
Saturday, July 18, 2015

Trouble with ADFS Proxy Certificate update\renewal

We recently had to apply new certificates to an ADFS infrastructure. There are plenty of articles out there that detail how to do this; however, we came across an issue after the supposedly successful replacement/install.

In general we followed this procedure:

http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx

However, what we discovered was that the ADFS proxy server would not update the certificate. The command to do it,

Set-WebApplicationProxySslCertificate

would complete successfully.

When we then ran

Get-WebApplicationProxySslCertificate

we got back no results. It did not error; it just returned nothing.

We tried a number of things to fix this, all to no avail.

Ultimately we had to remove the Web Application Proxy role from the server, re-add it, and then step through the configuration wizard again.
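Before pulling the role off the server, it is worth confirming exactly which of the two states you are in: the certificate is missing or unusable on the proxy, or WAP simply has no binding recorded for it (the empty Get-WebApplicationProxySslCertificate result described above). The following check script is an added example, not part of the original post or of Microsoft's tooling. It assumes the Windows Server 2012 R2 WebApplicationProxy cmdlets, that the new certificate has already been imported into LocalMachine\My on the proxy, and that the objects returned by Get-WebApplicationProxySslCertificate expose HostName, PortNumber and CertificateHash properties.

```powershell
# Added verification script for a WAP node (not from the original post).
# Run in an elevated PowerShell session on the Web Application Proxy server.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]   # SHA-1 thumbprint, 40 hex chars
    [string]$ExpectedThumbprint
)

$thumb = $ExpectedThumbprint.ToUpperInvariant()

# 1. Is the certificate present in the machine store, with a private key?
#    Without the private key WAP cannot serve TLS with it at all.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }

if (-not $cert) {
    Write-Warning "Certificate $thumb is not in LocalMachine\My on $env:COMPUTERNAME."
    return
}
if (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate $thumb has no private key; WAP cannot use it."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate {0} expires {1:u}" -f $thumb, $cert.NotAfter)
}

# 2. What does WAP believe it is bound to? An empty result is the symptom
#    from the post: Set-WebApplicationProxySslCertificate succeeded, yet
#    nothing is recorded, and external clients get no working TLS endpoint.
$bound = Get-WebApplicationProxySslCertificate
if (-not $bound) {
    Write-Warning 'Get-WebApplicationProxySslCertificate returned nothing: no SSL binding is recorded for WAP.'
    return
}

# Assumption: each binding object exposes HostName, PortNumber, CertificateHash.
foreach ($b in $bound) {
    $boundHash = ($b.CertificateHash -replace '\s', '').ToUpperInvariant()
    [pscustomobject]@{
        HostName        = $b.HostName
        Port            = $b.PortNumber
        BoundThumbprint = $boundHash
        MatchesExpected = ($boundHash -eq $thumb)
    }
}
```

Save it as, for example, Test-WapCert.ps1 and run `.\Test-WapCert.ps1 -ExpectedThumbprint <thumbprint>`. A row with MatchesExpected = False means the Set- cmdlet did not take; no rows at all means you are looking at the same empty-result condition this post describes.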

During the troubleshooting we found an Event ID 383 in the event log. I am not sure whether it is indicative of this problem, but I include it here for future reference and comment:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/c0889fba-29ce-4215-8423-773c0c386f71/2012r2-web-application-proxy-adfs-error-event-383-corrupted-config-file?forum=winserverDS

References:

https://technet.microsoft.com/en-us/library/dn770156.aspx

http://blogs.msdn.com/b/javaller/archive/2014/06/18/why-isn-t-my-adfs-ssl-certificate-updating.aspx

http://www.scug.nl/infrastructure/part-2-update-active-directory-federation-services-3-0-web-application-proxy-ssl-certificates/

http://blogs.perficient.com/microsoft/2014/05/office-365-replacing-the-ssl-certificate-in-ad-fs-3-0/



4 comments:

  1. I had the same problem and solved it like this.

    In an administrative command prompt enter:
    netsh http show ssl

    Copy all the output for 0.0.0.0:443 and externalip:443
    Delete both bindings:
    Netsh http delete sslcert ipport=0.0.0.0:443
    Netsh http delete sslcert ipport=externalip:443

    Add both bindings with the correct certificate thumbprint:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=xxxx appid=xxxxxx clientcertnegotiation=disable

    netsh http add sslcert ipport=externalip:443 certhash=xxxx appid=xxxxxx clientcertnegotiation=disable

    Restart WAP services

  2. The above comment worked for me.

    For some reason after changing out a cert, the bindings on my WAP server disappeared. This problem was noticed because the ADFS portal was accessible to internal computers, but not external. I had to manually set the bindings up again.

    The correct appid for a WAP server is {f955c070-e044-456c-ac00-e9e4275b3f04}

    For the command to run successfully I had to enter netsh http mode first:

    netsh
    http
    add sslcert ipport=0.0.0.0:443 certhash=yourcertthumbprint appid={f955c070-e044-456c-ac00-e9e4275b3f04} clientcertnegotiation=disable
    add sslcert ipport=externalip:443 certhash=yourcertthumbprint appid={f955c070-e044-456c-ac00-e9e4275b3f04} clientcertnegotiation=disable

    For the ADFS 3.0 server (if you needed to update these binding as well) the appid would be {5d89a20c-beab-4389-9447-324788eb944a}. You would be setting up at least three bindings, one for localhost:443, one for your site FQDN:443 and one for your site FQDN:49443. Client cert negotiation should be enabled for port 49443.

  3. This worked for me; however, my previous config had used hostnameport, so I had to add certstorename=MY and some other settings which I found on my other node:
    Netsh
    Http
    add sslcert hostnameport=hostname.org.au:443 certhash=xxxxxxxxxxxxxxx appid={5d89a20c-beab-4389-9447-324788eb944a} clientcertnegotiation=disable certstorename=MY sslctlstorename=AdfsTrustedDevices

    add sslcert hostnameport=hostname.org.au:49443 certhash=xxxxxxxxxxxxxxxx appid={5d89a20c-beab-4389-9447-324788eb944a} clientcertnegotiation=enable certstorename=MY

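The three comments above describe the same repair by hand: read the HTTP.SYS bindings with netsh, delete the stale ones, re-add them with the new thumbprint and the WAP application ID, then restart the WAP services. The script below is an added example that automates that sequence with a dry-run option; it is not code from the original post or its commenters. It assumes the ipport form of binding used in comments 1 and 2 (the parser also recognises Hostname:port blocks from comment 3, but the repair function only handles ipport endpoints), the WAP application ID {f955c070-e044-456c-ac00-e9e4275b3f04} given in comment 2, and that the WAP service is named appproxysvc (an assumption; check Get-Service on your host).

```powershell
# Added WAP binding repair script (not from the original post).
# Run elevated on the Web Application Proxy server.

function Get-HttpSslBinding {
    # Parse 'netsh http show sslcert' into objects, one per binding block.
    # A block starts at an 'IP:port' or 'Hostname:port' line.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ Kind = $Matches[1]; Endpoint = $Matches[2] }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertificateHash = $Matches[1].ToUpperInvariant()
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.ApplicationId = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.StoreName = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Negotiate Client Certificate\s*:\s*(\S+)') {
            $current.ClientCertNegotiation = $Matches[1]
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

function Reset-WapSslBinding {
    # Re-create the WAP TLS bindings for the given ipport endpoints.
    # Supports -WhatIf so the change can be reviewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]
        [string]$Thumbprint,

        # Constructed example values; use your own, e.g. '0.0.0.0:443','203.0.113.10:443'
        [Parameter(Mandatory = $true)]
        [string[]]$IpPort,

        # WAP application ID as given in comment 2 above.
        [string]$AppId = '{f955c070-e044-456c-ac00-e9e4275b3f04}'
    )

    $thumb    = $Thumbprint.ToUpperInvariant()
    $existing = Get-HttpSslBinding

    foreach ($ep in $IpPort) {
        $cur = $existing | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq $ep }

        if ($cur -and $cur.CertificateHash -eq $thumb -and $cur.ApplicationId -eq $AppId) {
            Write-Verbose "$ep is already bound to $thumb with app id $AppId; nothing to do."
            continue
        }

        if ($cur -and $PSCmdlet.ShouldProcess($ep, 'netsh http delete sslcert')) {
            & netsh http delete sslcert "ipport=$ep" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "delete sslcert failed for $ep" }
        }

        if ($PSCmdlet.ShouldProcess($ep, "netsh http add sslcert certhash=$thumb")) {
            $netshArgs = @('http', 'add', 'sslcert', "ipport=$ep", "certhash=$thumb",
                           "appid=$AppId", 'clientcertnegotiation=disable', 'certstorename=MY')
            & netsh @netshArgs | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "add sslcert failed for $ep" }
        }
    }

    # Comment 1 ends with 'Restart WAP services'. Service name is an assumption.
    if ($PSCmdlet.ShouldProcess('appproxysvc', 'Restart-Service')) {
        Restart-Service -Name appproxysvc -ErrorAction Stop
    }

    # Return the bindings as HTTP.SYS now sees them so the caller can verify.
    return Get-HttpSslBinding | Where-Object { $_.Endpoint -in $IpPort }
}
```

Run `Reset-WapSslBinding -Thumbprint <thumbprint> -IpPort '0.0.0.0:443','<external-ip>:443' -WhatIf` first to see what would be deleted and added, then without -WhatIf. Bindings that already carry the new thumbprint and the WAP app ID are left alone, so running it a second time is harmless. The ADFS server side (app ID {5d89a20c-beab-4389-9447-324788eb944a}, port 49443 with client certificate negotiation enabled, as comments 2 and 3 note) is a different binding set and is deliberately not handled here.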
  4. Wow, this was nasty, i.e. WAP broke, but no warnings, errors, event log entries, system errors, etc.; i.e. nothing showed broken, but sure enough the NIC bindings for SSL were gone. This fixed it. Thank you!! 8D...ave
