AD FS 3.0: replace SSL certificate
Paolo Valsecchi
27/04/2016
To replace the SSL certificate of the AD FS server in an Office 365 environment, you need to perform several steps to restore proper functionality.
When the SSL certificate expires, the Office 365 authentication process stops working and users are no longer able to access their email. Replacing the SSL certificate is the only way to get the service back.
Import and replace SSL certificate in AD FS server
To request an SSL certificate for AD FS, you can follow this detailed guide.
Log on to the AD FS server and, from the Certificates Management Console, import the new certificate into the Personal certificate store of the computer account. Right-click the Certificates item and select All Tasks > Import.
Select the new signed SSL certificate received from the CA and click
Next.
When the certificate has been imported successfully, click OK to close
the window.
Make sure that the service account used to run the AD FS service is granted read access to the private key. Right-click the new certificate and select All Tasks > Manage Private Keys.
Assign Read permission to the service account that runs the AD FS service and click OK.
Export the new certificate including its private key and copy it to the WAP server. To export, select Certificates, right-click the newly imported certificate and select All Tasks > Export.
Choose Yes, export the private key and click Next. Protect the PFX with a strong password and delete the copy from the WAP server once it has been imported there.
Launch the AD FS Management Console, expand Service item within the
left pane and click Certificates. Under Service communications the
certificate is displayed as expired. Click the link Set Service
Communications Certificate to set the new certificate.
The system lists all the installed certificates. Select the valid certificate and click OK.
Click OK to close the message. The Expiration Date of the certificate under Service communications is now updated.
Restart the AD FS service.
Changes made in the GUI do not update the certificate binding in HTTP.sys, which is what AD FS 3.0 actually listens through. To complete the configuration you need the thumbprint of the new certificate and a PowerShell command. Right-click the newly imported SSL certificate and select Open.
Select the Details tab, find the Thumbprint of the new certificate and write it down, removing the spaces.
In this example the value is e8fd5016542796214e94f72d76095f9fc587c731.
From an elevated PowerShell prompt run the command:
Set-AdfsSslCertificate -Thumbprint <ThumbprintCertificate>
PS C:\> Set-AdfsSslCertificate -Thumbprint e8fd5016542796214e94f72d76095f9fc587c731
The command has been executed.
Restart the AD FS service (or the server) to complete the configuration change. On Windows Server 2012 R2 the binding is per node, so in a farm repeat the import and the Set-AdfsSslCertificate command on every federation server.
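The whole AD FS-side procedure above (locate the imported certificate, grant the service account Read on the private key, set the service-communications certificate, fix the HTTP.sys binding and verify) can be done from one PowerShell session. The script below is an added example and is not part of the original post; the thumbprint is the one used on the page, while the service account name, the 30-day warning threshold and the use of the ADFS PowerShell module on Windows Server 2012 R2 are assumptions.

```powershell
# Added example: replace the AD FS 3.0 service-communications/SSL certificate from PowerShell.
# Run in an elevated PowerShell on the AD FS server (Windows Server 2012 R2, ADFS module).
$Thumbprint     = 'e8fd5016542796214e94f72d76095f9fc587c731'   # value from the page
$ServiceAccount = 'NOLABNOPARTY\svc_adfs'                      # assumption: account running the AD FS service

Import-Module ADFS

# 1. Locate the imported certificate and sanity-check it before touching AD FS.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                    { throw "Certificate $Thumbprint not found in LocalMachine\My; import the PFX first." }
if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key; re-import the PFX with the key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint is already expired (NotAfter $($cert.NotAfter))." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter); plan the next renewal now." }

# 2. Grant the service account Read on the private key file (the "Manage Private Keys" GUI step).
#    CAPI keys live under Crypto\RSA\MachineKeys, CNG keys under Crypto\Keys (needs .NET 4.6+).
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
$keyFile = Get-PrivateKeyFile -Certificate $cert
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 3. Update the AD FS configuration (the "Set Service Communications Certificate" GUI step) ...
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
# ... and the HTTP.sys binding, which the GUI does not touch. On 2012 R2 this is per node,
# so steps 1-3 must be repeated on every federation server in the farm.
Set-AdfsSslCertificate -Thumbprint $Thumbprint

Restart-Service adfssrv

# 4. Verify that the AD FS configuration and the HTTP.sys binding agree on the new thumbprint.
$svcThumb = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$sslThumb = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
"Service-Communications : $svcThumb"
"HTTP.sys (AD FS view)  : $sslThumb"
netsh http show sslcert | Select-String 'Certificate Hash' | ForEach-Object { "HTTP.sys (netsh)       : $($_.Line.Trim())" }
if ($svcThumb -ne $Thumbprint -or $sslThumb -ne $Thumbprint) { throw 'AD FS still references a different certificate.' }
```

The final netsh check is the one that matters for the symptom described above: the GUI can show a valid certificate under Service communications while HTTP.sys is still serving the expired one.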
Import new certificate in the WAP server
Log on to the WAP server and import the certificate previously exported from the AD FS server (check out this guide for additional details). Open the Certificate Management Console, right-click Certificates and select All Tasks > Import.
The new certificate has been successfully imported.
Now open PowerShell and run the command to change the certificate:
Set-WebApplicationProxySslCertificate -Thumbprint <ThumbprintCertificate>
PS C:\> Set-WebApplicationProxySslCertificate -Thumbprint e8fd5016542796214e94f72d76095f9fc587c731
The command has been executed.
A poorly documented step is also required to complete the overall procedure. Checking the WAP application certificate, the ExternalCertificateThumbprint still points to the old thumbprint. Note also the value of the ID field, which is needed to update the application.
PS C:\> Get-WebApplicationProxyApplication | fl
From the AD FS server, checking the AD FS SSL certificate again shows that its thumbprint differs from the WAP external certificate thumbprint.
PS C:\> Get-AdfsSslCertificate
To update the WAP application certificate as well, from the WAP server PowerShell console run the following command, passing the ID value obtained from Get-WebApplicationProxyApplication | fl (as we did above):
Set-WebApplicationProxyApplication -ID <ApplicationID> -ExternalCertificateThumbprint <ThumbprintCertificate>
PS C:\> Set-WebApplicationProxyApplication -ID <ApplicationID> -ExternalCertificateThumbprint e8fd5016542796214e94f72d76095f9fc587c731
Checking the WAP Application certificate once again, the External
Certificate now reports the correct Thumbprint.
PS C:\> Get-WebApplicationProxyApplication | fl
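The page updates a single published application by hand. As an added example (not part of the original post), the script below switches the WAP listener to the new certificate and then walks every published application, replacing only those whose current external certificate is missing from the local store or expired, so applications that legitimately use a different, still valid certificate are left alone. The thumbprint is the one used on the page; running on the WAP server with the WebApplicationProxy module is assumed.

```powershell
# Added example: move the WAP listener and the published applications to the new certificate.
# Run in an elevated PowerShell on the WAP server.
$Thumbprint = 'e8fd5016542796214e94f72d76095f9fc587c731'   # value from the page

Import-Module WebApplicationProxy

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) { throw "Import the PFX (with private key) into LocalMachine\My first." }

# 1. Listener certificate (the HTTP.sys binding used by the proxy itself).
Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint

# 2. Each published application keeps its own ExternalCertificateThumbprint, which
#    Set-WebApplicationProxySslCertificate does not touch. Replace it only where the
#    referenced certificate is gone or expired.
function Test-StoreCertificateValid {
    param([string]$CertThumbprint)
    $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $CertThumbprint }
    return ($null -ne $c -and $c.NotAfter -gt (Get-Date))
}

foreach ($app in Get-WebApplicationProxyApplication) {
    $current = $app.ExternalCertificateThumbprint
    if ($current -eq $Thumbprint) { "$($app.Name): already on the new certificate"; continue }
    if (Test-StoreCertificateValid -CertThumbprint $current) {
        "$($app.Name): keeps a different but still valid certificate ($current)"; continue
    }
    "$($app.Name): $current -> $Thumbprint"
    Set-WebApplicationProxyApplication -ID $app.ID -ExternalCertificateThumbprint $Thumbprint
}

# 3. Verify: the listener must report the new thumbprint and no application may still
#    reference a certificate that is missing or expired.
Get-WebApplicationProxySslCertificate | Select-Object HostName, PortNumber, CertificateHash | Format-Table -AutoSize
$stale = Get-WebApplicationProxyApplication |
    Where-Object { -not (Test-StoreCertificateValid -CertThumbprint $_.ExternalCertificateThumbprint) }
if ($stale) { throw "Applications still on an invalid certificate: $(($stale | ForEach-Object { $_.Name }) -join ', ')" }
'WAP listener and published applications verified.'
```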
When you manually update the AD FS certificates, you must update the Office 365 federated domain as well. In the Event Viewer of the AD FS server you may find that the certificate referenced by Office 365 points to the wrong thumbprint, because the federation settings stored in the Office 365 domain have not been refreshed.
Manually update the AD FS certificates
To update your Office 365 domain you must use PowerShell. Run the following command and enter your cloud service administrator credentials:
PS C:\> $cred = Get-Credential
Connect to the cloud service:
PS C:\> Connect-MsolService -Credential $cred
Run the following command to check the current token-signing certificates in AD FS:
PS C:\> Get-AdfsCertificate -CertificateType token-signing
In the example, the displayed thumbprint belongs to an expired certificate. To generate a new certificate run the command (it requires AutoCertificateRollover to be enabled on the farm):
PS C:\> Update-AdfsCertificate -CertificateType token-signing
Verify the update to check that the certificate has been created:
PS C:\> Get-AdfsCertificate -CertificateType token-signing
A primary and a secondary certificate have been created with new thumbprint values. In the AD FS Management Console the new certificates are displayed under the Token-signing area.
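The page connects to the tenant and regenerates the token-signing certificate but does not show the cmdlet that actually pushes the new certificate into the federated domain. As an added example (not part of the original post), the script below compares the AD FS primary token-signing certificate with the one Office 365 holds, using Get-MsolFederationProperty, and runs Update-MsolFederatedDomain only when they differ. The domain name is assumed from the federation service name used on the page; the MSOnline module is the one the page relies on and has since been retired by Microsoft in favour of Microsoft Graph PowerShell, so treat it as the 2016-era tool it is.

```powershell
# Added example: renew the AD FS token-signing certificate and push it to the Office 365 federated domain.
# Run on the AD FS server with the ADFS and MSOnline modules installed.
$Domain = 'nolabnoparty.com'   # assumption: the federated domain behind sts.nolabnoparty.com

Import-Module ADFS
Import-Module MSOnline

$cred = Get-Credential -Message 'Office 365 global administrator'
Connect-MsolService -Credential $cred

function Get-PrimaryTokenSigning {
    Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
}

# 1. Renew on the AD FS side only if the primary certificate has expired or is about to (15-day threshold assumed).
$primary = Get-PrimaryTokenSigning
"AD FS primary token-signing : $($primary.Thumbprint) (expires $($primary.Certificate.NotAfter))"
if ($primary.Certificate.NotAfter -lt (Get-Date).AddDays(15)) {
    if (-not (Get-AdfsProperties).AutoCertificateRollover) {
        throw 'AutoCertificateRollover is disabled; Update-AdfsCertificate cannot generate a certificate here.'
    }
    # -Urgent creates the new certificate and promotes it to primary immediately instead of after PromotionDelay.
    Update-AdfsCertificate -CertificateType Token-Signing -Urgent
    $primary = Get-PrimaryTokenSigning
    "New primary token-signing   : $($primary.Thumbprint)"
}

# 2. Compare with what Office 365 believes the signing certificate is.
function Get-CloudTokenSigning {
    Get-MsolFederationProperty -DomainName $Domain | Where-Object { $_.Source -like '*Office 365*' }
}
$cloud = Get-CloudTokenSigning
"Office 365 token-signing    : $($cloud.TokenSigningCertificate.Thumbprint)"

# 3. Only then refresh the federated domain; add -SupportMultipleDomain if several domains share this AD FS.
if ($cloud.TokenSigningCertificate.Thumbprint -ne $primary.Thumbprint) {
    Update-MsolFederatedDomain -DomainName $Domain
    $cloud = Get-CloudTokenSigning
    if ($cloud.TokenSigningCertificate.Thumbprint -ne $primary.Thumbprint) {
        throw 'Office 365 still holds the old token-signing certificate.'
    }
}
'Office 365 and AD FS agree on the token-signing certificate.'
```

Until step 3 has run, Office 365 keeps validating tokens against the old signing certificate, which is the "wrong thumbprint" condition the Event Viewer reports above.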
While local AD FS authentication starts working again, connecting to Office 365 still fails and access to the web application cannot be completed.
Looking at the Event Viewer, the WAP server is unable to contact the AD FS server, and the AD FS server reports that the WAP server cannot authenticate. This scenario occurs when the trust relationship between the AD FS and WAP servers is broken.
Re-establish trust between WAP and AD FS
From the WAP server, retrieve the list of installed certificates with the command:
PS C:\> Get-ChildItem -Path Cert:\LocalMachine\My
The error displayed in the Event Viewer reports that the trusted certificate thumbprint begins with BB59AB2 while the imported certificate begins with 369083A.
To re-establish trust between AD FS and WAP, on the WAP server run the following command, entering the domain administrator account credentials when prompted (e.g. NOLABNOPARTY\Administrator):
Install-WebApplicationProxy -CertificateThumbprint <ThumbprintCertificate> -FederationServiceName <sts.domain.com>
PS C:\> Install-WebApplicationProxy -CertificateThumbprint e8fd5016542796214e94f72d76095f9fc587c731 -FederationServiceName sts.nolabnoparty.com
The configuration is applied to the system. When the process has completed, the system displays the message DeploymentSucceeded.
Under Token-decrypting area the Expiration Date of the certificate is
now shown as valid.
The trust between WAP and AD FS has been restored as confirmed in
the Event Viewer.
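As an added example (not part of the original post), the script below re-runs the WAP configuration non-interactively and then checks the trust from both ends: the WAP must be able to list the relying parties published by AD FS, and the AD FS Admin log must stop reporting proxy authentication failures. The thumbprint, federation service name and administrator account come from the page; the internal AD FS host name used for the remote log query is an assumption, and reading the remote log requires remote event log access to be allowed through the firewall.

```powershell
# Added example: re-establish the proxy trust from the WAP server and confirm it on both sides.
# Run in an elevated PowerShell on the WAP server.
$Thumbprint     = 'e8fd5016542796214e94f72d76095f9fc587c731'   # value from the page
$FederationName = 'sts.nolabnoparty.com'                        # value from the page
$AdfsServer     = 'adfs01.nolabnoparty.local'                   # assumption: internal AD FS host, for the log check

Import-Module WebApplicationProxy

# 1. The certificate used to register the proxy must be the one bound to the WAP listener.
$listener = Get-WebApplicationProxySslCertificate | Select-Object -First 1
if ($listener.CertificateHash -ne $Thumbprint) {
    throw "Listener uses $($listener.CertificateHash); run Set-WebApplicationProxySslCertificate first."
}

# 2. Re-run the WAP configuration. FederationServiceTrustCredential is an account allowed to register
#    the proxy on the AD FS side (the page uses the domain administrator), not the WAP service account.
$trustCred = Get-Credential -UserName 'NOLABNOPARTY\Administrator' -Message 'AD FS trust credential'
$result = Install-WebApplicationProxy -CertificateThumbprint $Thumbprint `
                                      -FederationServiceName $FederationName `
                                      -FederationServiceTrustCredential $trustCred
$result
if ($result.Status -ne 'Success') { throw "WAP configuration failed: $($result.Message)" }

# 3a. WAP side: with a working trust the proxy can enumerate the relying parties published by AD FS.
$rps = Get-WebApplicationProxyAvailableADFSRelyingParty
if (-not $rps) { throw 'Trust established but AD FS returned no relying parties; check the AD FS Admin log.' }
$rps | Select-Object Name, ID | Format-Table -AutoSize

# 3b. AD FS side: look for recent proxy-related entries in the AD FS Admin log (needs remote event log access).
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -ComputerName $AdfsServer -FilterHashtable @{ LogName = 'AD FS/Admin'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'proxy' } |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If step 3a succeeds but 3b still shows errors newer than the Install-WebApplicationProxy run, the trust was re-created against a different certificate than the one HTTP.sys is serving; re-check step 1 on every WAP node.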
Access to the Office 365 environment is now restored and users can read their email again. Remember to check the expiration date of your certificates on a regular basis to avoid service interruptions.
About The Author
Paolo Valsecchi
System Engineer, VCP-DCV, VCP-DM, vExpert, VMCE,
VMCA, Veeam Vanguard, ACE. Working experience
focused on VMware vSphere, Omnissa Horizon,
Microsoft Active Directory, and Backup/DR solutions.
One Response
Bjorn Houben 23/04/2018
Thanks a lot. Great documentation.