Scripted Version Notes:
Part 1: Adding Cert to ADFS Server
# Import the PFX into the local machine store and capture its thumbprint (on a farm, do this on every federation server)
# The PFX password is inlined here for brevity; prefer Read-Host -AsSecureString so it is not left in the script or in the PowerShell transcript
$certPath="C:\wildcard_kimconnectcom.pfx"
$certPlaintextPassword='PASSWORDHERE'
$certPassword=ConvertTo-SecureString $certPlaintextPassword -AsPlainText -Force   # a SecureString, not an encrypted password
$importedCert=Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -FilePath $certPath -Password $certPassword
$importedCertThumbprint=$importedCert.Thumbprint
# Get the account the ADFS service runs as (a gMSA shows up as DOMAIN\name$; keep the trailing $)
$adfsService=Get-CimInstance Win32_Service -Filter "Name='adfssrv'"   # Get-WmiObject win32_service works too, but is deprecated
$adfsRunasUser=$adfsService.StartName
# Grant the service account access to the private key. The certificate in LocalMachine\My is readable by anyone; it is the key file under ProgramData that the ACL protects
$certLocation='Cert:\LocalMachine\My'
$permissions='Read'   # Read is sufficient for the service to use the key; 'FullControl' (granted originally) would also let it overwrite or delete the key file
$access='allow'
$rule = new-object security.accesscontrol.filesystemaccessrule $adfsRunasUser,$permissions,$access
$root = "c:\programdata\microsoft\crypto\rsa\machinekeys"
$thisCert = ls $certLocation|? {$_.thumbprint -eq $importedCertThumbprint}
# Note: .PrivateKey is only populated for legacy CSP keys. A PFX whose key landed in the CNG key storage provider has .PrivateKey = $null and its key file lives under c:\programdata\microsoft\crypto\keys instead, so this lookup cannot find it
$keyname = $thisCert.privatekey.cspkeycontainerinfo.uniquekeycontainername
if (-not $keyname){
    write-warning "No CSP key container found for $importedCertThumbprint (CNG key?); the ACL must be set on the key file under c:\programdata\microsoft\crypto\keys instead"
}else{
    $keyPath = [io.path]::combine($root, $keyname)
    if ([io.file]::exists($keyPath)){
        $acl = get-acl -path $keyPath
        $acl.addaccessrule($rule)
        write-host $keyPath
        set-acl $keyPath $acl
    }else{
        write-warning "$keyPath NOT Found!"
    }
}
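The ACL step above only works for keys held in a legacy CSP container. The following is an added example, not code from the original post, that grants the service account Read on the key file whether the PFX landed in a CSP container (RSA\MachineKeys) or in the CNG key storage provider (Crypto\Keys), and returns the resulting ACE so the result can be checked. It assumes an RSA key (ADFS SSL and service-communication certs are RSA), the LocalMachine\My store, Windows PowerShell 5.1 on the federation server, and a service account that is an NT account or gMSA; `Grant-PrivateKeyRead`, `$Thumbprint` and `$Identity` are names chosen for this example.

```powershell
# Added example (not from the original post): grant Read on a certificate's private key
# file for both CSP (RSA\MachineKeys) and CNG (Crypto\Keys) machine keys.
# Assumptions: RSA key, LocalMachine\My, Windows PowerShell 5.1, run as administrator.
function Grant-PrivateKeyRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'CORP\svc_adfs$' for a gMSA; keep the trailing $
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }

    # GetRSAPrivateKey returns RSACng for KSP-backed keys and RSACryptoServiceProvider for CSP keys;
    # each type exposes the key file name differently and stores it under a different root
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    switch ($rsa) {
        { $_ -is [System.Security.Cryptography.RSACng] } {
            $uniqueName = $_.Key.UniqueName
            $keyRoot    = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
            break
        }
        { $_ -is [System.Security.Cryptography.RSACryptoServiceProvider] } {
            $uniqueName = $_.CspKeyContainerInfo.UniqueKeyContainerName
            $keyRoot    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
            break
        }
        default { throw "Unsupported private key type: $($rsa.GetType().FullName)" }
    }
    $keyPath = Join-Path $keyRoot $uniqueName
    if (-not (Test-Path -LiteralPath $keyPath)) {
        throw "Key file $keyPath not found (was the PFX imported into the machine store?)"
    }

    # Read is all the service needs to sign/decrypt with the key; FullControl would let it replace or delete the key
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl  = Get-Acl -LiteralPath $keyPath
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($keyPath, "Grant Read to $Identity")) {
        Set-Acl -LiteralPath $keyPath -AclObject $acl
    }

    # Verify: return the ACEs that now apply to the identity (empty output means the grant did not stick)
    (Get-Acl -LiteralPath $keyPath).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Usage on the federation server, after Import-PfxCertificate (placeholders):
# $svc = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
# Grant-PrivateKeyRead -Thumbprint $importedCertThumbprint -Identity $svc -WhatIf   # dry run first
# Grant-PrivateKeyRead -Thumbprint $importedCertThumbprint -Identity $svc
```

`-WhatIf` shows which key file would be touched without changing it, which is worth doing once because the MachineKeys and Keys folders also hold keys belonging to other services on the box.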
# Bind the public cert to ADFS
# Note: on 2012 R2 and later the SSL binding lives in HTTP.sys, which the AD FS Management console does not touch (it only sets the Service Communications cert). Hence both cmdlets below are needed. On 2012 R2 run Set-AdfsSslCertificate on every federation server; on 2016 and later running it on the primary updates all farm members
# Set-ADFSCertificate -Thumbprint $importedCertThumbprint # Not valid on its own: Set-AdfsCertificate requires -CertificateType
Set-AdfsSslCertificate -Thumbprint $importedCertThumbprint
Set-AdfsCertificate -CertificateType 'Service-Communications' -Thumbprint $importedCertThumbprint
# Token-Signing and Token-Decrypting certs are normally the self-signed ones ADFS rolls on its own, and keeping them self-signed is the usual choice. To use the public cert for them it must first be added with Add-AdfsCertificate (with AutoCertificateRollover off) and only then made primary, which is what the PS0010 error below is saying:
#Set-ADFSCertificate -IsPrimary -CertificateType 'Token-Decrypting' -Thumbprint $importedCertThumbprint
#Set-ADFSCertificate -IsPrimary -CertificateType 'Token-Signing' -Thumbprint $importedCertThumbprint
# Set-ADFSCertificate : PS0010: You must add the certificate before you can set it to be the primary certificate.
# At line:1 char:1
# + Set-ADFSCertificate -IsPrimary -CertificateType 'Token-Decrypting' -Thumbprint $ ...
# + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# + CategoryInfo : InvalidArgument: (:) [Set-AdfsCertificate], ArgumentException
# + FullyQualifiedErrorId : PS0010,Microsoft.IdentityServer.Management.Commands.SetCertificateCommand
# Set-ADFSProperties -AutoCertificateRollover $true # Applies only to the self-signed Token-Signing & Token-Decrypting certs; while it is $true, Add-AdfsCertificate/Set-AdfsCertificate for those types are refused
Restart-Service adfssrv # restart-service $adfsService.Name; on a farm, repeat the import, ACL and restart on every node
# Update-ADFSCertificate -CertificateType token-signing # Optional: generates a new self-signed signing cert as secondary; relying parties must pick it up from federation metadata before it is promoted, or their token validation breaks
# Validation
Get-AdfsSslCertificate # Check SSL bindings: every HostName/PortNumber row should show the new thumbprint
Get-AdfsCertificate -CertificateType token-signing # Check the token signing cert(s) and which one IsPrimary
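The PS0010 error above is about ordering: a Token-Signing cert has to be added as a secondary before it can be promoted, and the promotion is the step that breaks relying parties that have not refreshed federation metadata. The following is an added example, not code from the original post, that performs that sequence in two deliberate stages and adds a check that every HTTP.sys binding carries the new SSL cert. It assumes it runs on the primary federation server as an administrator, that the cert is already in LocalMachine\My with the service account granted Read on its key, and that a CA-issued signing cert is actually required (Microsoft's default and recommendation is to leave token-signing self-signed); the function names and thumbprint values are placeholders.

```powershell
# Added example (not from the original post): stage a Token-Signing cert as secondary,
# promote it separately, and verify the SSL bindings. Assumptions: primary federation
# server, administrator, cert already in LocalMachine\My with key ACL set.
function Add-AdfsTokenSigningCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [switch]$PromoteToPrimary   # only once every relying party has picked up the new cert from metadata
    )
    # Add-/Set-AdfsCertificate for Token-Signing are refused while automatic rollover is on
    if ((Get-AdfsProperties).AutoCertificateRollover) {
        Set-AdfsProperties -AutoCertificateRollover $false
    }
    $current = Get-AdfsCertificate -CertificateType Token-Signing
    if (-not ($current | Where-Object { $_.Thumbprint -eq $Thumbprint })) {
        # Secondary first: it is published in federation metadata so partners can fetch it before it signs anything
        Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $Thumbprint
    }
    if ($PromoteToPrimary) {
        # Promotion is the breaking step: tokens are signed with the new key from here on
        Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $Thumbprint -IsPrimary
    }
    Get-AdfsCertificate -CertificateType Token-Signing |
        Select-Object Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
}

function Test-AdfsSslBinding {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # 443 serves clients, 444 the proxy trust, 49443 client-certificate auth: all rows must show the new hash
    $stale = @(Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $Thumbprint })
    foreach ($b in $stale) {
        Write-Warning "$($b.HostName):$($b.PortNumber) is still bound to $($b.CertificateHash)"
    }
    return ($stale.Count -eq 0)
}

# Usage (placeholders):
# Add-AdfsTokenSigningCertificate -Thumbprint $importedCertThumbprint                     # stage as secondary
# Add-AdfsTokenSigningCertificate -Thumbprint $importedCertThumbprint -PromoteToPrimary   # after partners refreshed metadata
# Test-AdfsSslBinding -Thumbprint $importedCertThumbprint
```

Leaving days between the two calls is the point of the split: the secondary cert appears in the farm's metadata immediately, and partners that poll it (or that you hand the new cert to) can trust it before any token is signed with it.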
Part 2: Adding Cert to Web Application Server
# Import Cert to WAP Server (run on every proxy; each WAP keeps its own binding)
# Same password caveat as Part 1: prefer Read-Host -AsSecureString over a literal in the script
$certPath="C:\wildcard_kimconnectcom.pfx"
$certPlaintextPassword='PASSWORDHERE'
$certPassword=ConvertTo-SecureString $certPlaintextPassword -AsPlainText -Force
$importedCert=Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -FilePath $certPath -Password $certPassword
$importedCertThumbprint=$importedCert.Thumbprint
Set-WebApplicationProxySslCertificate -Thumbprint $importedCertThumbprint
# Initial deployment only: Install-WebApplicationProxy binds the cert when the proxy is first installed (and also requires -FederationServiceTrustCredential); it is not the cmdlet for swapping the cert on an existing proxy
# Install-WebApplicationProxy -CertificateThumbprint $importedCertThumbprint -FederationServiceName sts.kimconnect.com
# Validate. Set-WebApplicationProxySslCertificate only re-binds the federation proxy endpoints, so check those; published applications keep their own ExternalCertificateThumbprint and are checked separately
$bindings=Get-WebApplicationProxySslCertificate
$stale=$bindings|Where-Object{$_.CertificateHash -ne $importedCertThumbprint}
if(-not $stale){
    write-host 'Success: all proxy SSL bindings use the new cert'
}else{
    $stale|ForEach-Object{ write-host "Binding $($_.HostName):$($_.PortNumber) still uses $($_.CertificateHash), expected $importedCertThumbprint" }
}
# Any published application still on another cert needs Set-WebApplicationProxyApplication -ExternalCertificateThumbprint
Get-WebApplicationProxyApplication|Where-Object{$_.ExternalCertificateThumbprint -ne $importedCertThumbprint}|Select-Object Name,ExternalUrl,ExternalCertificateThumbprint
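Because the proxy binding and the per-application certificates are separate settings, a rotation on the WAP is only finished when both have moved. The following is an added example, not code from the original post, that does the whole swap on one proxy: preflight the new cert (private key present, not about to expire), move every published application that still uses the old cert and whose external host the new cert actually covers, re-bind the proxy endpoints, and report anything left behind. It assumes it runs on each WAP as an administrator with the new PFX already imported into LocalMachine\My; `Update-WapCertificate` and the thumbprint parameters are placeholders, and the host-name check is an approximation of TLS wildcard matching (it accepts one label or more under the wildcard).

```powershell
# Added example (not from the original post): rotate the WAP proxy binding and the
# published applications together. Assumptions: run on each WAP as administrator,
# new cert already in LocalMachine\My; thumbprints are placeholders.
function Update-WapCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NewThumbprint,
        [string]$OldThumbprint   # if omitted, every app not already on the new cert is moved
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop

    # Preflight: the proxy terminates TLS, so it needs the private key, and the cert should not be near expiry
    if (-not $cert.HasPrivateKey) { throw "No private key for $NewThumbprint on this proxy" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(14)) { Write-Warning "Cert $NewThumbprint expires $($cert.NotAfter)" }
    # Subject alternative names, e.g. '*.kimconnect.com', used below to decide which apps the cert can front
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    $apps = Get-WebApplicationProxyApplication | Where-Object {
        $_.ExternalCertificateThumbprint -ne $NewThumbprint -and
        (-not $OldThumbprint -or $_.ExternalCertificateThumbprint -eq $OldThumbprint)
    }
    foreach ($app in $apps) {
        $extHost = ([uri]$app.ExternalUrl).Host
        # -like treats '*.kimconnect.com' as a wildcard pattern; close enough to TLS name matching for a preflight
        $covered = $names | Where-Object { $extHost -like $_ }
        if (-not $covered) {
            Write-Warning "$($app.Name): $extHost is not covered by the new cert; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($app.Name, "Set external cert $NewThumbprint")) {
            Set-WebApplicationProxyApplication -ID $app.ID -ExternalCertificateThumbprint $NewThumbprint
        }
    }

    if ($PSCmdlet.ShouldProcess('proxy SSL bindings', "Set $NewThumbprint")) {
        Set-WebApplicationProxySslCertificate -Thumbprint $NewThumbprint
    }

    # Report what is still on another cert; no output here means the rotation is complete on this proxy
    Get-WebApplicationProxySslCertificate | Where-Object { $_.CertificateHash -ne $NewThumbprint }
    Get-WebApplicationProxyApplication | Where-Object { $_.ExternalCertificateThumbprint -ne $NewThumbprint } |
        Select-Object Name, ExternalUrl, ExternalCertificateThumbprint
}

# Usage (placeholders):
# Update-WapCertificate -NewThumbprint $importedCertThumbprint -OldThumbprint '<old thumbprint>' -WhatIf
# Update-WapCertificate -NewThumbprint $importedCertThumbprint -OldThumbprint '<old thumbprint>'
```

Passing `-OldThumbprint` keeps the swap scoped to applications that were actually on the expiring cert, which matters when some published apps deliberately use a different certificate.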
Legacy Notes…
1. Adding a tool to make AD FS claims visible:
# Add ClaimsXray (Microsoft's test relying party at adfshelp.microsoft.com, which echoes the issued token back to the browser)
$authzRules = "=>issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"true`"); "
$issuanceRules = "@RuleName = `"Issue all claims`"`nx:[]=>issue(claim = x); "
$redirectUrl = "https://adfshelp.microsoft.com/ClaimsXray/TokenResponse"
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $redirectUrl
Add-ADFSRelyingPartyTrust -Name "ClaimsXray" -Identifier "urn:microsoft:adfs:claimsxray" -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $issuanceRules -WSFedEndpoint $redirectUrl -SamlEndpoint $samlEndpoint
# Note: this trust permits every authenticated user and issues all of their claims to an external endpoint; remove it when testing is done: Remove-AdfsRelyingPartyTrust -TargetName "ClaimsXray"
2. Check IDP: use a browser to navigate to
3. Updating Self Signed Certs:
# Check the self-signed token-signing/decrypting certificates of ADFS. If AutoCertificateRollover = True, do nothing: ADFS generates and promotes new certs on its own according to the Certificate* thresholds below. Relying parties that do not refresh federation metadata still need the new token-signing cert delivered to them.
PS C:\Windows\system32> get-adfsproperties
AcceptableIdentifiers : {}
AddProxyAuthorizationRules : exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^AD AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustManagerSid({0})", param=c.Value );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", Issuer =~ "^SELF AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustProvisioned({0})", param=c.Value );
ArtifactDbConnection : Data Source=tor-sql-node02.corp.kimconnect.com;Initial Catalog=AdfsArtifactStore;Integrated Security=True;Min Pool Size=20
AuthenticationContextOrder : {urn:oasis:names:tc:SAML:2.0:ac:classes:Password, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, urn:oasis:names:tc:SAML:2.0:ac:classes:X509...}
AutoCertificateRollover : True
CertificateCriticalThreshold : 2
CertificateDuration : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold : 5
CertificateRolloverInterval : 720
CertificateSharingContainer : CN=af389bbd-b0c0-405c-b965-bca5e7aa02e5,CN=ADFS,CN=Microsoft,CN=Program Data,DC=corp,DC=kimconnect,DC=com
CertificateThresholdMultiplier : 1440
ClientCertRevocationCheck : None
ContactPerson : Microsoft.IdentityServer.Management.Resources.ContactPerson
DisplayName : kimconnect
IntranetUseLocalClaimsProvider : False
ExtendedProtectionTokenCheck : Allow
FederationPassiveAddress : /adfs/ls/
HostName : sts.kimconnect.com
HttpPort : 80
HttpsPort : 443
TlsClientPort : 49443
Identifier :
InstalledLanguage : en-US
LogLevel : {Errors, Information, Verbose, Warnings}
MonitoringInterval : 1440
NetTcpPort : 1501
NtlmOnlySupportedClientAtProxy : True
OrganizationInfo :
PreventTokenReplays : True
ProxyTrustTokenLifetime : 21600
ReplayCacheExpirationInterval : 60
SignedSamlRequestsRequired : False
SamlMessageDeliveryWindow : 5
SignSamlAuthnRequests : False
SsoLifetime : 480
PersistentSsoLifetimeMins : 10080
KmsiLifetimeMins : 1440
PersistentSsoEnabled : True
PersistentSsoCutoffTime : 1/1/0001 12:00:00 AM
KmsiEnabled : False
LoopDetectionEnabled : True
LoopDetectionTimeIntervalInSeconds : 20
LoopDetectionMaximumTokensIssuedInInterval : 5
PasswordValidationDelayInMinutes : 60
SendClientRequestIdAsQueryStringParameter : False
WIASupportedUserAgents : {MSAuthHost/1.0/In-Domain, MSIE 6.0, MSIE 7.0, MSIE 8.0...}
ExtranetLockoutThreshold : 2147483647
ExtranetLockoutEnabled : False
ExtranetObservationWindow : 00:30:00
GlobalRelyingPartyClaimsIssuancePolicy : c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"] => issue(claim = c);c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier"] => issue(claim = c);
PromptLoginFederation : FallbackToProtocolSpecificParameters
PromptLoginFallbackAuthenticationType : urn:oasis:names:tc:SAML:1.0:am:password
4. Updating Public Certs:
– Add new public Cert into Local Machine
– Check Public Certificates of Local Machine
PS C:\Windows\system32> dir cert:LocalMachine\My
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert...
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ CN=ADFS01, CN=2a362dd8-a989-4573-b06c-b9515bfe5448, OU=Microsoft ADFS ...
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ CN=ADFS01, CN=2a362dd8-a989-4573-b06c-b9515bfe5448, OU=Microsoft ADFS ...
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ CN=*.kimconnect.com, O="Kim Connect, Inc.", L=Torrance, S=CA, C=US
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ CN=ADFS Encryption - sts.kimconnect.com
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc...
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ CN=ADFS Signing - sts.kimconnect.com
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ CN=ADFS01, CN=2a362dd8-a989-4573-b06c-b9515bfe5448, OU=Microsoft ADFS ...
# Check Certificate association on ADFS
PS C:\Windows\system32> get-adfssslcertificate
HostName PortNumber CertificateHash
-------- ---------- ---------------
localhost 443 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
sts.kimconnect.com 443 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
sts.kimconnect.com 49443 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
localhost 444 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
sts.kimconnect.com 444 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
# Update the public certificate binding in ADFS (then Set-AdfsCertificate -CertificateType Service-Communications and restart adfssrv, as in Part 1)
set-adfssslcertificate -thumbprint <your new cert thumbprint>
5. Validate Relying Party Trusts
– CRM Claims Relying Party:
— Purpose: CRM main login authentication
— Pull federation metadata from
— Claim Rules: Pass through UPN, Pass Through Primary SID, Transform Windows Account Name
– CRM IFD Relying Party:
— Purpose: CRM sub-modules authentication
— Pull federation metadata from
— Claim Rules: Pass through UPN, Pass Through Primary SID, Transform Windows Account Name
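Validating the relying party trusts by hand means reading each one's metadata settings, certificates and rules. The following is an added example, not code from the original post, that makes one pass over every trust and reports the things a certificate rotation tends to break: trusts with no metadata URL or with automatic update disabled (they keep trusting the old ADFS token-signing cert until someone re-imports it), partner signing or encryption certs close to expiry, disabled trusts, and trusts with no issuance transform rules at all. It assumes it runs on a federation server with the ADFS module loaded; `Get-AdfsRelyingPartyTrustHealth` and the 30-day window are placeholders.

```powershell
# Added example (not from the original post): a health pass over all relying party trusts.
# Assumptions: run on a federation server; the warning window is a placeholder.
function Get-AdfsRelyingPartyTrustHealth {
    param([int]$WarnDays = 30)
    $cutoff = (Get-Date).AddDays($WarnDays)
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        $issues = @()
        if (-not $rp.Enabled) { $issues += 'disabled' }
        if (-not $rp.MetadataUrl) {
            # No metadata means the partner has to be told about new token-signing certs out of band
            $issues += 'no metadata URL: partner must receive new token-signing certs manually'
        } elseif (-not $rp.AutoUpdateEnabled) {
            $issues += 'metadata URL present but AutoUpdateEnabled=false'
        }
        # Partner-side certs: the one we encrypt tokens to and the ones that sign its requests
        foreach ($c in @($rp.EncryptionCertificate) + @($rp.RequestSigningCertificate)) {
            if ($c -and $c.NotAfter -lt $cutoff) {
                $issues += "partner cert $($c.Thumbprint) expires $($c.NotAfter.ToShortDateString())"
            }
        }
        # The trusts above pass UPN and primary SID through; a trust with no transform rules issues nothing useful
        if (-not $rp.IssuanceTransformRules) { $issues += 'no issuance transform rules' }
        [pscustomobject]@{
            Name        = $rp.Name
            Identifier  = ($rp.Identifier -join ', ')
            LastUpdated = $rp.LastUpdateTime
            Issues      = ($issues -join '; ')
        }
    }
}

# Usage: list only the trusts that need attention
# Get-AdfsRelyingPartyTrustHealth | Where-Object Issues | Format-Table -AutoSize
```

Run it before a token-signing rollover and again afterwards; a trust that shows up in the first run with no metadata URL is the one whose owner needs the new certificate sent to them before promotion.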