This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi Everyone,
I'm configuring Windows Server 2016 Active Passive ADFS server, the primary ADFS server ADFS01-VM has been set up fine using the steps in https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-the-ad-fs-role-service
The SSL SAN certificate *.domain.com has been imported with no issue on the primary server.
However, moving on to the secondary server called ADFS02-VM the error showing like below screenshot:
Screenshot URL: https://i.imgur.com/oiyLsC1.png
I have also executed the steps described in https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-support-for-alternate-hostname-binding-for-certificate-authentication
Under the Primary DFS server ADFS01-VM PowerShell ISE as Administrator:
Set-AdfsAlternateTlsClientBinding -Member ADFS02-VM.DOMAIN.com -Thumbprint 'B6DA73B83A759DEE37F975668266FE92B4E5F788'
This is the error message:
Set-AdfsAlternateTlsClientBinding :
PS0317: One or more of AD FS servers returned errors during execution of command 'Set-AdfsAlternateTlsClientBinding'.
Error information:
PS0316: AD FS Server: 'localhost', Error: 'The specified SSL certificate with thumbprint 'B6DA73B83A759DEE37F975668266FE92B4E5F788' does not meet the requirements for configuring alternate Tls Client binding. For more information see http://go.microsoft.com/fwlink/?LinkId=613586.'.
PS0316: AD FS Server: 'ADFS02-VM.DOMAIN.com', Error: 'The specified SSL certificate with thumbprint 'B6DA73B83A759DEE37F975668266FE92B4E5F788' does not meet the requirements for configuring alternate Tls Client binding. For more information see http://go.microsoft.com/fwlink/?LinkId=613586.'.
At line:1 char:1
+ Set-AdfsAlternateTlsClientBinding -Member ADFS02-VM.DOMAIN.com -Th ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-AdfsAlternateTlsClientBinding], RemoteException
+ FullyQualifiedErrorId : RuntimeException,Microsoft.IdentityServer.Management.Commands.SetAlternateTlsClientBinding
Your help would be greatly appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 5%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi @EnterpriseArchitect , could you confirm if you have certauth.federationame in the subject alternative name of the certificate?
Hi @Abhijeet-MSFT , No, the SSL certificate covers wildcard *.domain.com
The warning you see above is because certuath.sts is not present in the SAN of the certificate. This is also documented at https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-support-for-alternate-hostname-binding-for-certificate-authentication#how-to-configure-alternate-host-name-binding-for-certificate-authentication. I would suggest that you add certauth in san and try again.