ADFS Communication Certificate Question

MikeMurphy-5799 asked:

Hi,

The Communication certificate on our ADFS (Server 2012 R2) has been expired for 2 years and does not appear to have negatively impacted anything at all. I still want to change it. Most docs say that the IIS certificate and the Communication certificate should be the same cert. In our environment we use a DNS alias for convenience, so the binding is not our server FQDN. It's a truncated DNS name. The IIS cert is a valid wildcard for the truncated name. Example:

FQDN Domain name: <adfs-servername>.part1.part2.part3.com
Truncated alias name: adfs.part2.part3.com

Question: should I create a self-signed subordinate cert for the communication cert using the FQDN, or can I use the same wildcard cert so they match?

Thanks


piaudonn answered:

ADFS on Windows Server 2012 R2 does not use IIS.

If you have IIS installed on the same server with expired certificates, it is possible that those are not the ones used by ADFS.

To know the current certificates used by ADFS, run the following command on the ADFS server:

 Get-AdfsCertificate -CertificateType Service-Communications

It should be the same one you see in the output of this other command, which tells you what certificate is used in the HTTP/TLS binding of your server:

 Get-AdfsSslCertificate

Instructions to update the TLS certificate can be found here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap


MikeMurphy-5799 answered:

The IIS service is on and the SSL cert that is in the bindings is valid. It matches the DNS alias I mentioned, and when I use the ADFS test URL it returns a valid cert and login window.

If I use the FQDN (expired Service Communication cert) URL, it also returns a proper login page but with the expired cert warning. Somehow, this server has been configured to use IIS for the ADFS alias name, I believe.

The URL's are not the same. The Certs are not the same.

Test URL:
https://<ADFS FQDN>/adfs/ls/IdpInitiatedSignon.aspx


piaudonn commented:

IIS is not used with ADFS on Windows Server 2012 R2; even if you have installed it, it is not used. ADFS is built on top of HTTP.sys. You have a configuration to fix here.

What is the output of the commands I mentioned? And what is the validity of that cert (the one with the thumbprint in the output of these commands; we don't care about what IIS has)?


MikeMurphy-5799 commented:

I see. Maybe somebody installed IIS because they didn't know another way to install an SSL cert.

The 1st command returns the name of the FQDN Certificate. It has been expired for over 2 years. It's a wildcard cert from third party.
The second command returns the SSL cert that is also in IIS. It is a valid cert with a DNS alias name. It's a wildcard cert from a third party.


piaudonn commented:

So make sure you update the certificate to show the "real" cert in the GUI.

Use the following command:

 # The type to set here is Service-Communications; Token-Signing would replace the certificate that signs tokens and break the federation trust.
 Set-AdfsCertificate -CertificateType "Service-Communications" -Thumbprint "<THUMBPRINT>"
 # Restart the adfssrv service afterwards so AD FS loads the new certificate.

Where "<THUMBPRINT>" is the thumbprint of the cert you see in the output of

 Get-ADFSSSLCertificate
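Added example, not part of the thread above and not Microsoft's code: a PowerShell script that combines the two checks from piaudonn's answer with the fix from the last comment. It reads the Federation Service name from Get-AdfsProperties, compares the Service-Communications certificate with the one bound in HTTP.sys for that name, checks that the bound certificate's names actually cover the Federation Service name (a wildcard such as *.part2.part3.com covers adfs.part2.part3.com but not <adfs-servername>.part1.part2.part3.com, because a wildcard matches a single label), and with -Fix points Service-Communications at the bound certificate and restarts the service. The -Fix switch and the Test-NameCovered function are the script's own names, not AD FS cmdlet parameters. Assumed: it runs elevated on the AD FS server with the ADFS module available, and the AD FS service account has Read access to the private key of the certificate being assigned.

```powershell
# Added example, not code from the thread or from Microsoft. Run elevated on the
# AD FS server. The -Fix switch and Test-NameCovered are this script's own names,
# not AD FS cmdlets or parameters.
param([switch]$Fix)

Import-Module ADFS -ErrorAction Stop

# True if a certificate name (possibly a wildcard) covers a host name. A wildcard
# matches exactly one label, as browsers enforce: *.part2.part3.com covers
# adfs.part2.part3.com but not server.part1.part2.part3.com.
function Test-NameCovered {
    param([string]$CertName, [string]$HostName)
    if ($CertName -ieq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $labels = $HostName.Split('.')
        if ($labels.Count -lt 2) { return $false }
        $parent = $labels[1..($labels.Count - 1)] -join '.'
        return $parent -ieq $CertName.Substring(2)
    }
    return $false
}

# The name clients connect to: this is what both certificates must cover.
$fsName = (Get-AdfsProperties).HostName

# Certificate AD FS believes it is using for service communications.
$svcCert = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate

# Certificate actually bound in HTTP.sys for the Federation Service name on 443.
$binding = Get-AdfsSslCertificate |
    Where-Object { $_.PortNumber -eq 443 -and $_.HostName -ieq $fsName } |
    Select-Object -First 1
if (-not $binding) { throw "No HTTP.sys binding found for $fsName on port 443" }
$sslCert = Get-Item "Cert:\LocalMachine\My\$($binding.CertificateHash)" -ErrorAction Stop

"Federation Service name : $fsName"
"Service-Communications  : $($svcCert.Thumbprint)  expires $($svcCert.NotAfter.ToString('u'))"
"HTTP.sys binding        : $($sslCert.Thumbprint)  expires $($sslCert.NotAfter.ToString('u'))"

$now = Get-Date
$problems = @()
if ($svcCert.NotAfter -lt $now) { $problems += 'Service-Communications certificate is expired' }
if ($sslCert.NotAfter -lt $now) { $problems += 'HTTP.sys binding certificate is expired' }
if ($svcCert.Thumbprint -ne $sslCert.Thumbprint) {
    $problems += 'Service-Communications and HTTP.sys binding use different certificates'
}
if (-not $sslCert.HasPrivateKey) { $problems += 'Binding certificate has no private key in LocalMachine\My' }

# Subject alternative names as exposed by the Cert: provider; fall back to the CN.
$names = @($sslCert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names.Count -eq 0) { $names = @($sslCert.GetNameInfo('SimpleName', $false)) }
if (-not ($names | Where-Object { Test-NameCovered $_ $fsName })) {
    $problems += "Binding certificate names ($($names -join ', ')) do not cover $fsName"
}

if ($problems.Count -eq 0) { 'OK: AD FS certificates are consistent and valid'; return }
$problems | ForEach-Object { "PROBLEM: $_" }

# Remediation: make Service-Communications use the certificate already serving TLS.
# Only Service-Communications is touched; Token-Signing or Token-Decrypting would
# re-key the federation trust with every relying party. The AD FS service account
# needs Read on the certificate's private key, otherwise the service will not start.
if ($Fix -and $sslCert.HasPrivateKey -and $sslCert.NotAfter -gt $now) {
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $sslCert.Thumbprint
    Restart-Service adfssrv
    Get-AdfsCertificate -CertificateType Service-Communications |
        Select-Object CertificateType, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
}
```

Run it once without -Fix to see the report; in the situation described in the thread it should flag the expired Service-Communications certificate and the thumbprint mismatch while showing that the wildcard on the binding covers the Federation Service name. Only then run it with -Fix, and re-check a relying party sign-in afterwards, since restarting adfssrv briefly interrupts the service.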