LydiaLeung-4921 asked, moinmohammed-4706 commented

Secondary ADFS ssl cert not updating

We have the primary ADFS server on 2012 R2 but the secondary ADFS server on 2016. When the primary ADFS cert is updated, the secondary ADFS cert is not updated automatically, yet it cannot be set manually because it is a 2016 secondary.
How can I update the cert on the 2016 secondary ADFS server in that case?
Regards,
Lydia

adfs

1 Answer

piaudonn answered, moinmohammed-4706 commented

To update the Service Communications certificate, you will have to:

  1. Import the new certificate into the machine store on each node. Make sure the virtual account NT SERVICE\ADFSSRV has read permission on the private key.

  2. Run the following cmdlet only on the primary server:

    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint <Thumbprint of the newly imported certificate>

  3. Run the following on each ADFS server:

    Set-AdfsSslCertificate -Thumbprint <Thumbprint of the newly imported certificate>


This doesn't work. It's the same error message.

PS C:\Users\> Set-AdfsSslCertificate -Thumbprint 2416bccc5fd82323178dcb694372eeeb93610f5f
Set-AdfsSslCertificate : PS0033: This cmdlet cannot be executed from a secondary server in a local database farm. The
primary server is presently: adfs2019wid. To execute management cmdlets, either log onto the primary server or connect
using PowerShell remoting. For more information see https://go.microsoft.com/fwlink/?LinkId=294129.
At line:1 char:1
+ Set-AdfsSslCertificate -Thumbprint 2416bccc5fd82323178dcb694372eeeb93 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Set-AdfsSslCertificate], InvalidOperationException
+ FullyQualifiedErrorId : PS0033,Microsoft.IdentityServer.Management.Commands.SetSslCertificateCommand

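The three steps in the answer, carried out end to end from the primary node of a WID farm, as an added example that is not code from the original answer, the question or Microsoft. It is built around the PS0033 error shown in the comment: in a WID farm AD FS refuses management cmdlets on a secondary and tells you to log on to the primary or use PowerShell remoting, so every farm-wide cmdlet below is sent to the primary with Invoke-Command. Assumptions: the host names, PFX path and thumbprint are placeholders (the thumbprint and the primary's name are copied from the error text); the farm runs on Windows Server 2016 or later so that Set-AdfsSslCertificate exists at all (it is not present on a 2012 R2 primary, which is the asker's actual situation and is not resolved here); the AD FS service runs as the virtual account NT SERVICE\ADFSSRV (substitute the gMSA if the farm uses one); and WinRM is enabled between the nodes.

```powershell
# Added example, not code from the original post. Runs from an admin workstation or any
# farm node; all farm-wide cmdlets are executed on the primary over WinRM (see PS0033).
$Thumbprint  = '2416BCCC5FD82323178DCB694372EEEB93610F5F'   # placeholder, from the error text
$PrimaryNode = 'adfs2019wid'                                # placeholder, from the error text
$FarmNodes   = @('adfs2019wid', 'adfs-secondary')           # placeholder: every AD FS node
$PfxPath     = '\\fileshare\certs\sts.contoso.com.pfx'       # placeholder path reachable from each node
$ServiceAcct = 'NT SERVICE\ADFSSRV'                         # assumption: virtual account, not a gMSA
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 1: import the certificate on every node and give the service account Read on the
# private key file. Both HTTP.SYS and the AD FS service must be able to open that key.
$importBlock = {
    param($PfxPath, $PfxPassword, $Thumbprint, $ServiceAcct)
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password $PfxPassword | Out-Null
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "$env:COMPUTERNAME: $Thumbprint was imported without a private key"
    }

    # Resolve the key container file. CNG keys live under Crypto\Keys, legacy CAPI keys
    # under Crypto\RSA\MachineKeys; the container's unique name is the file name in both.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
               else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto\Keys",
                                   "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                             -Recurse -File -ErrorAction SilentlyContinue |
               Where-Object Name -eq $keyName | Select-Object -First 1
    if (-not $keyFile) { throw "$env:COMPUTERNAME: private key file $keyName not found" }

    # Grant Read only; the service never needs to modify or export the key.
    $acl  = Get-Acl -Path $keyFile.FullName
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAcct, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    "$env:COMPUTERNAME: imported $Thumbprint, granted Read on $($keyFile.Name) to $ServiceAcct"
}
foreach ($node in $FarmNodes) {
    Invoke-Command -ComputerName $node -ScriptBlock $importBlock `
        -ArgumentList $PfxPath, $PfxPassword, $Thumbprint, $ServiceAcct
}

# Step 2: switch the farm over. Both cmdlets fail with PS0033 on a secondary, so they are
# run on the primary. On AD FS 2016 and later Set-AdfsSslCertificate is a multi-node
# cmdlet: run on the primary, it updates the HTTP.SYS bindings on every node of the farm.
Invoke-Command -ComputerName $PrimaryNode -ArgumentList $Thumbprint -ScriptBlock {
    param($Thumbprint)
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
    Set-AdfsSslCertificate -Thumbprint $Thumbprint
    Get-AdfsSslCertificate          # farm-wide view of host/port bindings after the change
}

# Step 3: restart the service on every node and confirm HTTP.SYS presents the new
# certificate there, rather than trusting the cmdlet's return alone.
foreach ($node in $FarmNodes) {
    Invoke-Command -ComputerName $node -ArgumentList $Thumbprint -ScriptBlock {
        param($Thumbprint)
        Restart-Service adfssrv
        $bound = (netsh http show sslcert) -match 'Certificate Hash' |
                 ForEach-Object { ($_ -split ':\s*')[1].Trim() }
        if ($bound -contains $Thumbprint.ToLower()) { "$env:COMPUTERNAME: HTTP.SYS binding OK" }
        else { Write-Warning "$env:COMPUTERNAME: no HTTP.SYS binding uses $Thumbprint" }
    }
}
```

The private-key ACL step is the one most often skipped and the usual cause of a farm that accepts the new thumbprint but then fails TLS handshakes on one node, which is why the example resolves the key file on each node instead of assuming the import did it. Running step 2 on the primary is the fix for the PS0033 error in the comment; if the primary is still on 2012 R2, Set-AdfsSslCertificate is unavailable there and the binding on each node has to be managed with netsh http instead.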