Category Archives: ADFS

Steps to renew the SSL Service Communication certificate in ADFS server

This article explains types of certificates present in ADFS server and  the steps to renew the SSL service communication certificate from ADFS server.

Basically there are 3 types of certificate required for ADFS certificate-

  1. Service Communication certificate – This certificate will be used for the secure communications between the web clients(web clients,federated servers,web application proxy and federated server proxy).The service communication certificate will be issued to the end users when they are redirected to the ADFS page by the application. Its always recommended to have a public SSL for this service communication certificate because it needs to be presented to the end users when redirected to ADFS page.
  2. Signing Certificates- Signing certificates will be used to sign the SAML token.When signed all the  data within the token will be readable in clear-text but when the consumer receives the token it knows that the token has not be tampered from the source. If it finds them to be tampered then it will not accept.Token Signing Can be done only with private portion which only the ADFS server will be having.
    This is the certificate used to sign only the SAML tokens.Token validation will be done with public portion of this certificate which will be available in the ADFS metadata. ADFS certificates will have one default self signed signing certificate which has validity of 1 year and this can be extended. Or we can generate one from internal CA and assign them.
  3. Token Decryption Certificate-  This certificate will be used when the application will be sending the encrypted tokens to the ADFS server.With this it will not sign the token but only encrypt the token. The application will encrypt the token by using the public part of the token decryption certificate. The ADFS server only will be having the private part of the key which it will be using to decrypt the token. ADFS certificates will have one default self signed token decryption certificate which has validity of 1 year and this can be extended. Or we can generate one from internal CA and assign them.

We can see the public certificate from the published ADFS  metadata.

Access the metadata url in browser. look for X509 that has values that ends with “=” sign.It’s base64 encoded so it will normally end with an “=” sign.

Testtr

We can see multiple x509 values. The public certificate is  base64 encoded so it will normally end with an “=” sign at the end like example below.

Testtr1

 

Once after we save them in .crt format we can see the public certificate which will be present in the ADFS metadata URL. So by using this the application will encrypt the token and send them to ADFS server. The ADFS server in turn can decry-pt this by using this certificate private key. This certificate private key will be present only with the ADFS server.Just in case if this private key is compromised then anybody can impersonate as your ADFS server

Testtr1

We can more or less verify the encryption on our own to get a better understanding of how it works.
When we do a SAML-trace in Firefox developer edition against a Relying Party we have with ADFS when we check the SAML-token, we will see that the saml:p response to the integrated service provider will be encrypted.

Below steps can be followed to renew the communication certificate

  1. Generate CSR from ADFS server. This can be done via IIS.
  2. Get the certificate issued from the public CA Portal.
  3. Once certificate is issued, add new certificate in Certificate store.
  4. Verify Private Key on the certificate. Make sure new certificate has the private key.
  5. Assign Permissions to the Private Key for ADFS service account. Right click on the certificate, click manage private keys, add ADFS service account and assign permissions as shown in below screenshot.

Untitled

6. From ADFS console select “Set Service Communication Certificate”

7.Select new certificate from prompted list of certificates.

To renew the SSL certificate for ADFS claims providers federation metadata URL can follow the previous article – https://exchangequery.com/2018/01/25/renew-ssl-certificate-for-adfs-url/

 

Renew SSL certificate for ADFS URL

This document outlines the steps to renew the SSL certificate for ADFS claims providers federation metadata URL

1) To take the application ID and the certificate hash run the below command.

netsh http show sslcert

ADFS1

copy only application id value. This we require for the certificate renewal. Better to take a copy of this results.

2) Run this command to see the ADFS listners

netsh http show urlacl 

ADFS2

This is just to take a copy of the ACL url’s before the certificate renewal. This part is so sensitive because ADFS will have some URL reservations in the HTTP.SYS. This will help us just in case if we face any issues after the certificate renewal.

3) Delete the old certificates –

$Command = “http delete sslcert hostnameport=adfs.exchangequery.com:443”
$Command | netsh

$Command = “http delete sslcert hostnameport=adfs.exchangequery.com:49443”
$Command | netsh

$Command = “http delete sslcert hostnameport=localhost:443”
$Command | netsh

$Command = “http delete sslcert hostnameport=EnterpriseRegistration.exchangequery.com:443”
$Command | netsh

4) Delete the old hostIP and port entries:

$Command = “http delete sslcert hostnameport=0.0.0.0:443”
$Command | netsh

5) Now we can add the new certificates:

Prerequisite:

Take the APP id which was noted down in the step 1

Take the certificate Hash – This can be taken from the new certificate thumbprint

example below –  remove all the spaces and copy the new certificate hash value.

ADFS3

# APP ID
$guid = “paste the appid here”

# Cert Hash
$certhash = “paste the certificatethumbprint”

To renew actual metadata URL:

$hostnameport = “adfs.exchangequery.com:443”
$Command = “http add sslcert hostnameport=$hostnameport certhash=$certhash appid={$guid} certstorename=MY sslctlstorename=AdfsTrustedDevices clientcertnegotiation=disable”
$Command | netsh

To renew localhost:

$hostnameport = “localhost:443”
$Command = “http add sslcert hostnameport=$hostnameport certhash=$certhash appid={$guid} certstorename=MY sslctlstorename=AdfsTrustedDevices clientcertnegotiation=disable”
$Command | netsh

To renew Device Registrations:

$hostnameport = “adfs.exchangequery.com:49443”
$Command = “http add sslcert hostnameport=$hostnameport certhash=$certhash appid={$guid} certstorename=MY clientcertnegotiation=enable”
$Command | netsh

The above is required because Changes were made in ADFS on Windows Server 2012 R2 to support Device registration and happens on port 49443.

$hostnameport = “EnterpriseRegistration.exchangequery.com:443”
$Command = “http add sslcert hostnameport=$hostnameport certhash=$certhash appid={$guid} certstorename=MY sslctlstorename=AdfsTrustedDevices clientcertnegotiation=disable”
$Command | netsh

The above is also  required for device registration service.

Hope this helps.

Easy Migration steps from ADFS 2.1 to 4.0

In this article we will have a look at steps to migrate from ADFS 2.1 to 4.0 which has been used for on-premise web based claim aware applications.

Things to perform on the ADFS 2.1 Server :
1) Export the Config Data

The config data can be exported with the scripts located in the \support\adfs folder on the Windows Server 2016 installation CD:

adfs1
Mount the Windows 2016 Media
Export and backup the AD FS configuration data with the below script on a safe folder location
export-federationconfiguration.ps1 -path c:\adfs2backup

2) Export the certificate with the private key from the ADFS 2.1 personal store.

There are few ways to export the certificate along with the private key.We can export the certificate through DigicertUtil along with the private key from the personal store from this ADFS 2.1 Server.
3) Make a note of the account on which the ADFS Windows service is running .
This is very important and required during the installation of ADFS 4.0.

Go to local services ADFS Windows Service – Make a note of the logon account name

4)  Make a note of the edit Federation Service properties

Open ADFS management – Edit Federation service properties – General – Organizational – Events. This is required in the configuration of the federation service on the new ADFS 4.0 farm.

Things to perform on the ADFS 4.0 new server:

1)Import the certificate along with the private key on the new ADFS 4.0 server.

We can use the MMC certificates snap in and import the PFX format certificate that was exported from the old ADFS server. This procedure should be done before installing the ADFS 4.0 role.
2)Install the ADFS services role on this new computer and click configure.

Note:
In AD FS 2.1, we had to download and install the AD FS 2.1 software to deploy the AD FS server infrastructure.
From Windows server 2012 this component is present as a role in the server manager which provided improved configuration wizard which will automatically list and install the services that required during the installation.

a) From the server manager choose ADFS role

b) Select Create the first federation server in a federation farm

adfs1

Select a domain admin account to install ADFS. Its not mandatory to provide the ADFS service account in this page.

adfs1

c) In the next page select the certificate just imported to the personal store

Enter the federation service display name as is it was present on the ADFS 2.1

adfs1

For the service account enter the exact service account name and the password present in ADFS 2.1

adfs1
e) In the database field specify the database either WID database or the new SQL database on this new server according to the configuration.

adfs1

After specifying the database we can click on next post which the ADFS4.0 will be configured successfully .

adfs1

3) Now import the federation data that was exported from the old ADFS 2.1
run import-federationconfiguration.ps1 -path  c:\adfs2backup

After the import configuration is completed we would be able to see the ADFS configuration as is it was present in the previous server.

4)  Enable IDP initiated sign on page by running the below command.

(get-adfsproperties).EnableIDInitiatedSignonPage

Verify the new ADFS Farm:

Verifying the new ADFS farm is very much important before we decommission the old farm.

Make a host entry directly to this  new ADFS 4.0 server which consumes the ADFS service and visit the IDP initiated sign on page and make sure the application is able to reach the IdpInitiatedSignOn.aspx page .

Example below :

https://adfs.exchangequery.com/adfs/ls/idpinitiatedsignon.aspx

Good to Know:

1) ADFS on Windows Server 2012 R2 uses the SNI (server name indication) extension of SSL. This means that we  need to reach the IdpInitiatedSignon.aspx page with the exact URL of the ADFS farm. So if the ADFS server is ADFS01.exchangequery.com with the IP address 10.34.42.11 and the name of the farm is adfs.exchangequery.com, the following apply:

https://adfs01.exchangequery.com/adfs/ls/idpinitiatedsignon.aspx does not work (TCP RST will be sent to terminate the TLS negotiation)

https://10.34.42.11/adfs/ls/idpinitiatedsignon.aspx does not work (TCP RST will be sent to terminate the TLS negotiation)

https://adfs.exchangequery.com/adfs/ls/idpinitiatedsignon.aspx works

2) ADFS 4.0 no longer uses IIS, so do not install IIS as a part of the prerequisite during the installation. ADFS 4.0 can be published via windows server web application proxy server.

3) Windows Server 2016 has the ability to perform an in-place upgrade of Active Directory Federation Services (ADFS) from 3.0 to 4.0. All we need to do is introduce the new ADFS 4.0 in the existing ADFS 3.0 farm (mixed farm) make them primary and then decommission the old 3.0 servers.But this option is not available if we are running ADFS 2.1 farm.

Thanks & Regards 
Sathish Veerapandian
MVP – Office Servers & Services

%d bloggers like this: