Changing certificate on AD FS and DRS


If you have AD FS with the Device Registration Service (DRS) configured on Windows Server 2012 R2, you may run into trouble when you decide to change the certificate on the AD FS server. Although the AD FS management console lets you change the service certificate for AD FS, it will not let you change the SSL certificate, nor will it let you grant the group managed service account used by DRS access to the private key of the new certificate. As a result, changing the AD FS service certificate only through the AD FS console will stop DRS from working (and your devices will no longer be able to perform Workplace Join). So, if you want to change this certificate, for whatever reason, there is a procedure to follow:

1. First, during the certificate enrollment process for the new certificate, make sure that you assign rights to access the private key. This is not a very obvious thing to do, actually. When you start the certificate request procedure on your AD FS server, choose the Web Server template, and then open its properties to configure more settings. On the Subject tab, make sure that you type all the names that you need. First, you need the name of your AD FS cluster (or server), for example adfs.adatum.com. Make sure that this name is not the same as your AD FS server name. You also need this same name as a SAN (Subject Alternative Name), along with the enterpriseregistration and enterpriseenrollment SAN host names (the second one is for Windows 10). See the example below:

[Screenshot: Subject tab of the certificate properties, showing the common name and the SAN entries]

2. Then go to the Private Key tab, expand Key Permissions and select the Use custom permissions check box. Click Set permissions, then Add, select Service accounts as the object type, and type the group managed service account that you created when you first configured DRS. See the example below:

[Screenshot: Private Key tab, Key Permissions with the group managed service account added]

The group managed service account in this example is FsGmsa1 in the Adatum.com domain. When you have configured this, finish enrolling the certificate.

Note: Make sure that this service account has an SPN set for your AD FS cluster name. You can check that with the following command: setspn -L adatum\FsGmsa1$. The result should look something like this:

host/adfs.adatum.com
http/adfs.adatum.com

3. When you finish the certificate enrollment, while you still have the Certificates console open, double-click the new certificate. Go to the Details tab and scroll down to the Thumbprint attribute. Copy the thumbprint value to Notepad and remove the spaces between the pairs of characters.

4. Now you have to issue two PowerShell commands to set up the new certificate to work with AD FS. The first command is:

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint "your_new_certificate_thumbprint"

This sets your new certificate as the AD FS service certificate. You can also do this part by using the AD FS Management console.

The second command changes the SSL certificate for AD FS (that's the one you need for AD FS, and the one you can't change with the console):

Set-AdfsSslCertificate -Thumbprint "your_new_certificate_thumbprint"

When you finish this, you will be good to go. Restart your AD FS and DRS services, and they should start successfully.
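As an added example that is not part of the original post, the following PowerShell script ties the four steps together as checks before the two cmdlets are run: it verifies the thumbprint format from step 3, the SAN names from step 1, the group managed service account's read access to the private key from step 2 and the SPNs from the note, and only then switches both certificates and restarts the services. It assumes the post's example names (adfs.adatum.com, the adatum.com suffix and the gMSA ADATUM\FsGmsa1$) and a placeholder thumbprint that you replace with your own; the MachineKeys path check assumes the certificate was enrolled through a CSP, which the Web Server template does by default, and the service names adfssrv and drs are assumed to be the AD FS and DRS services on a 2012 R2 server.

```powershell
# Added example, not from the original post. Values below come from the post's example
# environment; the thumbprint is a placeholder that must be replaced before running.
$FederationServiceName = 'adfs.adatum.com'
$DnsSuffix             = 'adatum.com'
$GmsaName              = 'ADATUM\FsGmsa1$'
$NewThumbprint         = 'REPLACE_WITH_NEW_CERTIFICATE_THUMBPRINT'

# Step 3 check: after removing the spaces copied from the Details tab, a SHA-1
# thumbprint is exactly 40 hex characters.
$NewThumbprint = ($NewThumbprint -replace '\s', '').ToUpper()
if ($NewThumbprint -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint '$NewThumbprint' is not 40 hex characters; re-copy it from the Details tab."
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert) { throw "No certificate with thumbprint $NewThumbprint in LocalMachine\My." }

# Step 1 check: the federation service name plus the enterpriseregistration and
# enterpriseenrollment names must all be present in the Subject Alternative Name.
$requiredNames = @(
    $FederationServiceName,
    "enterpriseregistration.$DnsSuffix",
    "enterpriseenrollment.$DnsSuffix"
)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension.' }
# Format() renders entries such as "DNS Name=adfs.adatum.com"; keep only the host names.
$sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
    ForEach-Object { $_.Groups[1].Value.ToLower() }
$missing = $requiredNames | Where-Object { $sanNames -notcontains $_.ToLower() }
if ($missing) { throw "SAN is missing: $($missing -join ', '). Re-enroll with all names." }

# Step 2 check: the gMSA that DRS runs as needs Read on the private key. For a CSP key
# (the Web Server template default, an assumption here) that is a file ACL under MachineKeys.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }
$keyInfo = $cert.PrivateKey.CspKeyContainerInfo
if ($keyInfo) {
    $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyInfo.UniqueKeyContainerName
    $hasRead = (Get-Acl -Path $keyPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $GmsaName -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if (-not $hasRead) {
        throw "$GmsaName has no Read access to the private key; set Key Permissions during enrollment."
    }
} else {
    Write-Warning 'Key is not a CSP key; verify the gMSA private key permission in the Certificates console.'
}

# Note from the post: the gMSA must carry the host/ and http/ SPNs for the service name.
$spnOutput = & setspn.exe -L $GmsaName 2>&1 | Out-String
foreach ($spn in @("host/$FederationServiceName", "http/$FederationServiceName")) {
    if ($spnOutput -notmatch [regex]::Escape($spn)) {
        throw "SPN $spn is not registered on $GmsaName."
    }
}

# Step 4: service-communications certificate (also possible in the console) and the SSL
# certificate (PowerShell only), then restart AD FS and DRS so both pick up the new key.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $NewThumbprint
Set-AdfsSslCertificate -Thumbprint $NewThumbprint
Restart-Service -Name adfssrv, drs

# Confirm that every SSL binding now reports the new thumbprint.
Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $NewThumbprint } |
    ForEach-Object { Write-Warning "Binding $($_.HostName):$($_.PortNumber) still uses $($_.CertificateHash)" }
```

Run it in an elevated PowerShell session on the AD FS server after enrollment; each check throws before any change is made, so a certificate that was enrolled without the SAN names or without the gMSA key permission is caught while it is still cheap to re-enroll, rather than after DRS has already stopped.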

Author: ddamir

Damir Dizdarevic holds a B.Sc. in Math and is an IT professional. He works as the manager of the MS CPLS Learning Center in Logosoft Sarajevo, and as a lecturer and author of MOC courses. Occasionally, he also works as a system designer for complex enterprise environments. He is a founding member and president of the Bosnian Microsoft Community. He has been working with Microsoft platforms for the last 17 years and is particularly specialized in Windows Server, Exchange Server, mobility and virtualization. Microsoft awarded him Most Valuable Professional (MVP) status for his outstanding contribution to sharing knowledge about Microsoft Server products, the large number of lectures he has delivered, and his high technical competence. Damir holds several technical certifications (MCSE, MCTS, MCITP, and MCT) for Windows Server 2012, 2008 R2, Exchange Server 2010, Security and Hyper-V. He is a regular presenter at conferences in the ex-Yu region. At the Microsoft Sinergija conference, for the previous 7 years, he was graded each time as one of the top three speakers. At the Bosnian MS conference, he has been the best speaker for the last two years. He is also a regular and highly graded presenter at other Microsoft conferences in the region such as NT Conference (Slovenia), Microsoft Vizija (Macedonia), Microsoft Windays (Croatia), MS Technet, Mobility Day, KulenDayz etc. Damir is one of very few trainers in Europe who works as an author and reviewer of official MOC courses. In the previous year, he authored courses 20417 (Upgrading Skills to Windows Server 2012), 20414 (Implementing an Advanced Server Infrastructure), 20412 (Configuring Advanced Windows Server 2012 Services) and 20410 (Installing and Configuring Windows Server 2012). He also authored System Center 2012 courses and is currently working on Exchange Server 2013 and Windows Server 2012 R2 courses.
In addition, he has been working for 16 years as one of the editors of the BiH IT magazine INFO, where he has published more than 300 technical articles, and he also writes for the well-known Windows ITPro Magazine (some of his work can be found at: http://windowsitpro.com/author/damir-dizdarevic).
