m (9 revisions imported) |
|||
| Line 31: | Line 31: | ||
https://adfshelp.microsoft.com/DiagnosticsAnalyzer/Analyze | https://adfshelp.microsoft.com/DiagnosticsAnalyzer/Analyze | ||
==Update Token Signing Certificate== | ==Update Token Signing Certificate - For entra ID== | ||
[https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-fed-o365-certs MS Documentation] | [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-fed-o365-certs MS Documentation] | ||
| Line 54: | Line 54: | ||
If there are more than one federated domain you will need to update the token signing cert for all: | If there are more than one federated domain you will need to update the token signing cert for all: | ||
*'''Get-MsolDomain -Authentication Federated | % { Update-MsolFederatedDomain -DomainName $_.Name -SupportMultipleDomain }''' | *'''Get-MsolDomain -Authentication Federated | % { Update-MsolFederatedDomain -DomainName $_.Name -SupportMultipleDomain }''' | ||
== Update ADFS certificates == | |||
Service Communications certificate + web proxy | |||
[https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap Ms Learn Documentation] | |||
[https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-ad-fs-2-dot-0-service-communications MS Learn Service comms cert change] | |||
Revision as of 11:00, 14 March 2024
ADFS Issues
When SSO does not work on eg intranet login:
First check that the normal cert ( wild card ) hasn't expired via MMC on the WAP server
If all certs are fine, check IIS to see what cert is bound to the site and then double check this cert
In MMC double click the cert that it is bound to and take the hex key and paste in to notepad - removing all the spaces ( this is the certificate thumbprint )
Then in powershell on the WAP server(s) run the following command:
- Install-WebApplicationProxy –CertificateThumbprint "<certificate thumbprint>" -FederationServiceName <fs.domainname.com>
You will need to end the domain admin details, once complete you should get the following output:
Message Context Status ------- ------- ------ The configuration completed successfully. DeploymentSucceeded Success
If this fails, Then check the ADFS servers and reboot them ( reboots are not ideal )
ADFS tools
Use tool for troubleshooting:
Update Token Signing Certificate - For entra ID
This can be done manually if the auto rollover feature is not enable or if there are issues.
Check the ADFS token signing certificates:
- Get-ADFSCertificate –CertificateType token-signing
Generate a new certificate:
- Update-ADFSCertificate –CertificateType token-signing
To update the token signing certificate for Microsoft O365 you need to connect to the msol service(easist if done from the primary adfs server):
- $cred=Get-Credential
- Connect-MsolService –Credential $cred
then update the token signing certificate:
- Update-MSOLFederatedDomain –DomainName <domain>
If there are multiple domains add -SupportMultipleDomain switch. Check with the following command to list the domains:
- Get-MsolDomain
If there are more than one federated domain you will need to update the token signing cert for all:
- Get-MsolDomain -Authentication Federated | % { Update-MsolFederatedDomain -DomainName $_.Name -SupportMultipleDomain }
Update ADFS certificates
Service Communications certificate + web proxy