Latest revision as of 11:05, 14 March 2024
ADFS Issues
When SSO does not work (e.g. on intranet login):
First check in the Certificates MMC on the WAP server that the normal (wildcard) certificate has not expired.
If all certificates are fine, check which certificate is bound to the site (in IIS, or the WAP SSL binding if IIS is not installed) and then double-check that certificate.
In MMC double-click the bound certificate, copy the Thumbprint field into Notepad and remove all the spaces (the result is the certificate thumbprint).
Then in PowerShell on the WAP server(s) run the following command:
- Install-WebApplicationProxy -CertificateThumbprint "<certificate thumbprint>" -FederationServiceName <fs.domainname.com>
You will be prompted for domain admin credentials (an account that is an administrator on the primary ADFS server); once complete you should get the following output:
Message                                   Context             Status
-------                                   -------             ------
The configuration completed successfully. DeploymentSucceeded Success
If this fails, check the ADFS servers and reboot them (reboots are not ideal).
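The procedure above, as an added PowerShell example (not code from the original page): it shows what the proxy currently serves, warns if that certificate is missing or expired, picks the newest valid certificate with a private key that covers the federation service name (the Cert: provider already gives the thumbprint without spaces, so the Notepad step is unnecessary), and then rebinds it or, with -Reinstall, re-runs Install-WebApplicationProxy as the page describes. The federation service name 'fs.contoso.com' is a placeholder; run it in an elevated session on the WAP server with the replacement certificate already imported into LocalMachine\My.

```powershell
<#
Added example (not from the original page): find the certificate that should serve
the federation service on a WAP server, check it, and bind or reinstall.
Run in an elevated PowerShell session on the WAP server.
Assumptions: 'fs.contoso.com' is a placeholder federation service name; the
replacement certificate is already in LocalMachine\My with its private key.
#>
param(
    [string]$FederationServiceName = 'fs.contoso.com',   # placeholder
    [switch]$Reinstall                                    # force Install-WebApplicationProxy
)

Import-Module WebApplicationProxy

# Does a certificate cover the name, either exactly or via a wildcard on the same label depth?
function Test-CertCoversName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    foreach ($dns in @($Cert.DnsNameList.Unicode)) {
        if ($dns -eq $Name) { return $true }
        if ($dns.StartsWith('*.') -and $Name -like $dns -and
            $Name.Split('.').Count -eq $dns.Split('.').Count) { return $true }
    }
    return $false
}

# 1. Show what HTTP.sys is currently serving for the proxy and sanity-check it.
$bound = Get-WebApplicationProxySslCertificate
$bound | Format-Table -AutoSize
foreach ($b in $bound) {
    $c = Get-Item "Cert:\LocalMachine\My\$($b.CertificateHash)" -ErrorAction SilentlyContinue
    if (-not $c) { Write-Warning "Bound hash $($b.CertificateHash) is not in LocalMachine\My" }
    elseif ($c.NotAfter -lt (Get-Date)) { Write-Warning "Bound certificate $($c.Thumbprint) expired $($c.NotAfter)" }
}

# 2. Pick the newest valid certificate with a private key that covers the service name.
#    The Cert: provider exposes Thumbprint without spaces, so no manual clean-up from MMC.
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-CertCoversName $_ $FederationServiceName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No valid certificate with a private key covers $FederationServiceName" }
"Using {0} (subject {1}, expires {2:u})" -f $new.Thumbprint, $new.Subject, $new.NotAfter

# 3. Rebind, or reinstall the proxy when the binding or the trust is broken.
if (-not $Reinstall -and ($bound.CertificateHash -contains $new.Thumbprint)) {
    'Certificate is already bound; nothing to do.'
}
elseif (-not $Reinstall) {
    Set-WebApplicationProxySslCertificate -Thumbprint $new.Thumbprint
}
else {
    # The trust credential is an account that is an administrator on the primary AD FS server.
    $cred = Get-Credential -Message 'Administrator on the primary AD FS server'
    Install-WebApplicationProxy -FederationServiceTrustCredential $cred `
        -CertificateThumbprint $new.Thumbprint -FederationServiceName $FederationServiceName
}
```

Run it once without -Reinstall; if the binding succeeds but logins still fail, run it again with -Reinstall, which re-establishes the proxy trust with the federation service and is what the page's Install-WebApplicationProxy step does.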
ADFS tools
Use tool for troubleshooting:
Update Token Signing Certificate - For entra ID
This can be done manually when automatic rollover has not done it, or when there are issues. Note that Update-ADFSCertificate itself only runs when AutoCertificateRollover is enabled; if it is disabled, the new certificate must be imported and made primary by hand.
Check the ADFS token signing certificates:
- Get-ADFSCertificate -CertificateType token-signing
Generate a new certificate (without -Urgent it is added as the secondary certificate and promoted to primary after the promotion threshold, 5 days by default; with -Urgent it becomes primary immediately, so relying parties must pick up the new metadata straight away):
- Update-ADFSCertificate -CertificateType token-signing
To update the token signing certificate for Microsoft 365 you need to connect to the MSOL service (easiest if done from the primary ADFS server):
- $cred=Get-Credential
- Connect-MsolService -Credential $cred
then update the token signing certificate:
- Update-MSOLFederatedDomain -DomainName <domain>
If there are multiple federated domains add the -SupportMultipleDomain switch. Check with the following command to list the domains:
- Get-MsolDomain
If there are more than one federated domain you will need to update the token signing cert for all:
- Get-MsolDomain -Authentication Federated | % { Update-MsolFederatedDomain -DomainName $_.Name -SupportMultipleDomain }
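The whole rollover as one added PowerShell example (not code from the original page): it lists the token-signing certificates with their role and remaining lifetime, optionally rolls them with Update-AdfsCertificate (refusing when AutoCertificateRollover is off, since the cmdlet will not work then), publishes the change to Entra ID for every federated domain with the -SupportMultipleDomain logic from the page, and finally verifies with Get-MsolFederationProperty that the AD FS farm and Entra ID report the same token-signing thumbprint, which is the check that tells you whether the update actually took. It assumes the MSOnline module is installed (the module the page's own cmdlets come from; Microsoft is retiring it in favour of Microsoft Graph) and is run on the primary AD FS server.

```powershell
<#
Added example (not from the original page): review the AD FS token-signing
certificates, optionally roll them, publish the change to Entra ID for every
federated domain and verify that both sides agree on the primary thumbprint.
Run on the primary AD FS server. Assumes the MSOnline module is installed.
#>
param(
    [switch]$Rollover,   # create a new token-signing certificate
    [switch]$Urgent,     # promote it to primary now instead of after the promotion threshold
    [int]$WarnDays = 30
)

Import-Module ADFS
Import-Module MSOnline

$props = Get-AdfsProperties
"AutoCertificateRollover = {0}; promotion threshold = {1} day(s)" -f $props.AutoCertificateRollover, $props.CertificatePromotionThreshold

# 1. Current state: which certificate is primary and how long it has left.
foreach ($c in Get-AdfsCertificate -CertificateType Token-Signing) {
    $daysLeft = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
    $role = if ($c.IsPrimary) { 'PRIMARY  ' } else { 'secondary' }
    "{0} {1} expires in {2} day(s)" -f $role, $c.Thumbprint, $daysLeft
    if ($c.IsPrimary -and $daysLeft -lt $WarnDays) { Write-Warning "Primary token-signing certificate expires in $daysLeft day(s)" }
}

# 2. Roll over. Update-AdfsCertificate only works with AutoCertificateRollover enabled;
#    without -Urgent the new certificate is added as secondary and promoted later.
if ($Rollover) {
    if (-not $props.AutoCertificateRollover) {
        throw 'AutoCertificateRollover is disabled: import a certificate and use Add-AdfsCertificate / Set-AdfsCertificate -IsPrimary instead.'
    }
    Update-AdfsCertificate -CertificateType Token-Signing -Urgent:$Urgent
}

# 3. Publish the current signing certificates to Entra ID for every federated domain.
Connect-MsolService -Credential (Get-Credential -Message 'Entra ID Global Administrator')
$federated = @(Get-MsolDomain -Authentication Federated)
$multi = $federated.Count -gt 1          # the page's rule: add -SupportMultipleDomain when there is more than one
foreach ($d in $federated) {
    Update-MsolFederatedDomain -DomainName $d.Name -SupportMultipleDomain:$multi
}

# 4. Verify: Get-MsolFederationProperty returns one record from the AD FS farm and one
#    from Entra ID; the token-signing thumbprints must match or SSO will fail.
foreach ($d in $federated) {
    $fp = Get-MsolFederationProperty -DomainName $d.Name
    $thumbs = @($fp | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Select-Object -Unique)
    if ($thumbs.Count -eq 1) {
        "{0}: in sync ({1})" -f $d.Name, $thumbs[0]
    }
    else {
        Write-Warning ("{0}: AD FS and Entra ID disagree on the token-signing certificate" -f $d.Name)
        $fp | Select-Object Source, @{n = 'TokenSigning'; e = { $_.TokenSigningCertificate.Thumbprint }} | Format-Table -AutoSize
    }
}
```

If a domain shows a mismatch after step 3, the usual causes are that the new certificate is still secondary on the farm (no -Urgent and the threshold has not passed) or that Update-MsolFederatedDomain was run without -SupportMultipleDomain on a farm that was federated with it; re-run the script after the promotion, or with the switch, and check again.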
Update ADFS service communications certificates
Service Communications certificate + web proxy
References: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap (MS Learn, manage SSL certificates for AD FS and WAP) and https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-ad-fs-2-dot-0-service-communications (MS Learn, change the service communications certificate)
On the primary ADFS server import the certificate and ensure that the ADFS service account has read permission on the private key (Certificates MMC, Manage Private Keys). Then bind it with the command below; on Windows Server 2016 and later this updates every node in the farm, on 2012 R2 it has to be run on each node. The service communications certificate shown in the AD FS console is separate from the SSL binding and is updated with Set-AdfsCertificate using the Service-Communications type:
Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'
Then on ADFS Proxy (WAP) Servers:
Set-WebApplicationProxySslCertificate -Thumbprint '<thumbprint of new cert>'
If the certificate has already expired or there are problems binding the new one, re-install the Web Application Proxy (this re-establishes the trust with the federation service):
$cred = Get-Credential # an account that is an administrator on the primary ADFS server
Install-WebApplicationProxy -FederationServiceTrustCredential $cred -CertificateThumbprint '<thumbprint of new cert>' -FederationServiceName 'fs.contoso.com'
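The ADFS-side half of this procedure as an added PowerShell example (not code from the original page): it imports the PFX, grants the AD FS service account read access to the private key file (the scripted equivalent of Manage Private Keys in the MMC, which is the step most often forgotten), binds the certificate with Set-AdfsSslCertificate, sets it as the service communications certificate with Set-AdfsCertificate, restarts the service and prints the thumbprint to use on the WAPs. The PFX path is a placeholder; the service account is read from the adfssrv service rather than assumed. It assumes a software private key in the machine store (under ProgramData\Microsoft\Crypto); HSM-backed keys are permissioned with the provider's own tooling instead.

```powershell
<#
Added example (not from the original page): roll the service communications /
SSL certificate on the primary AD FS server in one go: import the PFX, grant the
AD FS service account read access to the private key, bind it and set it as the
farm's service communications certificate.
Placeholder: the PFX path. Assumes a software (machine store) private key under
ProgramData\Microsoft\Crypto.
#>
param(
    [string]$PfxPath = 'C:\certs\fs-contoso-com.pfx',   # placeholder
    [switch]$Apply                                      # without it: import and report only
)

Import-Module ADFS

# Service account that must be able to read the private key (gMSA names end in '$').
$serviceAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName

# 1. Import the certificate into the machine store (exportable so it can be copied to the WAPs).
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd -Exportable
"Imported {0} (subject {1}, expires {2:u})" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter

# 2. Grant read on the key file: the same thing as 'Manage Private Keys' in the MMC.
#    CNG keys live under Microsoft\Crypto\Keys, CAPI keys under Microsoft\Crypto\RSA\MachineKeys;
#    searching the parent folder for the key's unique name covers both.
function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Account)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
               else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
               Select-Object -First 1
    if (-not $keyFile) { throw "Key file '$keyName' not found under ProgramData\Microsoft\Crypto" }
    $acl = Get-Acl -Path $keyFile.FullName
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')))
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    $keyFile.FullName
}

if (-not $Apply) {
    "Dry run: would grant $serviceAccount read on the private key, then bind $($cert.Thumbprint)"
    return
}

$keyPath = Grant-PrivateKeyRead -Cert $cert -Account $serviceAccount
"Granted $serviceAccount read on $keyPath"

# 3. Bind the certificate for HTTPS. On Windows Server 2016 and later this updates every
#    node in the farm over PowerShell remoting; on 2012 R2 run it on each node.
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint

# 4. The service communications certificate shown in the AD FS console is separate
#    from the SSL binding and has to be updated as well.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
Restart-Service adfssrv

"Now on each WAP: Set-WebApplicationProxySslCertificate -Thumbprint $($cert.Thumbprint)"
```

Run it first without -Apply to confirm the import and the resolved service account, then with -Apply. Copy the same PFX to each WAP and run the Set-WebApplicationProxySslCertificate line it prints; if a WAP's old certificate has already expired, fall back to the Install-WebApplicationProxy step above.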