Microsoft Active Directory Federation Services (AD FS) is a single sign-on solution that relies on certificates to secure the environments for which it provides authentication. A typical deployment consists of on-premises federation servers and Web Application Proxy (WAP) servers placed in an edge network. The communication between these servers and the tokens AD FS issues are both secured by certificates, and certificates eventually expire. If the server authentication (SSL) certificate expires while AD FS is still using it, user sign-in attempts start failing immediately. To avoid that, AD FS certificates must be renewed and redeployed from time to time, and this post walks through the high-level steps to get that done. Note that this write-up covers renewal of the server authentication certificate issued by a public Certificate Authority; the token-signing and token-decrypting certificates are self-signed and roll over automatically, provided AutoCertificateRollover is enabled (the default; confirm with (Get-AdfsProperties).AutoCertificateRollover).

Certificate Renewal and Re-keying

To extend the life of the AD FS certificate, request a renewal through your public Certificate Authority (e.g., GoDaddy, DigiCert). Each vendor's process differs slightly, but the certificate should appear in your product list with an option to renew it; if the option is not obvious, the vendor's support team can assist over the phone or point you to the right place in their portal. Once the renewal has been purchased, the certificate must be re-keyed with a new Certificate Signing Request (CSR), generated on the server that will hold the private key, so that the public/private key pair can later be exported for the rest of the AD FS environment. To generate the CSR, log on to the primary AD FS federation server and do the following:
1. Open Server Manager and click Tools
2. Select Internet Information Services (IIS) Manager
3. In IIS Manager on the Connections pane highlight the server object
4. Select Server Certificates from the center pane

Figure 1: Selecting Server Certificates

5. Select Create Certificate Request from the Actions pane on the right-hand side of the window

Figure 2: Selecting Create Certificate Request

6. In the Request Certificate wizard enter the Distinguished Name properties for the certificate being re-keyed. The Common Name must be the federation service name (the host name users are redirected to for sign-in, e.g., sts.contoso.com). Note that the IIS wizard cannot add Subject Alternative Names; if the certificate also needs additional names (such as enterpriseregistration.<domain> for device registration), generate the CSR with certreq and an INF file instead of the wizard.

Figure 3: Filling out DN Properties

7. On the Cryptographic Service Provider Properties page select Microsoft RSA SChannel Cryptographic Provider and a bit length of 2048 (or larger); public CAs no longer sign 1024-bit keys

Figure 4: Selecting Crypto Provider Properties

8. On the File Name page specify a save location and a name for the certificate request

9. Click Finish

10. Navigate to the location where you just saved the CSR, open it with Notepad, and copy the entire contents, including the BEGIN NEW CERTIFICATE REQUEST and END lines; most CA portals expect the markers to be present

Figure 5: Certificate Signing Request
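The same re-key CSR can be produced from PowerShell with certreq and an INF file, which is also the only way to include Subject Alternative Names that the IIS wizard cannot add. The script below is an added example and is not part of the original post; the federation service name sts.contoso.com, the organization fields, the extra enterpriseregistration name and the output directory are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): generate the re-key CSR with certreq.exe
# instead of the IIS Manager wizard, so Subject Alternative Names can be included.
# Assumptions: sts.contoso.com, the O/L/S/C fields, enterpriseregistration.contoso.com
# and C:\Temp\adfs-csr are placeholders for your environment. Run on the primary
# federation server in an elevated PowerShell session.

$FederationServiceName = 'sts.contoso.com'       # assumption: your farm's service name
$ExtraSan = 'enterpriseregistration.contoso.com'  # assumption: only needed for device registration
$OutDir = 'C:\Temp\adfs-csr'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The INF drives certreq. Exportable = TRUE is required so the private key can be
# exported as a .pfx later; MachineKeySet = TRUE puts the key in the Local Machine
# store where the AD FS service can reach it. ProviderName/ProviderType 12 select the
# Microsoft RSA SChannel CSP, matching the wizard choice in the post.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$FederationServiceName, O=Contoso, L=Redmond, S=WA, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeyUsage = 0xa0
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$FederationServiceName&"
_continue_ = "dns=$ExtraSan&"
"@

$infPath = Join-Path $OutDir 'adfs.inf'
$csrPath = Join-Path $OutDir 'adfs.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Creates the key pair in the Local Machine store and writes the Base64 CSR.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Sanity check before pasting into the CA portal: decode the request and confirm the
# subject, key length and SAN entries are what you intended.
certreq.exe -dump $csrPath | Select-String -Pattern 'Subject:', 'Public Key Length', 'DNS Name='

# This is the text (markers included) that goes into the CA portal.
Get-Content -Path $csrPath
```

Because the key pair is created at -new time and bound to this machine's store, the issued certificate must later be completed on this same server (certreq -accept <file> is the command-line equivalent of the IIS Complete Certificate Request step).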

At this point, take the copied CSR back to your public Certificate Authority's portal and submit the signing request. Once the CA has issued it, the new certificate will be available for download. Download the IIS format of the certificate so that it can be used to complete the pending request on the primary AD FS server from which the CSR was generated.


Certificate Signing Request Completion

After retrieving the signed certificate from your public Certificate Authority, use that file to complete the pending request on the primary federation server where the CSR was created. Completing the request joins the issued certificate to the private key generated in the previous section, which is what makes a .pfx export possible for installing the certificate on the rest of the server farm. To do so follow these steps:

  1. Log on to the primary federation server where the CSR was initially generated and open IIS Manager
  2. In the Connections pane highlight the name of the server you are logged on to
  3. Select Server Certificates from the center pane
  4. Select Complete Certificate Request from the right-hand Actions pane


5. Browse to the certificate file downloaded from the CA, give it a friendly name that identifies the certificate and its expiry year (the friendly name is what you will look for when exporting), and leave the certificate store set to Personal


6. Click OK; the new certificate appears in the Server Certificates list and in the computer's Personal certificate store. If IIS reports that the request cannot be completed, the most likely cause is that the request was not created on this server, so the private key is not here

Certificate Export and Installation

Now that the new certificate has been installed on the primary federation server, it can be exported together with its private key and installed on the remaining federation and Web Application Proxy servers in the AD FS environment.

  1. Open MMC on the primary federation server
  2. From the File menu choose Add/Remove Snap-in and add the Certificates snap-in for the Computer account
  3. Drill into Certificates (Local Computer) > Personal > Certificates
  4. Right-click on the new certificate (check the expiration date and friendly name), then choose All Tasks > Export
  5. On the initial page of the Certificate Export Wizard click Next
  6. On the Export Private Key page select Yes, export the private key, then click Next


7. Choose Personal Information Exchange - PKCS #12 (.PFX), check Include all certificates in the certification path if possible, and leave Delete the private key if the export is successful unchecked (the primary server still needs its key), then click Next


8. Check the box next to Password and give the wizard a strong password; the .pfx contains the private key, and this password is the only thing protecting it while the file is in transit

9. Choose where to save the new .pfx file

10. Click Finish


11. Copy the new .pfx file to each remaining federation server and Web Application Proxy server over an authenticated channel (an admin share or an RDP session, not e-mail), and delete every copy, including the one on the primary, once the imports are done

12. On each server right-click the .pfx file, click Install PFX, choose Local Machine as the store location (not Current User, which the AD FS and WAP services cannot read), enter the password, and let the wizard place the certificate in the Personal store

13. The new cert is now ready to be enabled for the ADFS environment
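The export and install steps above can also be scripted from the primary federation server, which keeps the .pfx off desktops and removes every copy when the import finishes. This is an added example and not code from the original post; the service name sts.contoso.com, the server names in $OtherNodes and the C:\Temp paths are placeholders, and it assumes WinRM and the C$ admin share are reachable on each target (a non-domain-joined WAP in the edge network may need the manual copy instead).

```powershell
# Added example (not from the original post): export the newly issued certificate with
# its private key from the primary federation server and import it into the Local
# Machine Personal store on each remaining federation and WAP server.
# Assumptions: sts.contoso.com, the node names and C:\Temp are placeholders; WinRM and
# the C$ share are reachable on every node listed.

$FederationServiceName = 'sts.contoso.com'                          # assumption
$OtherNodes = @('adfs02.corp.contoso.com', 'wap01.corp.contoso.com') # assumption
$PfxPath = 'C:\Temp\adfs-ssl.pfx'
$RemotePfxPath = 'C:\Temp\adfs-ssl.pfx'

# Pick the newest certificate issued for the service name that actually has a private
# key here; an older or renewed-but-not-completed entry will not satisfy HasPrivateKey.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationServiceName*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $FederationServiceName in LocalMachine\My" }
"Exporting $($cert.Thumbprint), expires $($cert.NotAfter)"

# Prompt for the PFX password instead of hard-coding it; the file contains the private key.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# -ChainOption BuildChain is the wizard's "Include all certificates in the certification
# path if possible" checkbox, so the intermediate CA certificate travels with the leaf.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

foreach ($node in $OtherNodes) {
    # Copy over the authenticated admin share, then import into the machine store
    # (not CurrentUser), which is where the AD FS and WAP services look for it.
    Copy-Item -Path $PfxPath -Destination "\\$node\C$\Temp\adfs-ssl.pfx"
    Invoke-Command -ComputerName $node -ArgumentList $RemotePfxPath, $pfxPassword -ScriptBlock {
        param($path, $pw)
        Import-PfxCertificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\My -Password $pw | Out-Null
        Remove-Item -Path $path -Force   # do not leave the private key lying around
    }
    "Imported on $node"
}

# Remove the local copy too; the primary already has the key in its store.
Remove-Item -Path $PfxPath -Force
```

The import is deliberately non-exportable (the Import-PfxCertificate default), which matches least privilege: once each server has its copy, nothing on those servers needs to export the key again, and a future re-key will start from a fresh CSR anyway.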

Enabling the New Certificate on Remaining Servers

Now that the .pfx has been installed on each of the AD FS and WAP servers, it needs to be configured for use by the AD FS service. Before running the commands below, confirm on each federation server that the AD FS service account has Read permission on the new certificate's private key (right-click the certificate in the Certificates MMC, All Tasks, Manage Private Keys); a missing private key ACL is the most common reason the service fails after the switch. The switch itself is accomplished using the PowerShell commands below:

  1. Open MMC, add the Certificates snap-in for the computer account, open the new certificate, and copy its Thumbprint from the Details tab. Paste it into Notepad first and remove the spaces; a thumbprint copied from the MMC can carry an invisible leading character that makes the cmdlets below fail to find the certificate
  2. On each federation server in the environment open PowerShell as an Administrator
  3. Execute the following command using the thumbprint that was gathered in Step 1 (on AD FS 2016 and later, running it once on the primary server pushes the SSL binding to every node in the farm)
    1. Set-AdfsSslCertificate -Thumbprint <thumbprint value>
  4. Log on to the primary AD FS server and execute the following commands; the service must be restarted before the new service communications certificate is used
    1. Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint <thumbprint value>
    2. Restart-Service adfssrv
  5. Log on to each WAP server in the environment and execute the following command
    1. Set-WebApplicationProxySslCertificate -Thumbprint <thumbprint value>

At this point the new certificate is in place and being used by the AD FS environment. Verify it before walking away: confirm that Get-AdfsSslCertificate and Get-AdfsCertificate -CertificateType Service-Communications report the new thumbprint, browse to https://<federation service name>/federationmetadata/2007-06/federationmetadata.xml from outside the network so the request traverses the WAP, inspect the certificate the browser receives (the new expiry date and a complete chain), and perform a test sign-in to a federated application.
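The binding commands and the verification that should follow them, as one script. This is an added example and not part of the original post; it resolves the thumbprint from the certificate store rather than from the MMC (which avoids the hidden-character paste problem), applies the three Set-* cmdlets, and then checks both what AD FS believes it is using and what a TLS client actually receives on port 443. The service name sts.contoso.com and the WAP server name are placeholders, and the WAP block assumes WinRM is reachable; run it on the WAP directly if it is not.

```powershell
# Added example (not from the original post): bind the new certificate by thumbprint and
# verify the result end to end. Assumptions: sts.contoso.com and wap01.corp.contoso.com
# are placeholders; run this on the primary federation server as Administrator. On farms
# older than AD FS 2016, run the Set-AdfsSslCertificate line on every federation server.

$FederationServiceName = 'sts.contoso.com'      # assumption
$WapServers = @('wap01.corp.contoso.com')       # assumption

# Resolve the thumbprint from the store instead of pasting it from the MMC.
$new = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationServiceName*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $new) { throw "No certificate with a private key for $FederationServiceName" }
$thumb = ($new.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) { throw "Unexpected thumbprint '$thumb'" }

# 1. HTTP.sys SSL binding used by AD FS (pushed to all nodes on AD FS 2016+).
Set-AdfsSslCertificate -Thumbprint $thumb

# 2. Service communications certificate, primary server only, then restart the service.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
Restart-Service -Name adfssrv

# 3. Each WAP server (assumes WinRM; otherwise run the cmdlet on the WAP itself).
Invoke-Command -ComputerName $WapServers -ArgumentList $thumb -ScriptBlock {
    param($t) Set-WebApplicationProxySslCertificate -Thumbprint $t
}

# Verification 1: what AD FS thinks it is using.
Get-AdfsSslCertificate | Select-Object -Property HostName, PortNumber, CertificateHash
Get-AdfsCertificate -CertificateType Service-Communications | Select-Object -Property Thumbprint, IsPrimary

# Verification 2: what a client actually receives on 443 for the public name. The
# validation callback returns $true on purpose so we can inspect a bad chain instead
# of just getting an exception; the thumbprint comparison below is the real check.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName, as a browser would
        New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $tcp.Close()
    }
}

$served = Get-ServedCertificate -HostName $FederationServiceName
if ($served.Thumbprint -ne $thumb) {
    throw "$FederationServiceName still serves $($served.Thumbprint) (expires $($served.NotAfter)); expected $thumb"
}
"OK: $FederationServiceName serves $thumb, expires $($served.NotAfter)"

# Verification 3: the metadata endpoint answers over the new certificate. Run this from
# an external client too, so the request traverses the WAP rather than the internal VIP.
$metadata = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
(Invoke-WebRequest -Uri $metadata -UseBasicParsing).StatusCode
```

If Verification 2 reports the old thumbprint from inside the network but the new one from outside (or the reverse), the mismatch tells you which side still has a stale binding: the internal federation servers answer Set-AdfsSslCertificate, while the external path is served by the WAP binding set with Set-WebApplicationProxySslCertificate.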