
ADFS Update

ADFS allows outside services to use your local AD accounts. Sometimes this can be done through:

- Local connectors (such as MobileIron and AzureAD).
- Azure AD connections (such as GoToConnect).
- LDAPS connections on port 636 (such as Mimecast).
- ADFS connections (such as Dropbox, Cisco, Adobe, Zoom).

ADFS is certificate based. If the correct certificate is sent to the outside service, that service can then connect to the ADFS and authenticate against your local accounts.

One problem arises when the certificate is expiring and needs to be updated: the outside service has to be made aware of the change, and how that is done depends on the outside service.

The ADFS can hold multiple certificates, a primary and a secondary. As the primary one is expiring or has expired, the secondary one should be considered. Again, this depends on the outside service.

What we did was activate a secondary certificate with the updated information and valid dates.

Then we went through all the vendors individually over the next few weeks to make sure they were aware we were updating the metadata of the ADFS. Some of them said "no problem, just update the metadata in your such-and-such account." Others would only consider the first (primary) certificate.

To see all the certificates in the computer account's personal store:

get-childitem -path cert:\LocalMachine\My

This will come back with the Thumbprint and Subject.

Or if you want to look at all the properties of a single certificate:

get-childitem -path cert:\LocalMachine\My\CE4B4EFC3FA0FB7FAE5DEE80B8814C7F14BDA4CD | fl -property *

Most will want the thumbprint, the issued-to name, the friendly name, the expiration date (NotAfter) and the DNS name list:

Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object Thumbprint, FriendlyName, NotAfter, @{Label = 'IssuedTo'; Expression = { $_.GetNameInfo('SimpleName', $false) }} -ExpandProperty DnsNameList | Format-Table

To update the certificate on the ADFS servers:

Set-AdfsSslCertificate -Thumbprint abcdefghijklmnopqrstuvwxyz1234567890
(replace with the thumbprint of the new SSL certificate)

Then update the certificate on the ADFS web proxy servers:

Set-WebApplicationProxySslCertificate -Thumbprint abcdefghijklmnopqrstuvwxyz1234567890
(replace with the thumbprint of the new SSL certificate; note the cmdlet name is Set-WebApplicationProxySslCertificate)

If you have a certificate's thumbprint but do not know which store it is in, you can search every certificate store for it:

Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq 'abcdefghijklmnopqrstuvwxyz1234567890' }
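Before changing any bindings, it helps to know which certificates in the store ADFS is actually using and how close each one is to expiry. The script below is an added example, not code from the original post or from Microsoft; it assumes it is run on an ADFS server with the ADFS module loaded, and the 30-day warning window ($WarnDays) is an assumed threshold, not an ADFS setting.

```powershell
# Added example (not from the original post): list the certificates in
# Cert:\LocalMachine\My that ADFS is bound to, flag the ones expiring soon,
# and warn when a primary token cert is expiring with no secondary published.
# Assumes it runs on an ADFS server; $WarnDays is an assumed threshold.
param([int]$WarnDays = 30)

$now = Get-Date

# Thumbprints ADFS uses: SSL bindings expose CertificateHash, while the
# token-signing/decrypting/service-communications certs come from Get-AdfsCertificate.
$sslHashes = @((Get-AdfsSslCertificate).CertificateHash | Select-Object -Unique)
$adfsCerts = @(Get-AdfsCertificate)

Write-Host "Certificates in Cert:\LocalMachine\My that ADFS is using:"
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $roles = @()
    if ($sslHashes -contains $cert.Thumbprint) { $roles += 'SSL binding' }
    foreach ($a in $adfsCerts | Where-Object Thumbprint -eq $cert.Thumbprint) {
        $roles += '{0} ({1})' -f $a.CertificateType, $(if ($a.IsPrimary) { 'primary' } else { 'secondary' })
    }
    if ($roles.Count -eq 0) { continue }   # not referenced by ADFS, skip it

    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $flag = if ($daysLeft -le $WarnDays) { '  <-- expiring' } else { '' }
    '{0}  {1,-35} {2:yyyy-MM-dd} ({3,4} days)  {4}{5}' -f $cert.Thumbprint,
        $cert.GetNameInfo('SimpleName', $false), $cert.NotAfter, $daysLeft,
        ($roles -join ', '), $flag
}

# A primary token-signing or token-decrypting cert that is about to expire with
# no secondary published means relying parties have nothing to roll over to.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $set       = $adfsCerts | Where-Object CertificateType -eq $type
    $primary   = $set | Where-Object IsPrimary
    $secondary = $set | Where-Object { -not $_.IsPrimary }
    if ($primary -and $primary.Certificate.NotAfter -le $now.AddDays($WarnDays) -and -not $secondary) {
        Write-Warning ('{0} primary expires {1:yyyy-MM-dd} and no secondary is published.' -f $type, $primary.Certificate.NotAfter)
    }
}
```

Run it once before activating the secondary certificate and again after, so you can confirm the new thumbprint appears against the expected roles before contacting the vendors.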

NOTES:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap
