Replacing ADFS 2.0 Secure Communications Certificate – “The Certificate Cannot Be Processed”

Posted on Updated on

For all Office 365 Active Directory Federation Services (ADFS) administrators, you may find that your ADFS “Secure Communications” certificate has expired and needs to be replaced or you need to replace the certificate and having issues replacing.  Many times administrators will start with an internal Certificate Authority (CA) cert and later upgrade to a public certificate, in order to support users with Outlook or other rich applications.

Whatever the reason, there are a few things you need to think about when performing this task:

  1. The Active Directory Federation Services MMC (UI) can be used to set the “Secure Communications” certificate by doing the following:
    1. Expand the ADFS –> Service –> Certificates node and right-click the certificates folder and select: Set Service Communications certificate option, which sets the certificate applied to your IIS default website as the secure communications certificate for use in ADFS.
      1. Note – You will be presented with all viable certificates in the Local Machine –> Personal –> Certificates store.
    2. Select the proper certificate presented and click OK

Note – I attempted this in my lab environment, however I had to rekey my certificate and the old certificate had been revoked.  Because of this, I believe the above steps failed with the following error, which forced me to use PowerShell to set the proper certificate while clearing out my old certificate.

Attempt to Set Secure Communications Certificate

set-secure_comms

Steps to Resolve

  1. Remove the old certificate from the Local Machine –> Personal –> Certificates store
  2. Import new certificate using IIS –> Import Certificate
    1. Place into the Local Machine –> Personal –> Certificate store
  3. Manage Certificates –> Manage Private Keys –> Grant read (I gave the ADFS AppPool identity Full Access)
  4. Launch PowerShell
    1. Add-PSSnapin Microsoft.ADFS.PowerShell
    2. Set-ADFSCertificate –CertificateType Secure-Communications –Thumbprint “e3 r 45 d4 5t 7u 8i 3e”
      1. Note:  Turns out the –CertificateType string is NOT enclosed in quotations while –Thumbprint is.  I had this backwards and the error states that “-CertificateTYpe is invalid”.  This is wrong, it was which string was wrapped in quotes.
          • Error Message if you enclose the wrong string in quotations:
            1. adfs_invalid_certType
        1. Example using PowerShell 3.0 ISE, which is an outstanding tool for working in PowerShell
          • set-secure_communications-success
  5. Restart IIS and ADFS Services
    1. IISReset
    2. ADFS 2.0 Service Restart
  6. Launch the ADFS 2.0 MMC –> Services –> Certificates and verify that the new certificate is listed
  7. Launch the Microsoft Online Windows PowerShell and update the Microsoft Federation Gateway with the new certificate and thumbprint
    1. Download and install Online PowerShell: https://portal.microsoftonline.com/IdentityFederation/IdentityFederation.aspx
    2. Launch and connect to Microsoft Online Services:  connect-MSOLService
      1. Note: Enter your online Global Admin credentials
    3. Update MFG with new certificate information:
      1. Update-MSOLFederatedDomain -DomainName <domainName.com>
    4. Check that the new certificate information, such as Thumbprint has been uploaded into the cloud:
      1. Get-MSOLFederationProperty -DomainName <domainName.com>

AND TEST…you should be set and ready to go!

Whatcha thinkin?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s