Wednesday, November 06, 2013

ADFS: Changing service communications certificate

This is on Server 2008.

If you've used ADFS for a while, you'll know that the certificates expire, you get new ones and add them and so on.

After a while, the certificate store looks like a mess! Many certificates with the same name.

So you have the bright idea of deleting them all, importing the new one and configuring the new one in ADFS.

BAD move:

When you try and add the new service communications certificate, you get:

Error: AD FS Management
The certificate could not be processed.
Error message: Object reference not set to an instance of an object.


This article goes into detail but I still couldn't get it to work.

How to change the ADFS 2.0 service communications certificate after it expires

So you import the new certificate and add it to the IIS HTTPS binding.

Mr Google to the rescue: you need to run PowerShell as administrator and load the AD FS snap-in:

Add-PSSnapin Microsoft.Adfs.PowerShell

Then get the new certificate thumbprint from MMC and use the following:

Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint xxyyzz...

WARNING: PS0001: One or more of the specified certificate(s) has a key length of less than 2048 bits. This may present a security risk.
WARNING: PS0038: This action requires a restart of the AD FS 2.0 Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.
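The whole procedure above, as an added PowerShell example that is not part of the original post: it records which certificate AD FS is using before you touch the store (so the duplicate clean-up does not delete the live one), lists the same-subject duplicates, checks the new certificate for the things that produce the PS0001 error and the "Object reference" failure (missing private key, expired, short key), then binds it and restarts the service. It assumes Windows PowerShell running elevated on the AD FS 2.0 server, that `Get-ADFSCertificate` returns objects with `Thumbprint` and `Certificate` properties, and that the AD FS 2.0 service is named `adfssrv`; `$NewThumbprint` is a placeholder you replace with the value copied from MMC.

```powershell
# Added example, not from the original post. Assumes elevated Windows PowerShell
# on the AD FS 2.0 server and the service name 'adfssrv'.
# Paste the thumbprint from the MMC Certificates snap-in here (placeholder);
# MMC copies it with spaces and sometimes an invisible leading character,
# so strip anything that is not a hex digit.
$NewThumbprint = 'PASTE-THUMBPRINT-FROM-MMC-HERE' -replace '[^0-9A-Fa-f]', ''

if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# 1. Record what AD FS is using right now, before deleting anything from the store.
$current = Get-ADFSCertificate -CertificateType Service-Communications
"AD FS currently uses service communications cert {0}" -f $current.Thumbprint

# 2. List every certificate in LocalMachine\My with the same subject, flagging
#    the live one, so the duplicate clean-up never removes the bound certificate.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $current.Certificate.Subject } |
    Sort-Object NotAfter |
    Format-Table Thumbprint, NotBefore, NotAfter, HasPrivateKey,
        @{ n = 'InUseByADFS'; e = { $_.Thumbprint -eq $current.Thumbprint } } -AutoSize

# 3. Validate the new certificate before handing it to AD FS. Each of these is
#    a condition that makes Set-ADFSCertificate fail or warn.
$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $new) {
    throw "No certificate with thumbprint $NewThumbprint in LocalMachine\My; import it there first"
}
if (-not $new.HasPrivateKey) {
    throw "Certificate has no private key; re-import the PFX including the key"
}
if ($new.NotAfter -lt (Get-Date)) {
    throw "Certificate already expired on $($new.NotAfter)"
}
$keySize = $new.PublicKey.Key.KeySize
if ($keySize -lt 2048) {
    Write-Warning "Key is only $keySize bits; AD FS will raise PS0001 and this should be replaced"
}

# 4. Bind the certificate and restart the AD FS service (PS0038).
#    In a farm, run the restart on every federation server.
Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $new.Thumbprint
Restart-Service -Name adfssrv

# 5. Confirm AD FS now reports the new thumbprint; $true means the change took.
(Get-ADFSCertificate -CertificateType Service-Communications).Thumbprint -eq $new.Thumbprint
```

Step 2 is the part worth keeping even if you never script the rest: deleting the certificate AD FS is currently bound to, rather than just the stale duplicates, is what leaves the configuration pointing at a thumbprint that no longer exists in the store, and that is the state in which the "Object reference not set to an instance of an object" error appears.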

So restart the service and, Hallelujah, it all works again!



Anonymous said...

Thanks for this article - it was right on the mark!

Unknown said...

Life SAVER!!! Thank you soooo much!
