1,304 questions
Got it worked out. I follwoed this : https://tristanwatkins.com/changing-adfs-url-windows-server-2012-r2/ and manually applied the new cert with powershell and netsh
Secondary ADFS certificate not updating during renewal
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 33%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
lamaiden774
101
Reputation points
Hello, I am hoping someone could lead me to resolve this issue.
I have renewed the SSL certificate (service communication) on the primary ADFS server but the secondary is not updating and is still showing the old certificate thumbprint.
Both servers (Win 2016) have the certificate and private key in their respective personal store. One thing I noticed is that the virtual account adfssrv does not have the read permission on the private key on the secondary but has the permission on the primary server. I am not sure if it is related.
Thank you for your help.
Microsoft Security Active Directory Federation Services
Accepted answer
-
lamaiden774 101 Reputation points
2021-07-16T15:07:06.057+00:00 -
Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee2021-07-19T12:50:39.357+00:00 NETSH is not required though.
You need to run Set-ADFSCertificate and Set-ADFSSSLCertificate. The second one is using WinRM to set the new binding on all the nodes. So you need to make sure you run the command with a domain account that has local admin privilege on all the nodes and that WinRM is configured and working.
Please mark your own answer as a solution if you feel it might help other in the same situation.
Sign in to comment -