Manage TLS/SSL certificates in AD FS and WAP in Windows Server 2016

This article describes how to deploy a new TLS/SSL certificate to your Active Directory Federation Services (AD FS) and Web Application Proxy (WAP) servers.

Note

The recommended way to replace the TLS/SSL certificate going forward for an AD FS farm is to use Microsoft Entra Connect. For more information, see Update the TLS/SSL certificate for an Active Directory Federation Services (AD FS) farm.

Obtain your TLS/SSL certificates

For production AD FS farms, a publicly trusted TLS/SSL certificate is recommended. AD FS obtains this certificate by submitting a certificate signing request (CSR) to a third party, public certificate provider. There are various ways to generate the CSR, including from a Windows 7 or higher PC. Your vendor should have documentation for this process.

Certificates needed

You should use a common TLS/SSL certificate across all AD FS and WAP servers. For detailed requirements, see AD FS and Web Application Proxy TLS/SSL certificate requirements.

TLS/SSL certificate requirements

For requirements, including naming root of trust and extensions, see AD FS and Web Application Proxy TLS/SSL certificate requirements.

Replace the TLS/SSL certificate for AD FS

Note

The AD FS TLS/SSL certificate isn't the same as the AD FS Service communications certificate found in the AD FS Management snap-in. To change the AD FS TLS/SSL certificate, you need to use PowerShell.

First, determine whether your AD FS servers run default certificate authentication binding mode or alternate client TLS binding mode.

Replace the TLS/SSL certificate for AD FS running in default certificate authentication binding mode

AD FS by default performs device certificate authentication on port 443 and user certificate authentication on port 49443 (or a configurable port that isn't 443). In this mode, use the PowerShell cmdlet Set-AdfsSslCertificate to manage the TLS/SSL certificate as shown in the following steps:

  1. First, you need to obtain the new certificate. You can get it by submitting a certificate signing request (CSR) to a third party, public certificate provider. There are various ways to generate the CSR, including from a Windows 7 or higher computer. Your vendor should have documentation for this process.

  2. After you get the response from your certificate provider, import it to the local machine store on each AD FS and WAP.

  3. On the primary AD FS server, use the following cmdlet to install the new TLS/SSL certificate:

Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'

The certificate thumbprint can be found by executing this command:

dir Cert:\LocalMachine\My\

Replace the TLS/SSL certificate for AD FS running in alternate TLS binding mode

When configured in alternate client TLS binding mode, AD FS performs device certificate authentication on port 443. It also performs user certificate authentication on port 443, on a different hostname. The user certificate hostname is the AD FS hostname prepended with certauth, for example certauth.fs.contoso.com. In this mode, use the PowerShell cmdlet Set-AdfsAlternateTlsClientBinding to manage the TLS/SSL certificate. This cmdlet manages not only the alternative client TLS binding but all other bindings on which AD FS sets the TLS/SSL certificate as well.

Use the following steps to replace your TLS/SSL certificate for AD FS running in alternate TLS binding mode.

  1. First, you need to obtain the new certificate. You can get it by submitting a certificate signing request (CSR) to a third party, public certificate provider. There are various ways to generate the CSR, including from a Windows 7 or higher computer. Your vendor should have documentation for this process.

  2. After you get the response from your certificate provider, import it to the local machine store on each AD FS and WAP.

  3. On the primary AD FS server, use the following cmdlet to install the new TLS/SSL certificate:

Set-AdfsAlternateTlsClientBinding -Thumbprint '<thumbprint of new cert>'

The certificate thumbprint can be found by executing this command:

dir Cert:\LocalMachine\My\

Other considerations for TLS/SSL certificates in default certificate authentication binding and alternate TLS binding mode

  • The Set-AdfsSslCertificate and Set-AdfsAlternateTlsClientBinding cmdlets are multi-node cmdlets, so they only have to run from the primary. The cmdlets also update all nodes in the farm. This change is new in Server 2016. On Server 2012 R2, you had to run the cmdlet on each server.
  • The Set-AdfsSslCertificate and Set-AdfsAlternateTlsClientBinding cmdlets have to run only on the primary server. The primary server has to run Server 2016, and you should raise the farm behavior level to 2016.
  • The Set-AdfsSslCertificate and Set-AdfsAlternateTlsClientBinding cmdlets use PowerShell Remoting to configure the other AD FS servers, make sure port 5985 (TCP) is open on the other nodes.
  • The Set-AdfsSslCertificate and Set-AdfsAlternateTlsClientBinding cmdlets grant the adfssrv principal read permissions to the private keys of the TLS/SSL certificate. This principal represents the AD FS service. It's not necessary to grant the AD FS service account read access to the private keys of the TLS/SSL certificate.

Replace the TLS/SSL certificate for the Web Application Proxy

If you want to configure both, the default certificate authentication binding or alternate client TLS binding mode on the WAP, you can use the Set-WebApplicationProxySslCertificate cmdlet. To replace the WAP TLS/SSL certificate on each WAP server, use the following cmdlet to install the new TLS/SSL certificate:

Set-WebApplicationProxySslCertificate -Thumbprint '<thumbprint of new cert>'

If the above cmdlet fails because the old certificate has already expired, reconfigure the proxy by using the following cmdlets:

$cred = Get-Credential

Enter the credentials of a domain user who is local administrator on the AD FS server

Install-WebApplicationProxy -FederationServiceTrustCredential $cred -CertificateThumbprint '<thumbprint of new cert>' -FederationServiceName 'fs.contoso.com'