Since the update to the ADFS certificates everything had been fine, until I noticed we had no 443 binding on the ADFS WAP server. Bear in mind there is no IIS on a WAP server, so you need PowerShell (and netsh) to fix ADFS WAP servers. Start with:
Get-WebApplicationProxySslCertificate
On the broken WAP server this shows:
HostName PortNumber CertificateHash
-------- ---------- ---------------
49443
It should look like this:
HostName PortNumber CertificateHash
-------- ---------- ---------------
443
49443
What is going on here? We seem to be down a mapping, so let's fix this. First look at the HTTP.sys bindings with the command:
netsh http show sslcert
You get this:
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash :
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Hostname:port : :49443
Certificate Hash :
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
Hmmm, ignoring the 0.0.0.0:443 IP binding, there is no ADFS hostname binding listening on TCP 443, so that is what we need to fix. This is the entry that is missing; the values we need to recreate it are the Certificate Hash, Application ID, Certificate Store Name and Ctl Store Name:
Hostname:port : :443
Certificate Hash :
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
So, let's get this added back. This is the command (hostnameport takes the federation service host name and port):
add sslcert hostnameport=<url:port> certhash= appid= certstorename= sslctlstorename=
So add the data from above into this command and you get this:
add sslcert hostnameport=adfs.fakedomain.com:443 certhash=660edcfc4c8aea6ed94ca418f751111111111111 appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY sslctlstorename=AdfsTrustedDevices
To use this you need to enter the netsh http context first, so you are in the right place to ADD an SSLCERT (alternatively prefix the command with "netsh http" and run it from a single elevated prompt):
1. netsh
2. http
Then enter the add sslcert command; netsh will report "successful".
Then when you run this command again:
netsh http show sslcert
You will notice the hostname TCP:443 binding is back, yayyy:
Hostname:port : :443
Certificate Hash :
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
You will also notice when you run this:
Get-WebApplicationProxySslCertificate
You get both bindings back:
HostName PortNumber CertificateHash
-------- ---------- ---------------
443
49443
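As an added example (not from the original post), here is a PowerShell script that automates the check and the fix above: it parses netsh http show sslcert into objects, reports whether the hostname:443 binding is present and, if not, rebuilds it from the surviving :49443 binding. The host name and the AdfsTrustedDevices store name come from the post; the function names and the parsing are assumptions of mine and expect the English netsh output shown above.

```powershell
# Added example, not from the original post. Parses 'netsh http show sslcert'
# on an ADFS WAP server, checks for the hostname:443 binding and, if it is
# missing, rebuilds it from the surviving hostname:49443 binding.
# Assumptions: English netsh labels as shown in the post, elevated prompt,
# and the federation host name below is a placeholder taken from the post.
$FederationHost = 'adfs.fakedomain.com'

# Turn the netsh text into one object per binding (keys are netsh's labels).
function Get-HttpSslBinding {
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [ordered]@{ Kind = $Matches[1]; Endpoint = $Matches[2] }
        }
        elseif ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($current) { $bindings += $current }
    $bindings | ForEach-Object { [pscustomobject]$_ }
}

# Detect the missing binding and rebuild it; -ReportOnly just prints the
# netsh command that would be run so you can review it first.
function Repair-AdfsWapSslBinding {
    param([string]$HostName = $FederationHost, [switch]$ReportOnly)
    $all = Get-HttpSslBinding | Where-Object Kind -eq 'Hostname:port'
    $ref = $all | Where-Object Endpoint -like '*:49443' | Select-Object -First 1
    if (-not $ref) { throw 'No hostname:49443 binding found; nothing to copy from.' }
    if ($all | Where-Object Endpoint -like '*:443') {
        Write-Output 'hostname:443 binding already present, nothing to do.'
        return
    }
    $netshArgs = @(
        'http', 'add', 'sslcert',
        "hostnameport=${HostName}:443",
        "certhash=$($ref.'Certificate Hash')",            # same cert as 49443
        "appid=$($ref.'Application ID')",                 # same ADFS app id
        "certstorename=$($ref.'Certificate Store Name')",
        'sslctlstorename=AdfsTrustedDevices'              # CTL store from the post
    )
    if ($ReportOnly) { Write-Output "netsh $($netshArgs -join ' ')"; return }
    & netsh @netshArgs
}

Repair-AdfsWapSslBinding -ReportOnly
```

Drop -ReportOnly once the printed command matches the missing entry above; the 49443 binding is used as the source because it is the one that survived the certificate update.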