Lucky Tham


ADFS Certificate Issue

Hi,

I encountered this error with my app: the cert is expired. We've renewed it but still can't get the app to work. See attached error for your kind advice. Tks.
1.jpg
Ivan

Hi,

Have you tried to rerun Update from Federation Metadata after you have imported the new certificate, with nothing to change, just Next, Next...? Restart the ADFS service?

Regards,
Ivan.
Lucky Tham

ASKER

Yes, I've tried everything you mentioned. Tks.
Hi,

I've tried again and am getting this error, for your kind advice. Tks.


C:\Windows\system32> Update-AdfsRelyingPartyTrust -TargetName "Fiori"
WARNING: PS0020: Cannot update the relying party trust with name:Fiori since there is no MetadataUrl

Why is Update from Federation Metadata greyed out, so that I need to run it in PowerShell? See attached screenshot.

Tks.

Lucky
update_FM.jpg
If you create the RPT manually, you can't update it through PowerShell.
Please check your application web.config file.
After checking, what should I do? Pls advise. Tks.
Where are the application web.config files? After finding it, how do I fix the ADFS certificate expired issue on the third app as per the previous screenshot? Tks.
web.config can be found in your Application (Website) parent folder.
In ADFS, which certificate is expired?
Did you renew it?
Is it possible to share the Get-AdfsCertificate output?

If you've replaced your token-signing ADFS certificate, you need to update the new certificate thumbprint in the application config file also claim
Can you share a bit more with me about ADFS, as I've never set it up or used it before? This is my first time working with it.

1. Did you renew it? Yes, my colleague renewed it manually while I was standing there watching.

2. Is it possible to share the Get-AdfsCertificate output? Sure. Will update you with the output tomorrow. Is this the command,
get-adfscertificate, to run in PowerShell?

3. Token-signing ADFS cert, update new cert and thumbprint? Can you kindly provide me the step-by-step with some screenshots for my easy understanding and learning?

4. Application (Website) parent folder? Kindly provide me the path?

5. I observed my colleague needed to export two certificates to the app developer to import into their mobile leave application. How does it work, and how does it verify the certificate?

6. Can you provide some links and videos for learning best practice to set up ADFS?


Tks.

Lucky
1. Did you renew it? Yes, my colleague renewed it manually while I was standing there watching.
Which certificate did he renew? Service, Token-Signing or Token-Decrypting?

2. Is it possible to share the Get-AdfsCertificate output? Sure. Will update you with the output tomorrow. Is this the command,
get-adfscertificate, to run in PowerShell?
Yes, it will.

3. Token-signing ADFS cert, update new cert and thumbprint? Can you kindly provide me the step-by-step with some screenshots for my easy understanding and learning?
You can open the web.config file in Notepad, find the old certificate thumbprint and replace it with the new one.

4. Application (Website) parent folder? Kindly provide me the path?
Check your IIS Manager or ask your application team.

5. I observed my colleague needed to export two certificates to the app developer to import into their mobile leave application. How does it work, and how does it verify the certificate?
You can provide either the certificates, the metadata file or the metadata URL to update at the partner end.
If the app server is in your own domain, then you can ask your dev team to update the thumbprint of the new certificate.

6. Can you provide some links and videos for learning best practice to set up ADFS?
You can refer to this link to set up your own ADFS lab.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/set-up-the-lab-environment-for-ad-fs-in-windows-server-2012-r2
Will check and update you tmr. Thanks for the kind advice and help. Sunil
Hi Sunil,

1. Not sure how to check on the ADFS.

2. PS C:\Windows\system32> Get-AdfsCertificate


Certificate     : [Subject]
                    CN=XXXXXX.COM.XX, O=XXXXXX, L=XXXXXX, C=XXXXX

                  [Issuer]
                    CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only",
                  OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US

                  [Serial Number]
                    52B67F67D4D43DF10000000050DD3267

                  [Not Before]
                    06/07/2017 3:45:29 PM

                  [Not After]
                    23/10/2019 4:15:27 PM

                  [Thumbprint]
                    FEB8A5573DA5D3D77EB881C09FFDFE8293AA7618

CertificateType : Service-Communications
IsPrimary       : True
StoreLocation   : LocalMachine
StoreName       : My
Thumbprint      : FEB8A5573DA5D3D77EB881C09FFDFE8293AA7618

Certificate     : [Subject]
                    CN=ADFS Encryption - XXXX.XXXX.COM.XX

                  [Issuer]
                    CN=ADFS Encryption - XXXX.XXXX.COM.XX

                  [Serial Number]
                    1FEFA1CDFEA3C7B04292682F0875984B

                  [Not Before]
                    03/07/2018 4:29:36 PM

                  [Not After]
                    03/07/2019 4:29:36 PM

                  [Thumbprint]
                    5328893A77C667DF03C725836CD57B9D4FE8547F

CertificateType : Token-Decrypting
IsPrimary       : True
StoreLocation   : CurrentUser
StoreName       : My
Thumbprint      : 5328893A77C667DF03C725836CD57B9D4FE8547F

Certificate     : [Subject]
                    CN=ADFS Signing - XXXX.XXXX.COM.XX
                  [Issuer]
                    CN=ADFS Signing - XXXX.XXXX.COM.XX

                  [Serial Number]
                    2ED75E9E2C7ABEBA436B22A855BDF2C8

                  [Not Before]
                    03/07/2018 4:29:37 PM

                  [Not After]
                    03/07/2019 4:29:37 PM

                  [Thumbprint]
                    27EE6561ADDAA636969349ACA362B60E8A948682

CertificateType : Token-Signing
IsPrimary       : True
StoreLocation   : CurrentUser
StoreName       : My
Thumbprint      : 27EE6561ADDAA636969349ACA362B60E8A948682

Certificate     : [Subject]
                    CN=ADFS Encryption - XXXX.XXXX.COM.XX

                  [Issuer]
                    CN=ADFS Encryption - XXXXX.XXXX.COM.XX

                  [Serial Number]
                    2905DDEB28CC89AD4737F50306750A17

                  [Not Before]
                    07/07/2017 2:24:56 PM

                  [Not After]
                    07/07/2018 2:24:56 PM

                  [Thumbprint]
                    FCA7EDB60DDF6046BCD3B580C8E25577EB7918CE

CertificateType : Token-Decrypting
IsPrimary       : False
StoreLocation   : CurrentUser
StoreName       : My
Thumbprint      : FCA7EDB60DDF6046BCD3B580C8E25577EB7918CE

Certificate     : [Subject]
                    CN=ADFS Signing - XXXX.XXXX.COM.XX
                  [Issuer]
                    CN=ADFS Signing - XXXX.XXXX.COM.XX

                  [Serial Number]
                    5288A43F80F578B24C3B73DF007B57B4

                  [Not Before]
                    07/07/2017 2:24:58 PM

                  [Not After]
                    07/07/2018 2:24:58 PM

                  [Thumbprint]
                    45E6FDAD7B4D7F7670BD10BD2F4890DB5F971AC5

CertificateType : Token-Signing
IsPrimary       : False
StoreLocation   : CurrentUser
StoreName       : My
Thumbprint      : 45E6FDAD7B4D7F7670BD10BD2F4890DB5F971AC5
Hi,

I am working with the app developer; he needs me to upload the metadata_1.xml and set it to SHA-1 on the ADFS server. Then he will try to run http://myportal.com to access the leave and salary portal. See attached screenshot.

I still can't get it to work and don't understand the logic for troubleshooting this issue. Any advice? Tks.
2.jpeg
Actually, it is the certificate XML being generated using the wrong FQDN.
https://YOUR_ADFS_SERVER/FederationMetadata/2007-06/FederationMetadata.xml

Browse the above URL to get the metadata, save the metadata.xml and share it with your app team, or you can directly share the URL with them.
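A way to verify the two pieces of advice in this thread (update the thumbprint in web.config; hand the app team the FederationMetadata.xml) before touching production. This is an added example, not code from the thread or from Microsoft: it parses a federation metadata document, computes the SHA-1 thumbprint of each signing certificate the way Get-AdfsCertificate displays it, and reports which thumbprints a WIF application's web.config trusts that ADFS no longer publishes. The metadata, web.config, entityID and certificate bytes are constructed placeholders; OLD_THUMB is the expired Token-Signing thumbprint from the Get-AdfsCertificate output posted above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def signing_thumbprints(metadata_xml):
    """SHA-1 thumbprints (upper-case hex, as Get-AdfsCertificate shows them) of every
    certificate the metadata publishes under a KeyDescriptor used for signing."""
    thumbs = []
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))  # element holds base64 DER
            thumbs.append(hashlib.sha1(der).hexdigest().upper())  # thumbprint = SHA-1 over DER
    return list(dict.fromkeys(thumbs))  # same cert appears under several role descriptors

def trusted_thumbprints(web_config_xml):
    """Thumbprints a WIF app trusts: <issuerNameRegistry><trustedIssuers><add thumbprint=.../>."""
    root = ET.fromstring(web_config_xml)
    return [add.get("thumbprint").replace(" ", "").upper()
            for ti in root.iter("trustedIssuers") for add in ti.iter("add") if add.get("thumbprint")]

def check_trust(metadata_xml, web_config_xml):
    """Return (stale, missing): thumbprints the app trusts that ADFS no longer publishes,
    and signing thumbprints ADFS publishes that the app does not trust yet."""
    published, trusted = signing_thumbprints(metadata_xml), trusted_thumbprints(web_config_xml)
    return ([t for t in trusted if t not in published], [t for t in published if t not in trusted])

# Constructed sample data: FAKE_DER is a placeholder, not a real certificate; only the
# SHA-1-over-DER relationship matters here. OLD_THUMB is the expired Token-Signing
# thumbprint from the Get-AdfsCertificate output in this thread.
FAKE_DER = b"constructed placeholder, not a real ADFS token-signing certificate"
NEW_THUMB = hashlib.sha1(FAKE_DER).hexdigest().upper()
OLD_THUMB = "45E6FDAD7B4D7F7670BD10BD2F4890DB5F971AC5"
METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example/adfs/services/trust">
  <IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data><X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>"""
WEB_CONFIG = f"""<configuration><system.identityModel><identityConfiguration><issuerNameRegistry>
  <trustedIssuers><add thumbprint="{OLD_THUMB}" name="http://adfs.example/adfs/services/trust"/></trustedIssuers>
</issuerNameRegistry></identityConfiguration></system.identityModel></configuration>"""

if __name__ == "__main__":
    stale, missing = check_trust(METADATA, WEB_CONFIG)
    print("stale thumbprints still in web.config:", stale)
    print("published signing thumbprints to add:", missing)
```

Run it against the real FederationMetadata.xml downloaded from the URL above and the application's web.config; a non-empty first list is the "cert expired" symptom, and the second list is what the old thumbprint must be replaced with.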