How to update ADFS Certificate in Windows 2012 R2

Over the last week I had to change some certificates on a few ADFS solutions. The servers were all built with internal certificates for testing, but now need production third-party certificates.

The steps to change a certificate with IIS are simple, however the new ADFS no longer requires IIS.

The following process outlines the steps to change the SSL certificate on ADFS without IIS.

First we need the correct SSL certificate. The SSL certificate must have the following:

Valid domain name:

The FQDN must be valid in the certificate for the ADFS site. You can use a wildcard certificate if required.

Private Key:

ADFS needs to have the private key to function correctly.

Once we have the certificate, the next step is to import it into the correct store on the machines hosting ADFS. Here I will only import the certificate into one server; this needs to be done on all servers hosting ADFS.

Open a PowerShell prompt with administrator rights on the ADFS server and type the following. Replace $ServerCertHostName with the name of your PFX file. The certificate goes into the computer's Personal (My) store, which is where ADFS looks for it:

$mypwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force

Import-PfxCertificate -FilePath .\$ServerCertHostName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd

Example:

PS C:\Windows\system32> $mypwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force

PS C:\Windows\system32> Import-PfxCertificate -FilePath .\$ServerCertHostName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd

To view the certificates installed in your server's local store, run the following command in the PowerShell prompt. Check that your certificate is there and that it has the private key.

Get-ChildItem -Path Cert:\LocalMachine\My | fl -Property FriendlyName, HasPrivateKey, Subject, Thumbprint, Issuer, NotAfter, NotBefore

Example:

FriendlyName  : Go Daddy Wild Card SSL
HasPrivateKey : True
Subject       : CN=*.domain.test, OU=Domain Control Validated
Thumbprint    : D3561AD0AD3831BE2231B97CB40AC5EF21F5C919
Issuer        : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.",
                L=Scottsdale, S=Arizona, C=US
NotAfter      : 28/01/2015 5:11:40 PM
NotBefore     : 23/01/2014 9:49:03 AM

Next, we need to add the certificate to ADFS. On the ADFS server open a PowerShell prompt and run the following (the first command sets the service communications certificate, the second updates the HTTP.SYS SSL binding):

$CertificateFriendlyName = "Go Daddy Wild Card SSL"

$CertificateThumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $CertificateFriendlyName }).Thumbprint

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint

Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint

Example:

PS C:\Windows\system32> $CertificateFriendlyName = "Go Daddy Wild Card SSL"
$CertificateThumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $CertificateFriendlyName }).Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint

WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server
 in the farm.

PS C:\Windows\system32> Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint

PS C:\Windows\system32>

Finally, restart the ADFS service. In the PowerShell prompt type:

Restart-Service adfssrv

Get-Service adfssrv

Example:

PS C:\Windows\system32> Restart-Service adfssrv
Get-Service adfssrv

WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...

Status   Name               DisplayName
------   ----               -----------
Running  adfssrv            Active Directory Federation Services

Once all has been completed, open a browser and test with the following URL (replace <youradfssitefqdn> with the FQDN of your federation service); the browser should show the new certificate without warnings:

https://<youradfssitefqdn>/adfs/ls/idpinitiatedsignon.aspx
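The whole procedure above as one script, with the checks I would want before switching a production federation service over: private key present, validity period, FQDN covered by the certificate's DNS names, chain and Server Authentication EKU, and confirmation after the restart that ADFS actually uses the new thumbprint. This is an added example, not code from the original post; $PfxPath and $AdfsFqdn are placeholders you must change, and the PFX password is prompted for rather than hard-coded.

```powershell
# Added example (not from the original post): replace the ADFS SSL and
# service communications certificate on one Windows 2012 R2 federation
# server, with pre-flight and post-change checks.
# Assumptions: $PfxPath and $AdfsFqdn are placeholders to replace.
param(
    [string]$PfxPath       = 'C:\certs\adfs-prod.pfx',   # assumed PFX location
    [string]$AdfsFqdn      = 'adfs.domain.test',         # assumed federation service FQDN
    [int]   $MinDaysValid  = 30
)

# Prompt for the PFX password so it never lands in the script, the
# PowerShell history or a transcript.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import into the computer's Personal (My) store; ADFS only binds
#    certificates from this store. Leaving out -Exportable means the key
#    cannot simply be exported again from the store later.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 2. Validate the certificate before pointing ADFS at it.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; ADFS cannot use it."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
    Write-Warning "Certificate expires on $($cert.NotAfter), less than $MinDaysValid days away."
}

# The FQDN must be covered by the certificate's DNS names (DnsNameList holds
# the SANs plus the CN). -like treats '*' as a wildcard, so '*.domain.test'
# matches 'adfs.domain.test'. It is looser than real wildcard matching (it
# would also match 'a.b.domain.test'), which is fine for a pre-flight check.
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$matched  = $dnsNames | Where-Object { $AdfsFqdn -like $_ }
if (-not $matched) {
    throw "Certificate names [$($dnsNames -join ', ')] do not cover $AdfsFqdn."
}

# Chain, revocation and Server Authentication EKU check (PKI module).
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $AdfsFqdn -ErrorAction SilentlyContinue)) {
    Write-Warning 'Test-Certificate failed (untrusted chain, revocation or EKU); check that the intermediate CA certificates are installed on this server.'
}

# 3. Bind the certificate to ADFS: service communications and the HTTP.SYS
#    SSL binding. The ADFS service account needs read access to the private
#    key; Set-AdfsCertificate reports an error if it does not.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint

# 4. Restart the service and confirm both bindings now use the new thumbprint.
Restart-Service adfssrv
Get-Service adfssrv

$svcComm = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$sslBind = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -eq $cert.Thumbprint }
if ($svcComm -ne $cert.Thumbprint -or -not $sslBind) {
    throw "ADFS is not using $($cert.Thumbprint): service-communications=$svcComm, matching SSL bindings=$(@($sslBind).Count)"
}
Write-Output "ADFS on $env:COMPUTERNAME now uses $($cert.Thumbprint) (expires $($cert.NotAfter)). Repeat on every farm member."
```

Run it from an elevated PowerShell prompt on each federation server in the farm, as the post says; Set-AdfsSslCertificate only changes the binding on the server it runs on. The post-change check is the part worth keeping even if you run the commands by hand: Get-AdfsCertificate and Get-AdfsSslCertificate tell you what ADFS is really serving, independent of what the certificate store contains.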

Hyper-V did not find virtual machines to import

When doing some exports and imports of VMs using Hyper-V I found an issue related to security. When System Centre VMM is used in the environment, a security ID is placed on all VMs. This security ID stops you from importing the VM into Hyper-V.

When importing via the GUI you get the following message:

[Image: Hyper-V import error dialog]

While doing some testing I found the following section inside the virtual machine configuration file.

<security>
<sd type="string">O:S-1-0-0D:(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-4026737508-1815974660-2349268802-1111)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-4026737508-1815974660-2349268802-1109)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-4026737508-1815974660-2349268802-1107)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-4026737508-1815974660-2349268802-1110)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-4026737508-1815974660-2349268802-1105)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;DA)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-4026737508-1815974660-2349268802-1104)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-4026737508-1815974660-2349268802-500)</sd>
</security>

The quick fix is to remove this security element from the XML configuration file.

I have also found that this happens when you remove a Hyper-V host from a domain or VMM structure without first removing the virtual machines. In this case Hyper-V will report no virtual machines found on the Hyper-V server. To correct this, remove the security element from the configuration files and refresh Hyper-V Manager. The virtual machines will all appear again.
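The value inside <sd> is an SDDL security descriptor, so before deleting it you can decode it and see which principals were granted rights on the VM; an orphaned SID that no longer resolves (host removed from the domain) is exactly the situation the post describes. The script below is an added example, not code from the original post: it decodes the descriptor with the .NET RawSecurityDescriptor class (available on the PowerShell 4.0 that ships with 2012 R2), then removes the <security> element from a configuration file after taking a backup. The sample SDDL and the domain SID in it are constructed; the configuration file path is a placeholder.

```powershell
# Added example (not from the original post): inspect the <security> element
# of a Hyper-V 2012 R2 VM configuration file, then remove it with a backup.

function Show-VmSecurityDescriptor {
    param([Parameter(Mandatory)][string]$Sddl)

    # RawSecurityDescriptor parses SDDL without needing ConvertFrom-SddlString
    # (which only arrived with PowerShell 5.1).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    Write-Output "Owner: $($sd.Owner)"
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Resolve the SID to an account when this host can still do so; an
        # unresolvable SID is itself the symptom worth noting.
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '<unresolved>' }
        $objectType = if ($ace -is [System.Security.AccessControl.ObjectAce]) { $ace.ObjectAceType } else { $null }
        [pscustomobject]@{
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)   # 0x1 = CC (create child)
            ObjectType = $objectType
            Sid        = $sid.Value
            Account    = $account
        }
    }
}

function Remove-VmSecurityElement {
    param([Parameter(Mandatory)][string]$Path)

    # Keep a copy so the original configuration can be restored.
    $backup = "$Path.bak"
    Copy-Item -Path $Path -Destination $backup -Force

    [xml]$doc = Get-Content -Path $Path -Raw
    $node = $doc.SelectSingleNode('//security')
    if ($null -eq $node) {
        Write-Output "No <security> element in $Path; nothing to do."
        return
    }
    # Show what is being removed before removing it.
    Show-VmSecurityDescriptor -Sddl $node.SelectSingleNode('sd').InnerText | Format-Table -AutoSize
    $null = $node.ParentNode.RemoveChild($node)
    $doc.Save($Path)
    Write-Output "Removed <security> from $Path (backup at $backup)."
}

# Constructed sample in the same shape as the post's descriptor: owner S-1-0-0
# (Nobody) and two object ACEs granting CC on the same object type, one to a
# made-up domain SID and one to BUILTIN\Administrators (S-1-5-32-544).
$sampleSddl = 'O:S-1-0-0D:(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-111-222-333-1104)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-32-544)'
Show-VmSecurityDescriptor -Sddl $sampleSddl | Format-Table -AutoSize

# On a real host, with the VM powered off, point at its configuration XML
# (placeholder path; the file is named after the VM's GUID):
# Remove-VmSecurityElement -Path 'D:\Hyper-V\Virtual Machines\<vm-guid>.xml'
```

Decoding first matters because the same descriptor is what lets VMM scope who may manage the VM; if the host is still managed by VMM, removing it only moves the problem. The backup copy is what you restore if Hyper-V Manager refuses the edited file.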

Windows Server 2012 Now Available in the Windows Azure Virtual Machine Gallery

Windows Server 2012 has been added to the Azure platform. Check out the link below for more info.

http://blogs.msdn.com/b/windowsazure/archive/2012/08/16/windows-server-2012-now-available-in-the-windows-azure-virtual-machine-gallery.aspx

Windows 8 has been released to manufacturing

As of today Windows 8 has been released to manufacturing (RTM)!

  • August 15th: Developers will be able to download the final version of Windows 8 via their MSDN subscriptions.
  • August 15th: IT professionals testing Windows 8 in organizations will be able to access the final version of Windows 8 through their TechNet subscriptions.
  • August 16th: Customers with existing Microsoft Software Assurance for Windows will be able to download Windows 8 Enterprise edition through the Volume License Service Center (VLSC), allowing you to test, pilot and begin adopting Windows 8 Enterprise within your organization.
  • August 16th: Microsoft Partner Network members will have access to Windows 8.
  • August 20th: Microsoft Action Pack Providers (MAPS) receive access to Windows 8.
  • September 1st: Volume License customers without Software Assurance will be able to purchase Windows 8 through Microsoft Volume License Resellers.

Windows Server 2012 Arrives September 4

Windows Server 2012 has been released to manufacturing, too. That means the final code is complete and Microsoft will deliver the “brand new OS” to hardware and software vendors & partners this week. Good news for MSDN and TechNet subscribers and MS Partners, as Microsoft will also make the software available to their volume licensing customers in the next couple of weeks.

Windows 8 and Windows Server 2012 are on track to Release to Manufacturing (RTM) in the first week of August

At the World Partner Conference, Microsoft has provided details about the release dates for Windows 8 and Windows Server 2012.

More details about Windows 8 here: http://windowsteamblog.com/windows/b/bloggingwindows/archive/2012/07/09/upcoming-windows-milestones-shared-with-partners-at-wpc.aspx

Windows 8 RTM, first week of August with general availability in late October.

More details about Windows 2012 here: http://blogs.technet.com/b/windowsserver/archive/2012/07/09/windows-server-2012-final-release-timing.aspx

Windows 2012 RTM, first week of August and generally available to customers through multiple channels in September.

Windows Server 2012 Editions

Microsoft has released the Windows Server 2012 editions; see this link for more details: http://www.microsoft.com/en-us/server-cloud/windows-server/2012-editions.aspx


Licensing Overview

Windows Server 2012 delivers a dramatically simplified licensing experience. Shaped by feedback from customers and partners, the new Windows Server licensing approach will help make choosing the right Windows Server easier while delivering the following benefits.

Simple

It’s easier than ever to determine the right Windows Server edition for you. Choose from just four editions of Windows Server 2012, based on the size of your organization and your requirements for virtualization and cloud computing.

Economical

All editions of Windows Server 2012 deliver excellent economics and ROI for your business. For example, Datacenter edition with unlimited virtualization rights provides the benefits of cloud-level scale with predictable, lower costs. Standard edition now offers all of the same enterprise-class features as Datacenter and is differentiated only by virtualization rights.

Cloud-optimized

Businesses today are rapidly adopting a hybrid approach across private and public cloud computing. Windows Server 2012 offers the right edition for you, no matter where you are on your path to the cloud; Datacenter edition for highly virtualized cloud environments, Standard edition for lightly virtualized environments progressing toward cloud, or Essentials edition for an ideal cloud-connected first server.

Editions Overview

Edition | Ideal for | High-level feature comparison | Licensing model
Datacenter | Highly virtualized private & hybrid cloud environments | Full Windows Server functionality with unlimited virtual instances | Processor + CAL
Standard | Low density or non-virtualized environments | Full Windows Server functionality with two virtual instances | Processor + CAL
Essentials | Small business environments | Simpler interface, pre-configured connectivity to cloud based services; no virtualization rights | Server (25 User Account Limit)
Foundation | Economical general purpose server | General purpose server functionality with no virtualization rights | Server (15 User Account Limit)

Windows 2012 Jump Start Videos

Microsoft has released the Jump Start videos for Windows Server 2012: http://borntolearn.mslearn.net/btl/b/weblog/archive/2012/06/27/videos-published-windows-server-2012-jump-start-spread-the-word.aspx

Links to Every Module from this Jump Start
The HD-quality video recordings of this course are published to TechNet Edge and are highly recommended. Windows Server 2012 is a game-changing release for so many reasons and this course will help experienced IT Pros truly understand why — check it out!

• Windows Server 2012 Jump Start (01): Core Hyper-V
• Windows Server 2012 Jump Start (02a): Virtualization Infrastructure, Part 1
• Windows Server 2012 Jump Start (02b): Virtualization Infrastructure, Part 2
• Windows Server 2012 Jump Start (03a): Storage Architecture, Part 1
• Windows Server 2012 Jump Start (03b): Storage Architecture, Part 2
• Windows Server 2012 Jump Start (04): Continuous Availability
• Windows Server 2012 Jump Start (05a): Multi-Server Management, Part 1
• Windows Server 2012 Jump Start (05b): Multi-Server Management, Part 2
• Windows Server 2012 Jump Start (06a): Security and Access, Part 1
• Windows Server 2012 Jump Start (06b): Security and Access, Part 2
• Windows Server 2012 Jump Start (07): Remote Connectivity and Networking
• Windows Server 2012 Jump Start (08): IIS, DHCP and IPAM