How to update ADFS Certificate in Windows 2012 R2

Over the last week I had to change some certificates on a few ADFS solutions. The servers were all built with internal certificates for testing, but now need production 3rd party certificates.

The steps to change a certificate with IIS are simple; however, the new ADFS no longer requires IIS.

The following process outlines the steps to change the SSL certificate on ADFS without IIS.

First we need to have the correct SSL certificate. The SSL certificate must have the following:

Valid domain name:

The FQDN must be valid in the certificate for the ADFS site. You can use a wildcard certificate if required.

Private Key:

ADFS needs to have the private key to function correctly.

Once we have the certificate, the next step is to import it into the correct store on the machines hosting ADFS. Here I will only import the certificate into one server; this needs to be done on all servers hosting ADFS.

Open a PowerShell prompt with administrator rights on the ADFS server and type the following:

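# Set $ServerCertHostName to the base name of your .pfx file first.
$mypwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force

# Import into the local machine Personal (My) store, the store the commands below read from.
Import-PfxCertificate -FilePath .\$ServerCertHostName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd

Example:

PS C:\Windows\system32> $mypwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force

PS C:\Windows\system32> Import-PfxCertificate -FilePath .\$ServerCertHostName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd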

To view the certificates installed in your server’s local store, run the following command in the PowerShell prompt. Check that your certificate is there and that it has the private key.

Get-ChildItem -Path Cert:\LocalMachine\My | Format-List -Property FriendlyName, HasPrivateKey, Subject, Thumbprint, Issuer, NotAfter, NotBefore

Example:

FriendlyName  : Go Daddy Wild Card SSL
HasPrivateKey : True
Subject       : CN=*.domain.test, OU=Domain Control Validated
Thumbprint    : D3561AD0AD3831BE2231B97CB40AC5EF21F5C919
Issuer        : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.",
                L=Scottsdale, S=Arizona, C=US
NotAfter      : 28/01/2015 5:11:40 PM
NotBefore     : 23/01/2014 9:49:03 AM

Next, we need to add the certificate to ADFS. On the ADFS server open a PowerShell prompt and run the following:

$CertificateFriendlyName = "Go Daddy Wild Card SSL"
$CertificateThumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {($_.FriendlyName -eq $CertificateFriendlyName) }).Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint
Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint

Example:

PS C:\Windows\system32> $CertificateFriendlyName = "Go Daddy Wild Card SSL"
$CertificateThumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {($_.FriendlyName -eq $CertificateFriendlyName) }).Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertificateThumbprint

WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.

PS C:\Windows\system32> Set-AdfsSslCertificate -Thumbprint $CertificateThumbprint

PS C:\Windows\system32>

Finally, restart your ADFS service.

In the PowerShell prompt type:

Restart-Service adfssrv
Get-Service adfssrv

Example:

PS C:\Windows\system32> Restart-Service adfssrv
Get-Service adfssrv

WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...

Status   Name               DisplayName
------   ----               -----------
Running  adfssrv            Active Directory Federation Services

Once all has been completed, open a browser and try the following URL:

https://<youradfssitefqdn>/adfs/ls/idpinitiatedsignon.aspx
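
The checks below are an added example, not part of the original post: they validate the certificate before it is bound and confirm afterwards that ADFS is actually using it. The thumbprint is the sample value shown above, and the helper name Test-NameMatch is hypothetical.

```powershell
# Added example: checks to run around the certificate swap described above.
# The thumbprint is the sample value shown on this page; substitute your own.
$Thumbprint = 'D3561AD0AD3831BE2231B97CB40AC5EF21F5C919'
$AdfsHost   = (Get-AdfsProperties).HostName   # federation service FQDN

function Test-NameMatch {
    param([string]$Pattern, [string]$HostName)
    # A wildcard covers exactly one left-most label: *.domain.test matches
    # sts.domain.test, but not a.sts.domain.test and not domain.test.
    if ($Pattern.StartsWith('*.')) {
        $label = $HostName.Split('.')[0]
        return ($label.Length -gt 0) -and ($HostName -ieq ($label + $Pattern.Substring(1)))
    }
    return ($Pattern -ieq $HostName)
}

# --- Before Set-AdfsCertificate / Set-AdfsSslCertificate ---
$cert     = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$now      = Get-Date
$names    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'private key missing' }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }
if (-not ($names | Where-Object { Test-NameMatch $_ $AdfsHost })) {
    $problems += "no certificate name covers $AdfsHost"
}
# A server certificate must not end up in the Trusted Root store.
if (Test-Path -Path "Cert:\LocalMachine\Root\$Thumbprint") {
    $problems += 'certificate is also present in LocalMachine\Root'
}
if ($problems.Count -gt 0) { throw "Do not bind this certificate: $($problems -join '; ')" }

# --- After the service restart ---
$bound  = @((Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint)
$bound += @(Get-AdfsSslCertificate | ForEach-Object { $_.CertificateHash })
$stale  = @($bound | Where-Object { $_ -ne $Thumbprint } | Select-Object -Unique)
if ($stale.Count -gt 0) {
    Write-Warning "Still bound to old certificate(s): $($stale -join ', ')"
} else {
    Write-Output "Service-Communications and all SSL bindings use $Thumbprint"
}
```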

Azure/WAP: System.MethodAccessException: Attempt by security transparent method

 

While working on Windows Azure Pack Web Sites, I found a problem publishing an MVC5 site. When you attempt to upload an MVC5 web application to Windows Azure or Windows Azure Pack you may see the error “Attempt by security transparent method ‘System.Web.WebPages.Administration.SiteAdmin.RegisterAdminModule()’ to access security critical method ‘System.Web.WebPages.ApplicationPart..ctor(System.Reflection.Assembly, System.String)’ failed.”

I had to perform the following steps to resolve this:

1. Install the package

From the Package Manager Console run the following command:

Install-Package -Id Microsoft.AspNet.WebHelpers

2. Change the deployment options to remove additional files.


Complete Error:

Attempt by security transparent method ‘System.Web.WebPages.Administration.SiteAdmin.RegisterAdminModule()’ to access security critical method ‘System.Web.WebPages.ApplicationPart..ctor(System.Reflection.Assembly, System.String)’ failed.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.MethodAccessException: Attempt by security transparent method ‘System.Web.WebPages.Administration.SiteAdmin.RegisterAdminModule()’ to access security critical method ‘System.Web.WebPages.ApplicationPart..ctor(System.Reflection.Assembly, System.String)’ failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace:

 

[MethodAccessException: Attempt by security transparent method ‘System.Web.WebPages.Administration.SiteAdmin.RegisterAdminModule()’ to access security critical method ‘System.Web.WebPages.ApplicationPart..ctor(System.Reflection.Assembly, System.String)’ failed.]

   System.Web.WebPages.Administration.SiteAdmin.RegisterAdminModule() +44

   System.Web.WebPages.Administration.PreApplicationStartCode.Start() +22

 

[InvalidOperationException: The pre-application start initialization method Start on type System.Web.WebPages.Administration.PreApplicationStartCode threw an exception with the following error message: Attempt by security transparent method ‘System.Web.WebPages.Administration.SiteAdmin.RegisterAdminModule()’ to access security critical method ‘System.Web.WebPages.ApplicationPart..ctor(System.Reflection.Assembly, System.String)’ failed..]

   System.Web.Compilation.BuildManager.InvokePreStartInitMethodsCore(ICollection`1 methods, Func`1 setHostingEnvironmentCultures) +556

   System.Web.Compilation.BuildManager.InvokePreStartInitMethods(ICollection`1 methods) +132

   System.Web.Compilation.BuildManager.CallPreStartInitMethods(String preStartInitListPath, Boolean& isRefAssemblyLoaded) +102

   System.Web.Compilation.BuildManager.ExecutePreAppStart() +153

   System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters, PolicyLevel policyLevel, Exception appDomainCreationException) +516

 

[HttpException (0x80004005): The pre-application start initialization method Start on type System.Web.WebPages.Administration.PreApplicationStartCode threw an exception with the following error message: Attempt by security transparent method ‘System.Web.WebPages.Administration.SiteAdmin.RegisterAdminModule()’ to access security critical method ‘System.Web.WebPages.ApplicationPart..ctor(System.Reflection.Assembly, System.String)’ failed..]

   System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +9885044

   System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +101

   System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +254

 


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34009

Errors in Windows Azure Pack after applying Update 1 to System Center 2012 R2 VMM

After applying the Microsoft update KB http://support.microsoft.com/kb/2904712, you may see your templates and plans not updating in WAP.

The normal steps to check are to look at the disks and templates. In WAP all templates and disks need to have an Operating System configuration.

After the update, no new templates appear in WAP and adding a subscription to a plan fails to sync. This happens because of an updated stored procedure in the SQL database.

Checking VMM you will see an error, and the VMM error report will show the following:

Error = 8144
Index #0
Source: .Net SqlClient Data Provider
Number: 8144
State: 2
Class: 16
Server: SYSSQL01
Message: Procedure or function prc_RBS_UserRoleSharedObjectRelation_Insert has too many arguments specified.
Procedure: prc_RBS_UserRoleSharedObjectRelation_Insert
Line: 0

Resolution:

To fix the issue you need to update the SQL stored procedure with the code from KB 2904712. Then perform a sync on any user subscription that is not in a synced state.

The T-SQL code is:

use [VirtualManagerDB]
go

/* script starts here */
ALTER Procedure [dbo].[prc_RBS_UserRoleSharedObjectRelation_Insert]
(
@ID uniqueidentifier,
@ObjectID uniqueidentifier,
@ObjectType int,
@RoleID uniqueidentifier,
@UserOrGroup varbinary (85),
@ForeignAccount nvarchar (256),
@IsADGroup bit,
@ExistingID uniqueidentifier = NULL OUTPUT
)
AS
SET NOCOUNT ON
SELECT @ExistingID = [ID] FROM [dbo].[tbl_RBS_UserRoleSharedObjectRelation]
WHERE [ObjectID] = @ObjectID AND [RoleID] = @RoleID
AND
-- Select owner OR Select all which matches ForeignAccount or UserOrGroup OR
-- both ForeignAccount and UserOrGroup is NULL
(([UserOrGroup] = @UserOrGroup OR [ForeignAccount] = @ForeignAccount) OR
([UserOrGroup] IS NULL AND @UserOrGroup IS NULL AND [ForeignAccount] IS NULL AND @ForeignAccount IS NULL))
/* Ignore duplicate entries */
IF (@ExistingID IS NULL)
BEGIN
INSERT [dbo].[tbl_RBS_UserRoleSharedObjectRelation]
([ID]
,[ObjectID]
,[ObjectType]
,[RoleID]
,[UserOrGroup]
,[ForeignAccount]
,[IsADGroup]
,[IsOwner]
)
VALUES
(
@ID,
@ObjectID,
@ObjectType,
@RoleID,
@UserOrGroup,
@ForeignAccount,
@IsADGroup,
0
)
END
SET NOCOUNT OFF
RETURN @@ERROR
/* script ends here */
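
The following is an added example, not part of the KB script: it saves the currently deployed procedure definition and compares its parameter list with the one in the script above, which is the mismatch behind error 8144. The server and database names are the ones shown on this page; the backup file name is an assumption.

```powershell
# Added example: compare the deployed procedure's parameters with the script above.
# Server and database names are the ones shown on this page.
$server   = 'SYSSQL01'
$database = 'VirtualManagerDB'
$proc     = 'dbo.prc_RBS_UserRoleSharedObjectRelation_Insert'
$expected = '@ID', '@ObjectID', '@ObjectType', '@RoleID',
            '@UserOrGroup', '@ForeignAccount', '@IsADGroup', '@ExistingID'

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$server;Database=$database;Integrated Security=True")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    [void]$cmd.Parameters.AddWithValue('@proc', $proc)

    # Save the current definition first so the ALTER can be rolled back.
    $cmd.CommandText = 'SELECT OBJECT_DEFINITION(OBJECT_ID(@proc))'
    $definition = $cmd.ExecuteScalar()
    if ($definition -is [string]) {
        # Backup file name is an assumption; choose any path you can write to.
        $backup = ".\prc_RBS_UserRoleSharedObjectRelation_Insert.$(Get-Date -Format yyyyMMdd-HHmmss).sql"
        Set-Content -Path $backup -Value $definition -Encoding UTF8
    } else {
        throw "$proc not found in $database on $server"
    }

    # Read the parameter list as SQL Server currently sees it.
    $cmd.CommandText = 'SELECT name FROM sys.parameters WHERE object_id = OBJECT_ID(@proc) ORDER BY parameter_id'
    $reader = $cmd.ExecuteReader()
    $actual = @()
    while ($reader.Read()) { $actual += $reader.GetString(0) }
    $reader.Close()
} finally {
    $conn.Close()
}

$missing = @($expected | Where-Object { $actual -notcontains $_ })
$extra   = @($actual   | Where-Object { $expected -notcontains $_ })
if ($missing.Count -or $extra.Count) {
    Write-Warning "Parameter mismatch. Missing: $($missing -join ', ')  Unexpected: $($extra -join ', ')"
} else {
    Write-Output "$proc accepts the $($expected.Count) parameters in the script above"
}
```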