Managing SSL Certificates in AD FS and WAP in Windows Server 2016

Obtaining your SSL Certificates

For production AD FS farms, a publicly trusted SSL certificate is recommended. This is typically obtained by submitting a certificate signing request (CSR) to a third-party, public certificate provider. There are a variety of ways to generate the CSR, including from a Windows 7 or later computer. Your vendor should have documentation for this.

Make sure the certificate meets the AD FS and Web Application Proxy SSL certificate requirements.
How many certificates are required
It is recommended that you use a common SSL certificate across all AD FS and Web Application Proxy servers. For detailed requirements, see the document AD FS and Web Application Proxy SSL certificate requirements.

SSL certificate requirements

For requirements including naming, the root of trust, and extensions, see the document AD FS and Web Application Proxy SSL certificate requirements.
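Before binding a new certificate anywhere, it is worth checking it against the requirements this section points to (names, root of trust, extensions) in the Local Machine store where the binding cmdlets will look for it. The script below is an added example, not part of the original article or of the AD FS cmdlets; it assumes the federation service name is fs.contoso.com and that the alternate client TLS hostname certauth.fs.contoso.com must also be covered, and it relies on the PKI module's Test-Certificate for the chain and EKU check.

```powershell
# Added example (not from the original article): pre-flight check of a candidate
# SSL certificate in the Local Machine store against the requirements the
# article points to. Assumes the federation service name is fs.contoso.com.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $FederationServiceName = 'fs.contoso.com'
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$problems = @()

# Naming: the SAN extension (OID 2.5.29.17) must list every hostname AD FS binds,
# including the certauth.* name used by alternate client TLS binding mode.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
foreach ($name in @($FederationServiceName, "certauth.$FederationServiceName")) {
    if ($sanText -notmatch [regex]::Escape("DNS Name=$name")) {
        $problems += "SAN does not include $name"
    }
}

# Private key: the binding cmdlets grant adfssrv read access to it, so it must be present.
if (-not $cert.HasPrivateKey) { $problems += 'no private key in the Local Machine store' }

# Validity window, with an early warning so the rotation is planned, not forced.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += "not valid at $now" }
if ($cert.NotAfter -lt $now.AddDays(30)) { $problems += "expires $($cert.NotAfter); plan a rotation" }

# Root of trust and extensions: Test-Certificate builds the chain under the SSL
# policy and checks the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $FederationServiceName `
    -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction SilentlyContinue
if (-not $chainOk) { $problems += 'chain or EKU check failed (Test-Certificate -Policy SSL)' }

# A weak signature algorithm has no place on a production federation endpoint.
if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
    $problems += "signature algorithm $($cert.SignatureAlgorithm.FriendlyName) is weak"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $($cert.Subject) ($Thumbprint) passes the basic checks"
} else {
    Write-Warning "Certificate $Thumbprint failed $($problems.Count) check(s):"
    $problems | ForEach-Object { Write-Warning "  - $_" }
}
```

Run it on each AD FS and Web Application Proxy server after importing the certificate, because the private key and the chain are evaluated per machine: a certificate that passes on the primary can still fail on a proxy that lacks the intermediate CA certificate.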

Replacing the SSL certificate for AD FS
First, determine which certificate binding mode your AD FS servers are running: default certificate authentication binding, or alternate client TLS binding mode.
Replacing the SSL certificate for AD FS running in default certificate authentication binding mode
AD FS by default performs device certificate authentication on port 443 and user certificate authentication on port 49443 (or a configurable port that is not 443). In this mode, use the PowerShell cmdlet Set-AdfsSslCertificate to manage the SSL certificate.

Follow the steps below:


First, you will need to obtain the new certificate. This is typically done by submitting a certificate signing request (CSR) to a third-party, public certificate provider. There are a variety of ways to generate the CSR, including from a Windows 7 or later computer. Your vendor should have documentation for this.

Make sure the certificate meets the AD FS and Web Application Proxy SSL certificate requirements.
Once you get the response from your certificate provider, import it into the Local Machine store on each AD FS and Web Application Proxy server.

On the primary AD FS server, use the following cmdlet to install the new SSL certificate:

PowerShell
Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'
The certificate thumbprint can be found by executing this command:
PowerShell
dir Cert:\LocalMachine\My\

Additional Notes

The Set-AdfsSslCertificate cmdlet is a multi-node cmdlet; this means it only needs to run from the primary server, and every node in the farm will be updated. This is new in Server 2016. On Server 2012 R2 you had to run Set-AdfsSslCertificate on each server.
The Set-AdfsSslCertificate cmdlet must be run only on the primary server. The primary server must be running Server 2016 and the Farm Behavior Level must be raised to 2016.
The Set-AdfsSslCertificate cmdlet uses PowerShell Remoting to configure the other AD FS servers; make sure port 5985 (TCP) is open on the other nodes.
The Set-AdfsSslCertificate cmdlet grants the adfssrv principal read permissions to the private keys of the SSL certificate. This principal represents the AD FS service. It is not necessary to grant the AD FS service account read access to the private keys of the SSL certificate.
Replacing the SSL certificate for AD FS running in alternate TLS binding mode
When configured in alternate client TLS binding mode, AD FS performs device certificate authentication on port 443 and user certificate authentication also on port 443, but on a different hostname. The user certificate hostname is the AD FS hostname prepended with "certauth", for example, "certauth.fs.contoso.com". In this mode, use the PowerShell cmdlet Set-AdfsAlternateTlsClientBinding to manage the SSL certificate. This manages not only the alternate client TLS binding but also all other bindings on which AD FS sets the SSL certificate.
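The two modes described above (user certificate authentication on port 49443 in default mode, or on a certauth.* hostname on port 443 in alternate client TLS binding mode) can be told apart from the server's own SSL bindings, which is the first step the section on replacing the certificate asks for. The function below is an added example, not part of the original article; it assumes it runs on an AD FS 2016 server with the ADFS module loaded and reads the HostName, PortNumber and CertificateHash fields that Get-AdfsSslCertificate returns.

```powershell
# Added example (not from the original article): work out which binding mode an
# AD FS 2016 server is in from its current SSL bindings, using the port and
# hostname layout the article describes (49443 = default certificate
# authentication binding; a certauth.* hostname on 443 = alternate client TLS
# binding). Assumes the ADFS module is available on this server.
function Get-AdfsBindingMode {
    $bindings = Get-AdfsSslCertificate

    $hasCertAuthHost = $bindings | Where-Object {
        $_.PortNumber -eq 443 -and $_.HostName -like 'certauth.*'
    }
    $hasUserCertPort = $bindings | Where-Object { $_.PortNumber -eq 49443 }

    $mode = if ($hasCertAuthHost) { 'AlternateTlsClientBinding' }
            elseif ($hasUserCertPort) { 'DefaultCertificateAuthenticationBinding' }
            else { 'Unknown' }

    # Map the mode to the cmdlet the article says manages the SSL certificate in it.
    $cmdlet = switch ($mode) {
        'AlternateTlsClientBinding'               { 'Set-AdfsAlternateTlsClientBinding' }
        'DefaultCertificateAuthenticationBinding' { 'Set-AdfsSslCertificate' }
        default                                   { $null }
    }

    [pscustomobject]@{
        Mode        = $mode
        Cmdlet      = $cmdlet
        Thumbprints = @($bindings.CertificateHash | Sort-Object -Unique)
        Bindings    = $bindings
    }
}

$result = Get-AdfsBindingMode
$result | Select-Object Mode, Cmdlet, Thumbprints | Format-List

# More than one thumbprint across the bindings means an earlier rotation did not
# reach every binding; re-run the cmdlet named in Cmdlet once the farm is healthy.
if ($result.Thumbprints.Count -gt 1) {
    Write-Warning "Bindings carry $($result.Thumbprints.Count) different certificates"
}
```

If the user certificate port was changed from 49443 to a custom port, the function reports Unknown rather than guessing; in that case compare the bindings against the configured port by hand, for example with netsh http show sslcert.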

Follow the steps below:


First, you will need to obtain the new certificate. This is typically done by submitting a certificate signing request (CSR) to a third-party, public certificate provider. There are a variety of ways to generate the CSR, including from a Windows 7 or later computer. Your vendor should have documentation for this.

Make sure the certificate meets the AD FS and Web Application Proxy SSL certificate requirements.
Once you get the response from your certificate provider, import it into the Local Machine store on each AD FS and Web Application Proxy server.

On the primary AD FS server, use the following cmdlet to install the new SSL certificate:

PowerShell
Set-AdfsAlternateTlsClientBinding -Thumbprint '<thumbprint of new cert>'
The certificate thumbprint can be found by executing this command:
PowerShell
dir Cert:\LocalMachine\My\

Additional Notes

The Set-AdfsAlternateTlsClientBinding cmdlet is a multi-node cmdlet; this means it only needs to run from the primary server, and every node in the farm will be updated.
The Set-AdfsAlternateTlsClientBinding cmdlet must be run only on the primary server. The primary server must be running Server 2016 and the Farm Behavior Level must be raised to 2016.
The Set-AdfsAlternateTlsClientBinding cmdlet uses PowerShell Remoting to configure the other AD FS servers; make sure port 5985 (TCP) is open on the other nodes.
The Set-AdfsAlternateTlsClientBinding cmdlet grants the adfssrv principal read permissions to the private keys of the SSL certificate. This principal represents the AD FS service. It is not necessary to grant the AD FS service account read access to the private keys of the SSL certificate.
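The rotation steps and notes for both binding modes (the Set-AdfsSslCertificate section and the Set-AdfsAlternateTlsClientBinding section above) share the same preconditions: run on the primary only, on a farm whose behavior level is 2016, with TCP 5985 open to every other node, and with the certificate and its private key already in the Local Machine store. The script below is an added example, not part of the original article or of the ADFS module; it turns those notes into pre-checks, applies whichever cmdlet matches the mode you pass in, and confirms every binding now carries the new thumbprint. It assumes Get-AdfsSyncProperties reports the role as PrimaryComputer, that Get-AdfsFarmInformation (AD FS 2016) exposes CurrentFarmBehavior and a FarmNodes list with an FQDN field, and that the 2016 farm behavior level is 3.

```powershell
# Added example (not from the original article): replace the AD FS SSL certificate
# from the primary server in either binding mode, with the pre-checks the
# article's notes call for and a post-check of every binding. Assumes the new
# certificate is already imported into Cert:\LocalMachine\My on every node.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [ValidateSet('Default', 'AlternateTls')] [string] $Mode
)
$ErrorActionPreference = 'Stop'

# 1. Only the primary server may run the multi-node cmdlets.
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'PrimaryComputer') {
    throw "This node's role is $($sync.Role); run the rotation on the primary server"
}

# 2. The multi-node cmdlets need a Server 2016 farm behavior level (assumed to be 3).
$farm = Get-AdfsFarmInformation
if ($farm.CurrentFarmBehavior -lt 3) {
    throw "Farm behavior level is $($farm.CurrentFarmBehavior); raise it to 2016 first"
}

# 3. PowerShell Remoting to each secondary node goes over TCP 5985.
$myFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$others = $farm.FarmNodes | Where-Object { $_.FQDN -ne $myFqdn }
$unreachable = foreach ($node in $others) {
    $t = Test-NetConnection -ComputerName $node.FQDN -Port 5985 -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { $node.FQDN }
}
if ($unreachable) { throw "TCP 5985 is closed on: $($unreachable -join ', ')" }

# 4. The certificate and its private key must be in the Local Machine store here;
#    the cmdlet itself grants adfssrv read access to that key.
$cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key in LocalMachine\My" }

# 5. Apply with the cmdlet that matches the binding mode.
$before = @(Get-AdfsSslCertificate)
if ($Mode -eq 'AlternateTls') {
    Set-AdfsAlternateTlsClientBinding -Thumbprint $Thumbprint
} else {
    Set-AdfsSslCertificate -Thumbprint $Thumbprint
}

# 6. Verify every binding moved to the new thumbprint and none disappeared.
$after = @(Get-AdfsSslCertificate)
$stale = $after | Where-Object { $_.CertificateHash -ne $Thumbprint }
if ($stale) {
    Write-Warning 'Bindings still on another certificate:'
    $stale | Format-Table HostName, PortNumber, CertificateHash
} elseif ($after.Count -ne $before.Count) {
    Write-Warning "Binding count changed from $($before.Count) to $($after.Count)"
} else {
    Write-Output "All $($after.Count) bindings now use $Thumbprint"
}
```

The post-check only reads the primary's bindings; because the cmdlets push the change to the other nodes over remoting, repeat Get-AdfsSslCertificate on each secondary (or via Invoke-Command) before retiring the old certificate.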
Replacing the SSL certificate for the Web Application Proxy
For configuring either the default certificate authentication binding or the alternate client TLS binding mode on the WAP, use the Set-WebApplicationProxySslCertificate cmdlet. To replace the Web Application Proxy SSL certificate, on each Web Application Proxy server use the following cmdlet to install the new SSL certificate:

PowerShell
Set-WebApplicationProxySslCertificate -Thumbprint '<thumbprint of new cert>'
If the above cmdlet fails because the old certificate has already expired, reconfigure the proxy using the following cmdlets:
PowerShell
$cred = Get-Credential
Enter the credentials of a domain user who is a local administrator on the AD FS server.
PowerShell
Install-WebApplicationProxy -FederationServiceTrustCredential $cred -CertificateThumbprint '<thumbprint of new cert>' -FederationServiceName '<federation service name>'
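The proxy procedure above has a failure mode worth scripting around: once the old certificate has expired, the in-place binding update fails and the proxy trust has to be re-established. The script below is an added example, not part of the original article or of the WebApplicationProxy module; it runs on one Web Application Proxy server, tries the in-place update first, falls back to Install-WebApplicationProxy only when that fails, and then checks the proxy bindings. It assumes the new certificate is already in Cert:\LocalMachine\My on the proxy, that the federation service name is fs.contoso.com, and that Get-WebApplicationProxySslCertificate returns bindings with HostName, PortNumber and CertificateHash fields.

```powershell
# Added example (not from the original article): replace the SSL certificate on
# one Web Application Proxy server, falling back to re-establishing the proxy
# trust when the old certificate has already expired, then confirm the bindings.
# Assumes fs.contoso.com is the federation service name and that the caller can
# supply the domain credential of a local administrator on the AD FS server.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $FederationServiceName = 'fs.contoso.com'
)
$ErrorActionPreference = 'Stop'

# Refuse to bind a certificate that is not usable on this host.
$cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key on this proxy" }
if ($cert.NotAfter -lt (Get-Date)) { throw "$Thumbprint has already expired" }

# Prefer the in-place binding update; it keeps the existing proxy trust intact.
try {
    Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint
} catch {
    # Once the old certificate has expired the proxy can no longer authenticate
    # to AD FS, so the article's fallback is to reconfigure the proxy instead.
    Write-Warning "Set-WebApplicationProxySslCertificate failed: $($_.Exception.Message)"
    $cred = Get-Credential -Message 'Domain user who is a local administrator on the AD FS server'
    Install-WebApplicationProxy -FederationServiceTrustCredential $cred `
        -CertificateThumbprint $Thumbprint `
        -FederationServiceName $FederationServiceName
}

# Every proxy binding should now report the new thumbprint.
$stale = Get-WebApplicationProxySslCertificate |
    Where-Object { $_.CertificateHash -ne $Thumbprint }
if ($stale) {
    Write-Warning 'Proxy bindings still on another certificate:'
    $stale | Format-Table HostName, PortNumber, CertificateHash
} else {
    Write-Output "Web Application Proxy bindings on $env:COMPUTERNAME now use $Thumbprint"
}
```

Run it once per proxy, since unlike the AD FS cmdlets this step is not multi-node; the credential prompt is reached only on the fallback path, so an unattended run succeeds as long as the old certificate is still valid.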
