ADFS certificates? Yes! They come back to me as little nightmare xD, but in the end, this time was pretty simple to solve it.
The problem begun with a client call that I planned to visit the same day (for other reasons), and he was in panic because the certificates associated with the CRM and ADFS needs to be updated, since the day after will expire.
At the beginning I though, “I don’t have any idea about CRM and how to update the certificates”, but having a technical background I decided to tell him that after the meeting we could have a look to the CRM and the ADFS farm to see what was happening.
Once I finished the meeting with him, I meet with the person in charge of updating the certificates, he explained me how he updated the certificates in the CRM, but he still has a problem with the certificates in the ADFS farm, for me it was like light in the darkness, I don’t need to deal with the CRM, only with ADFS!! 1 point!
Looking to the ADFS farm, the first thing that I realized it was that he updated the decrypting and signing certificates, but the service communications shows a message saying that “It is not possible to find the certificate”. Weird… the client told me that he imports the certificates in the personal Store, so the certificates exist.
If you tried to associate a new certificate with the button “Set service communications certificate”, it fires an error in the ADFS console, but it doesn’t write anything in the event viewer. I started to check in the IIS (it was a 2.0 ADFS) the certificates, I realized that in the binding, the certificate was not associated, I associated it, okay.
Come back to the ADFS console, and try to re-associate the certificate, no luck.
I was pretty sure, that the problem was with the certificate associated, so I starts to look into my PowerShells, one PowerShell to reassociate the CS certificate by scripting, since the interface does not work. But by the time, I asked to the client if he still conserves the old certificate that he delete it, he say yes, and I asked him to reimport it again to the store.
Once the certificate was imported again, I refresh the ADFS farm… and bang!! The CS shows the old certificate, great, then my following action was to try to set the set service communication certificate, and bang! It shows the dialog where is it possible to see the old certificate and the new one, I selected the new one and finally I restarted the ADFS service.
I tested with the CRM, and it was possible to see that it connects with the new certificate 😊. So… what I learned from this experience? Never delete a certificate without first renewing it and test that everything is okay.
By the way, I found the PS to set the CS certificate, but it was not necessary to execute it:
Set-AdfsSslCertificate –Thumbprint <ThumbprintCertificate>
Set-WebApplicationProxySslCertificate –Thumbprint <ThumbprintCertificate>