ADFS 2016 - After SSL Communication Certificate renewal "Page can't be displayed"

  • Question

  • After the renewal of my AD FS server communication certificate I cannot reach my "sampapp" web app.

    I ran the following commands:

    .\Request-Certificate.ps1 -CN adfs01.example.com -CAName "ca01\example root ca"

    # Look up the thumbprint of the newly issued certificate in the machine store
    $fingerprintComm = Get-ChildItem Cert:\LocalMachine\My\ -Recurse |
        Where-Object { $_.Subject -like "*adfs01.example.com*" } |
        Select-Object -ExpandProperty Thumbprint

    # Bind it as the AD FS service-communications certificate
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $fingerprintComm

    Restart-Service -Name adfssrv


    Then I try to open my sampapp (claims-based) in IE (URL: https://iis01.example.com/sampapp/) and it is being redirected to the following URL:

    https://adfs01.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fiis01.example.com%2fsampapp%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fSampApp%252f&wct=2017-10-20T05%3a43%3a25Z
    
    This page can't be displayed

    • Make sure the web address is correct.
    • Look for the page with your search engine.
    • Refresh the page in a few minutes


    Friday, October 20, 2017 5:47 AM

All replies

  • I think you have forgotten to run Set-AdfsSslCertificate -Thumbprint <thumbprint>

    Here are some good articles that might give you more info as well:
    https://blogs.technet.microsoft.com/pie/2015/11/25/script-to-update-the-service-communications-ssl-certificate/
    https://blogs.technet.microsoft.com/rmilne/2016/03/21/updating-windows-server-2012-r2-adfs-ssl-and-service-certificates/

    Friday, October 20, 2017 6:31 AM
  • Thanks for your reply, Jorrk!

    I ran Set-AdfsSslCertificate -Thumbprint <thumbprint> locally on my AD FS server and get a WinRM error message:

    PS > Set-AdfsSslCertificate -Thumbprint $fingerprint
    Set-AdfsSslCertificate : PS0319: Validation task 'Test-_InternalAdfsSslCertificate' on AD FS server 'localhost' 
    failed with error 'Connecting to remote server localhost failed with the following error message : WinRM cannot 
    process the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An 
    unknown security error occurred.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or 
    use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more 
    information, see the about_Remote_Troubleshooting Help topic.'.
    At line:1 char:1
    + Set-AdfsSslCertificate -Thumbprint $fingerprintComm
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Set-AdfsSslCertificate], RemoteException
        + FullyQualifiedErrorId : RuntimeException,Microsoft.IdentityServer.Management.Commands.SetSslCertificateCommand
     

    I don't use "Enter-PSSession" or anything like that; those commands are run locally in PowerShell ISE.

    Does the AD FS server internally try to run commands on a remote server?

    Friday, October 20, 2017 7:01 AM
  • I have no clue what you were trying to run to get the remote error in PowerShell.

    When you are at the ADFS server, either logged on locally via RDP or via PS remoting, just open PowerShell as an administrator and run this cmdlet: "Set-AdfsSslCertificate -Thumbprint <yourThumbprintOfSSLCert>"


    Friday, October 20, 2017 8:27 AM
  • Back in ADFS 2012 R2, Set-AdfsSslCertificate had to be run on each node, often resulting in a situation where the customer was only updating the primary node and not the others.

    In ADFS 2016, Set-AdfsSslCertificate has to be run only once. Then, in the background, it connects to all the nodes of the farm using WinRM to change the cert locally. So even if you have only one node, it will try to open a local session through WinRM. In other words, you need to enable WinRM. If it is not enabled on your server, you can run:

    winrm qc

    And try again.



    Friday, October 20, 2017 2:06 PM
  • Thanks for your reply.

    I already tried to run "winrm qc" but I still get this error:

    PS C:\Users\administrator.EXAMPLE> winrm qc
    WinRM service is already running on this machine.
    WinRM is already set up for remote management on this computer.
    
    PS C:\Users\administrator.EXAMPLE> Set-AdfsSslCertificate -Thumbprint $fingerprintComm
    Set-AdfsSslCertificate : PS0319: Validation task 'Test-_InternalAdfsSslCertificate' on AD FS server 'localhost' failed with error 
    'Connecting to remote server localhost failed with the following error message : WinRM cannot process the request. The following 
    error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS 
    transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the 
    about_Remote_Troubleshooting Help topic.'.
    At line:1 char:1
    + Set-AdfsSslCertificate -Thumbprint $fingerprintComm
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Set-AdfsSslCertificate], RemoteException
        + FullyQualifiedErrorId : RuntimeException,Microsoft.IdentityServer.Management.Commands.SetSslCertificateCommand

    I realized that I get the same error after running "Enter-PSSession localhost".
    Monday, October 23, 2017 5:11 AM
  • Solved it by running the following commands:

      setspn -D HTTP/SERVERNAME <domain account>
      setspn -D HTTP/SERVERNAME.DOMAINAME.COM <domain account>


    Found it here:

    enterpssession-winrm-cannot-process-the-request-kerberos-authentication-error

    It was a gMSA account which was registered to the server's SPN. After this I registered this account again to the server's SPN via the ADUC Attribute Editor.

    • Marked as answer by 1.FreddyD Wednesday, October 25, 2017 7:02 AM
    Wednesday, October 25, 2017 7:02 AM
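As an added example (not from any poster in this thread), a PowerShell pre-flight script that checks the two conditions this thread ends up on before rotating the certificate: that the HTTP/<host> SPN used by WinRM's Kerberos authentication is owned by the computer object rather than a gMSA or user account, and that a local WinRM session actually works. The federation service name and host names are placeholders.

```powershell
# Added example (not from the thread): pre-flight checks before rotating the AD FS
# SSL certificate. The subject and host names below are constructed placeholders.
$Subject  = 'adfs01.example.com'        # placeholder: your federation service name
$HostName = $env:COMPUTERNAME
$Fqdn     = [System.Net.Dns]::GetHostEntry($HostName).HostName

# 1. Newest non-expired certificate matching the farm name in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $Subject in LocalMachine\My." }

# 2. Set-AdfsSslCertificate (2016) reaches every farm node, including this one, over
#    WinRM with Kerberos, which targets the HTTP/<host> SPN. If that SPN is owned by a
#    user or gMSA object instead of the computer object, the ticket is issued for the
#    wrong identity and the session fails with 0x80090322. setspn -Q prints each
#    owning object's DN on a line beginning with "CN=", so flag owners that are not us.
$badOwners = foreach ($spn in "HTTP/$HostName", "HTTP/$Fqdn") {
    setspn -Q $spn |
        Where-Object { $_ -like 'CN=*' -and $_ -notlike "CN=$HostName,*" } |
        ForEach-Object { "$spn is registered on $_" }
}
if ($badOwners) {
    $badOwners | Write-Warning
    throw 'Fix SPN ownership (setspn -D, then re-register on the computer object) before continuing.'
}

# 3. Prove that a local WinRM session with default (Kerberos) credentials works; this
#    is the same path the cmdlet uses and the same thing Enter-PSSession localhost does.
try {
    $null = Invoke-Command -ComputerName localhost -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop
} catch {
    throw "Local WinRM session failed: $($_.Exception.Message)"
}

# 4. All checks passed: update the service-communications certificate and the SSL
#    binding, restart the service, then confirm which thumbprint is bound.
Set-AdfsCertificate    -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
Restart-Service -Name adfssrv
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
```

Run it in an elevated PowerShell session on the AD FS node; steps 2 and 3 stop the script before any certificate is changed if either of the thread's two failure conditions is present.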