Set-AdfsSslCertificate Socket Error

  • Question

  • Over many years with many cert replacements this has never been a problem.  All of a sudden I'm getting this odd socket connection error.  I ran my usual commands to replace the cert:

    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint ******

    Updated fine.  New cert is displayed in ADFS Manager.

    Set-AdfsSslCertificate -Thumbprint ******

    Set-AdfsSslCertificate : The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an
    underlying network resource issue. Local socket timeout was '00:01:00'.
    At line:1 char:1
    + Set-AdfsSslCertificate -Thumbprint ****** ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Set-AdfsSslCertificate], CommunicationException
        + FullyQualifiedErrorId : System.ServiceModel.CommunicationException,Microsoft.IdentityServer.Management.Commands.SetSslCertificateCommand

    Commands are being run on my one and only ADFS server.  SRV2016.

    The only hint I could find on the internet was to make sure WinRM was up and running and it is.  I'm at a loss here.  I'd appreciate any help someone could give me.

    SPN info for physical machine:

    Registered ServicePrincipalNames for CN=WEB,OU=Servers,DC=******,DC=com:

    SPN info for managed ADFS account:

    Registered ServicePrincipalNames for CN=ADFS,CN=Managed Service Accounts,DC=******,DC=com:
    • Edited by JEmlay Thursday, July 11, 2019 4:53 PM
    Thursday, July 11, 2019 4:46 PM

All replies

  • Is that second command needed anymore?

    When I run netsh http show sslcert, everything has the correct thumbprint.

    When I run Get-AdfsSslCertificate, all 3 certs show the correct thumbprint.

    Thursday, July 11, 2019 6:21 PM
  • Yes, both are needed. But the second might have just worked fine in your case.

    My guess is that you used to have a second ADFS server in your farm. Starting with ADFS 2016, Set-ADFSSslCertificate tries to reach each node to change the binding on all nodes (back in 2012 R2 the command Set-ADFSSslCertificate had to be executed on each node and often led to confusion).

    Run Get-AdfsFarmInformation to check if you have a lingering member and remove it with Set-AdfsFarmInformation -RemoveNode.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, July 12, 2019 12:39 PM
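The check the reply above describes, as an added example (not posted in this thread): list the nodes the farm still has on record, test whether WinRM can reach each one, print the removal command for any that cannot be reached, and compare the current SSL binding with the service-communications certificate. It assumes the AD FS 2016 PowerShell module and that the FarmNodes entries returned by Get-AdfsFarmInformation expose an FQDN property.

```powershell
# Added example, not from the thread. Assumes the AD FS 2016 module and that
# Get-AdfsFarmInformation returns a FarmNodes collection whose entries carry
# an FQDN property (assumption based on the 2016 cmdlet output).
Import-Module ADFS

# 1. Which nodes does the farm still think it has?
$farm  = Get-AdfsFarmInformation
$nodes = @($farm.FarmNodes | ForEach-Object { $_.FQDN })
Write-Host "Farm nodes on record: $($nodes -join ', ')"

# 2. Can WinRM reach every one of them? Set-AdfsSslCertificate has to,
#    so an unreachable node is the likeliest cause of the socket abort.
$unreachable = @()
foreach ($node in $nodes) {
    try {
        Test-WSMan -ComputerName $node -ErrorAction Stop | Out-Null
        Write-Host "  $node : WinRM reachable"
    } catch {
        Write-Warning "  $node : WinRM NOT reachable ($($_.Exception.Message))"
        $unreachable += $node
    }
}

# 3. Report lingering members. Removal is left as a manual step on purpose:
#    only remove a node you have confirmed is decommissioned.
if ($unreachable.Count -gt 0) {
    Write-Host "Unreachable nodes (confirm they are decommissioned before removing):"
    $unreachable | ForEach-Object {
        Write-Host "  Set-AdfsFarmInformation -RemoveNode '$_'"
    }
}

# 4. Does the SSL binding on this host already match the primary
#    service-communications certificate?
$svcThumb = (Get-AdfsCertificate -CertificateType Service-Communications |
             Where-Object IsPrimary).Thumbprint
Get-AdfsSslCertificate | ForEach-Object {
    $state = if ($_.CertificateHash -eq $svcThumb) { 'matches' } else { 'DIFFERS from' }
    Write-Host "  $($_.HostName):$($_.PortNumber) -> $($_.CertificateHash) ($state service-communications cert)"
}
```

Run it in an elevated PowerShell session on the AD FS server; a node that fails step 2 but is still listed in step 1 is the lingering member the reply refers to.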