So, here is how I fixed it (in my mythical alsheppard.com domain, renaming the federation service from fs.alsheppard.com to sts.alsheppard.com).
- In the AD FS MMC, click "Edit Federation Service Properties" in the Actions pane on the right and change the Federation Service name and identifier to the new name.
- Add a DNS record for sts.alsheppard.com pointing at the same IP address as fs.alsheppard.com.
- Generate new service certificates. In PowerShell, run "Update-ADFSCertificate". This creates a new token-decrypting certificate and a new token-signing certificate for the new name, which you can see in the MMC under AD FS -> Service -> Certificates. The fs.alsheppard.com certificates are still primary at this point.
- In the GUI, notice that you cannot swap primary and secondary yet. In PowerShell, run "set-ADFSProperties -AutoCertificateRollover $false".
- In the GUI again, make the new sts.alsheppard.com certificates primary and delete the old fs.alsheppard.com certificates in both sections. Anything that trusts this farm validates tokens against the signing certificate published in the federation metadata, so each relying party has to pick up the new metadata (or be given the new certificate) before the old one goes away, or its tokens will be rejected.
- In PowerShell, run "set-ADFSProperties -AutoCertificateRollover $true".
- In ADUC, change the SPN on the AD FS farm service account from "host/fs.alsheppard.com" to "host/sts.alsheppard.com" ("setspn -L <account>" shows what is currently registered).
- In PowerShell again, run "get-ADFSSslCertificate". It should show three bindings: two for the fs.alsheppard.com hostname and one for localhost. Copy the CertificateHash and use it in "set-ADFSSslCertificate -thumbprint <CertificateHash>". Run get-ADFSSslCertificate again and there should now be five bindings: one for localhost, two for the old name and two for the new name. Reusing the same hash only works if the SSL certificate already covers sts.alsheppard.com (a wildcard or a SAN entry); otherwise clients get a name mismatch and you need a new certificate first. This must be done on each server in the farm.
- In the MMC, change the Device Registration Service identifier too (AD FS -> Trust Relationships -> Relying Party Trusts); it embeds the federation service name.
- Restart the AD FS service.
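The same steps as one PowerShell script, added here as an example and not part of the original post. It uses the post's placeholder hostnames; the service account name is an assumption you must replace, and the AD FS 2016 issuer line and the netsh cleanup are taken from the comments on this post. Run it elevated on the primary AD FS server and repeat the SSL binding step on every farm member.

```powershell
# Added example (not from the original post): AD FS farm rename as a script.
# fs.alsheppard.com / sts.alsheppard.com are the post's placeholders; the
# service account is an assumption. 2012 R2 cmdlets; run elevated on the
# primary farm server.
$OldName    = 'fs.alsheppard.com'
$NewName    = 'sts.alsheppard.com'
$SvcAccount = 'ALSHEPPARD\svc_adfs'   # assumed service account, replace with yours

Import-Module ADFS

# 1. Federation Service name and identifier (what the GUI dialog edits).
Set-AdfsProperties -HostName $NewName -Identifier "http://$NewName/adfs/services/trust"

# 2. New self-signed token-signing and token-decrypting certificates.
#    Update-AdfsCertificate only runs while AutoCertificateRollover is enabled,
#    which is why rollover is switched off after, not before, this step.
#    Without -Urgent the old certificates stay primary, so relying parties
#    have time to pick up the new federation metadata.
Update-AdfsCertificate

# 3. Promote the new certificates and remove the old ones. The self-signed
#    certificates carry the service name in their subject, so select on it.
Set-AdfsProperties -AutoCertificateRollover $false
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $certs = Get-AdfsCertificate -CertificateType $type
    $new   = $certs | Where-Object { $_.Certificate.Subject -like "* $NewName" }
    $old   = $certs | Where-Object { $_.Certificate.Subject -like "* $OldName" }
    if (-not $new) { throw "No $type certificate for $NewName; did Update-AdfsCertificate run?" }
    Set-AdfsCertificate -CertificateType $type -Thumbprint $new.Thumbprint -IsPrimary
    foreach ($c in $old) {
        Remove-AdfsCertificate -CertificateType $type -Thumbprint $c.Thumbprint
    }
}
Set-AdfsProperties -AutoCertificateRollover $true

# 4. SPN on the service account (the ADUC edit). -S refuses duplicates.
setspn -D "HOST/$OldName" $SvcAccount
setspn -S "HOST/$NewName" $SvcAccount

# 5. SSL binding for the new name. Reusing the existing certificate is only
#    valid if it already covers $NewName (wildcard or SAN); otherwise import
#    a new certificate and use its thumbprint here. Repeat on each farm member.
$ssl = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $OldName } | Select-Object -First 1
Set-AdfsSslCertificate -Thumbprint $ssl.CertificateHash
# Optional cleanup of the old-name bindings (443 and 49443 are the AD FS ports).
netsh http delete sslcert hostnameport="${OldName}:443"
netsh http delete sslcert hostnameport="${OldName}:49443"

# 6. The Device Registration Service relying party identifier embeds the name.
Set-AdfsRelyingPartyTrust -TargetName 'Device Registration Service' -Identifier "urn:ms-drs:$NewName"

# 7. AD FS 2016 and later also publish an OIDC issuer the GUI does not update:
# Set-AdfsProperties -IdTokenIssuer "https://$NewName/adfs"

Restart-Service adfssrv

# Check: the published metadata must now carry the new identifier.
$url  = "https://$NewName/FederationMetadata/2007-06/FederationMetadata.xml"
$meta = [xml](Invoke-WebRequest -Uri $url -UseBasicParsing).Content
if ($meta.EntityDescriptor.entityID -ne "http://$NewName/adfs/services/trust") {
    throw "Metadata still shows $($meta.EntityDescriptor.entityID)"
}
```

Relying parties that cached the old metadata (Office 365 via Update-MsolFederatedDomain, anything with a manually imported signing certificate) still need to be refreshed after this runs.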
In hindsight, deleting the farm, wiping the farm server and restarting from scratch would have been about as easy.
Edited 20150908 to change the set-ADFSProperties certificate rollover, thanks anonymous commenter!
Good one, thanks. I did almost everything myself as described to rename, but just forgot about the Device Registration Service identifier and the certificates on the secondary ADFS server.
Thanks a lot, this was very helpful. Life saver.
Thanks for the article. It helped me in a similar situation.
If you don't mind, I would like to suggest a minor change. The parameter name to disable/enable switching the primary and secondary certificates is actually called AutoCertificateRollover. So the correct commands are:
set-ADFSProperties -AutoCertificateRollover $false
set-ADFSProperties -AutoCertificateRollover $true
Best regards.
Great stuff! At the very end, we have to update the trust with the following command (we were getting SAML token is invalid message).
Update-MsolFederatedDomain -DomainName [verified domain]
Thank you, very thorough, got me out of a pinch ;)
Great article.... Had the same issue in that we had to use the Update-MsolFederatedDomain -DomainName command at the end. More information about updating ADFS certificates can be found at the following link.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-o365-certs
Thanks, Al. Appreciate this very much. Todd Shelton
Just to thank you for taking the time to write this article and share it with us, and also to add that I had to update the IdTokenIssuer parameter on a Win 2016 ADFS server in a setup with Azure MFA server.
All worked for me except for one missing step at the end to change the Service certificate across to the new one: Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint XXXXXXX
Thank you for writing this up, Al.
The change in Federation Service Properties is not updating the IdTokenIssuer property (exists in ADFS 2016 and newer?). Use the PS command Set-AdfsProperties -IdTokenIssuer ...
Old-name SSL bindings should be deleted using the command
netsh http delete sslcert hostnameport=...
+reconfiguring ADFS Web Application Proxies and Relying Parties
https://tristanwatkins.com/changing-adfs-url-windows-server-2012-r2/