Wednesday, 23 July 2014

Changing the Federation Service name in ADFS 3.0

I was configuring a Windows Server 2012 R2 server with ADFS to talk to Office 365 and set it up with the wrong name (fs.alsheppard.com) instead of the desired sts.alsheppard.com. Easy I thought, I'll just go and change it in the ADFS config and test it. Nope, that didn't work. Ok, I'll Google it. Nope, NOTHING about changing the Federation Service name in ADFS 3.0 (as at March 2014).

So, how I fixed it (in my mythical alsheppard.com domain).

  • In the AD FS mmc tool, on the right is the "Edit Federation Service Properties" and change the FS name and identifier.
  • Add the new DNS name sts.alsheppard.com to point to the same IP address as the fs.alsheppard.com
  • Update the certificate that it uses. Powershell and run "Update-ADFSCertificate". This will generate the new token-decrypting certificate and token-signing certificate that you can see in the MMC (under AD FS -> Service -> Certificates). The fs.alsheppard.com certificate is still the primary.
  • In the gui, notice that you can't change the primary and secondary around yet. In the powershell, run "set-ADFSProperties -AutoCertificateRollover $false".
  • In the gui again, change the new sts.alsheppard.com to be the primary and delete the old fs.alsheppard.com certificates in both sections.
  • In powershell, run "set-ADFSProperties -AutoCertificateRollover $true"
  • In ADUC, change the SPN value on the ADFS farm service account from "host/fs.alsheppard.com" to "host/sts.alsheppard.com"
  • In the Powershell again, type "get-ADFSSslCertificate" and this should show three certificates, two for the fs.alsheppard.com hostname and one for localhost. Copy the CertificateHash and use it here "set-ADFSSslCertificate -thumbprint <CertificateHash>. Run the get-ADFSslCertificate again and there should be 5 certificates now, one for localhost, two for the old name and two for the new name. This must be done on each server in the farm.
  • In the mmc, change the Device Registration Service identifier too (AD FS -> Trust Relationships -> Relying Party Trusts).
  • Restart the ADFS service.
That should be about it. Test it by going to "https://sts.alsheppard.com/adfs/ls/idpinitiatedsignon" and seeing if you can log in. If not, check that the ADFS farm service account has read rights to the user account you are trying.

In hindsight, deleting the farm, wiping the farm server and restarting from scratch would have been about as easy.

Edited  20150908 to change the set-ADFSProperties certificate rollover, thanks anonymous commenter!

11 comments:

  1. good one thanks. almost everything did it myself as described to rename, but just forgot about Device Registration Service identifier and certificates on secondary adfs server.

    ReplyDelete
  2. Thanks a lot , this was very helpful ..life saver

    ReplyDelete
  3. Thanks for the article. It helped me in a similar situation.
    If you don't mind, I would like to suggest a minor change. The parameter name to disable/enable switching the primary and secondary certificates is actually called AutoCertificateRollover. So the correct commands are:
    set-ADFSProperties -AutoCertificateRollover $false
    set-ADFSProperties -AutoCertificateRollover $true

    Best regards.

    ReplyDelete
  4. Great stuff! At the very end, we have to update the trust with the following command (we were getting SAML token is invalid message).
    Update-MsolFederatedDomain -DomainName [verified domain]

    ReplyDelete
  5. Thank you, very thorough, got me out of a pinch ;)

    ReplyDelete
  6. Great article.... Had the same issue in that we had to use the Update-MsolFederatedDomain -DomainName command at the end. More information about updating ADFS certificates can be found at the following link.

    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-o365-certs

    ReplyDelete
  7. Thanks, Al. Appreciate this very much. Todd Shelton

    ReplyDelete
  8. Just to thank you for taking the time to write this article and share it with us and also add that I had to update the IdTokenIssuer parameter on a Win 2016 ADFS server in a set up with Azure MFA server.

    ReplyDelete
  9. All worked for me except for one missing step at the end to change the Service certificate across to the new one: Set-AdfsCertificate -CertificateType Service-Communications –Thumbprint XXXXXXX

    ReplyDelete
  10. Thank you for wrting this up Al.

    ReplyDelete
  11. Change in Federation Service Properties is not updating IdTokenIssuer property (?exists in ADFS 2016 and newer). Use PS command Set-AdfsProperties -IdTokenIssuer ...

    Old name SSL bindings should be deleted using command
    netsh http delete sslcert hostnameport=...
    +reconfiguring ADFS Web Application Proxies and Relying Parties

    https://tristanwatkins.com/changing-adfs-url-windows-server-2012-r2/

    ReplyDelete