As you already know, since Windows Server 2012 R2 AD FS no longer depends on IIS. It runs directly on top of HTTP.sys, so the SSL certificate configuration is a little different than on earlier operating systems.
If the SSL certificate needs to be changed, the following tasks need to be done:
- Import the new certificate into the machine's Personal store.
- Make sure you have the private key that corresponds to this certificate. If not, go to the PC on which you requested the certificate, export it from there and make sure to include the private key.
- Assign the proper permissions on the private key to the AD FS managed service account:
Make sure to select "Service Accounts" as the object type when searching for the account if you are using a gMSA as the service account.
If you are not using a service account, verify that "Read" access for the AD FS service account was granted on the certificate. Open "certlm.msc", select the new SSL certificate and select "All Tasks / Manage Private Keys".
Since the service then runs under a "Virtual Account", you should see that "NT SERVICE\adfssrv" has Read access.
Open AD FS Management, go to Certificates and select "Set Service Communication Certificate".
A prompt will open and you can select the certificate. If you don't see the new certificate in the list of available certificates:
- you either don't have the private key that corresponds to this certificate, or
- you didn't import the certificate correctly.
Run:
Set-AdfsSslCertificate -Thumbprint <your certificate thumbprint>
Restart the AD FS service (adfssrv).
Confirm the change with the Get-AdfsSslCertificate command. All AD FS servers should show the new certificate (thumbprint).
NOTE! The Set-AdfsSslCertificate command needs to be run only on the primary AD FS server.
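The checks and commands above, as one added PowerShell example that is not part of the original post: it looks the certificate up in the machine Personal store, checks that a private key is present and that the service identity (NT SERVICE\adfssrv, or the gMSA you pass in) can read the key file, then switches the certificate, restarts the service and confirms every HTTP.sys binding with Get-AdfsSslCertificate. The function names, the placeholder thumbprint and the assumption that the key file sits in the standard CAPI/CNG machine-key folders are mine; the Set-AdfsCertificate call is the cmdlet equivalent of the "Set Service Communication Certificate" GUI step.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# on the AD FS server; replace the placeholder thumbprint with your own.
#Requires -RunAsAdministrator
Import-Module ADFS

function Get-PrivateKeyFilePath {
    # Locate the file that backs the certificate's private key so its ACL can be read.
    # Assumption: the key lives in the standard machine-key folders (CNG or legacy CAPI).
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { return $null }   # no private key, or not an RSA key

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $candidates = @("$env:ProgramData\Microsoft\Crypto\Keys\$name",
                        "$env:ProgramData\Microsoft\Crypto\SystemKeys\$name")
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $candidates = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name")
    }
    return ($candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1)
}

function Test-AdfsSslCertificate {
    # Pre-flight checks for the three things the post says go wrong: certificate not
    # imported, private key missing, service account unable to read the key.
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        # Virtual account by default; pass your gMSA (e.g. CONTOSO\gmsa-adfs$, placeholder) if you use one.
        [string] $ServiceIdentity = 'NT SERVICE\adfssrv'
    )
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert)               { throw "Certificate $Thumbprint is not in the machine Personal store." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; re-export it with the key from the machine you requested it on." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint is already expired." }

    $keyFile = Get-PrivateKeyFilePath -Cert $cert
    if (-not $keyFile) { throw "Could not locate the private key file for $Thumbprint." }

    $readBits = [int][System.Security.AccessControl.FileSystemRights]::Read
    $readRule = (Get-Acl -LiteralPath $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceIdentity -and
        $_.AccessControlType -eq 'Allow' -and
        ((([int]$_.FileSystemRights) -band $readBits) -ne 0)
    }
    if (-not $readRule) {
        throw "$ServiceIdentity has no Read access to the private key. Grant it in certlm.msc: All Tasks / Manage Private Keys."
    }
    return $cert
}

function Update-AdfsSslCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $ServiceIdentity = 'NT SERVICE\adfssrv'
    )
    $null = Test-AdfsSslCertificate -Thumbprint $Thumbprint -ServiceIdentity $ServiceIdentity

    # Cmdlet equivalent of "Set Service Communication Certificate" in AD FS Management.
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
    # The HTTP.sys SSL binding, which replaced the old IIS binding.
    Set-AdfsSslCertificate -Thumbprint $Thumbprint
    Restart-Service -Name adfssrv

    # Confirm: every binding reported by Get-AdfsSslCertificate must carry the new hash.
    $bindings = Get-AdfsSslCertificate
    $stale = $bindings | Where-Object { $_.CertificateHash -ne $Thumbprint }
    if ($stale) {
        Write-Warning "Bindings on $env:COMPUTERNAME still using another certificate:"
        $stale | Format-Table HostName, PortNumber, CertificateHash -AutoSize | Out-Host
    } else {
        Write-Host "All HTTP.sys bindings on $env:COMPUTERNAME now use $Thumbprint"
    }
    return $bindings
}

# Usage (placeholder thumbprint):
# Update-AdfsSslCertificate -Thumbprint '0000000000000000000000000000000000000000'
```

Run Get-AdfsSslCertificate on every federation server afterwards, as the post says, and compare the CertificateHash column against the thumbprint you set; a node that still reports the old hash is the one to look at before you touch the proxies.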
Web Application Proxy (WAP)
Copy and import the new certificate into the machine Personal store on the Web Application Proxy/Proxies.
Switch the certificate on the Web Application Proxy with the "Install-WebApplicationProxy" or "Set-WebApplicationProxySslCertificate" cmdlet:
Install-WebApplicationProxy -FederationServiceName "your federation service name" -CertificateThumbprint "thumbprint"
Set-WebApplicationProxySslCertificate -Thumbprint "thumbprint"
NOTE! Do this on all of your WAP servers!
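The WAP step, as an added PowerShell example that is not part of the original post: it checks that the certificate and its private key were imported on the proxy, switches the binding with Set-WebApplicationProxySslCertificate, and reports the old and new thumbprints so a proxy that was skipped stands out. The function names, the placeholder server names and thumbprint, and the use of WinRM (Invoke-Command) to reach every proxy from one console are my assumptions.

```powershell
# Added example, not code from the original post. Run elevated on each WAP server,
# or use Invoke-WapSslCertificateUpdate to push it to a list of WAP servers over WinRM.
#Requires -RunAsAdministrator

function Update-WapSslCertificate {
    param([Parameter(Mandatory)] [string] $Thumbprint)
    Import-Module WebApplicationProxy

    # The proxy needs the same certificate, with its private key, in its own machine Personal store.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert)               { throw "$($env:COMPUTERNAME): certificate $Thumbprint is not imported." }
    if (-not $cert.HasPrivateKey) { throw "$($env:COMPUTERNAME): certificate $Thumbprint has no private key." }

    $before = Get-WebApplicationProxySslCertificate
    Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint
    $after  = Get-WebApplicationProxySslCertificate

    # Any binding still carrying another hash means the switch did not take on this proxy.
    $stale = $after | Where-Object { $_.CertificateHash -ne $Thumbprint }
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        OldThumbprint = (@($before.CertificateHash) | Select-Object -Unique) -join ','
        NewThumbprint = (@($after.CertificateHash)  | Select-Object -Unique) -join ','
        AllSwitched   = (-not $stale)
    }
}

function Invoke-WapSslCertificateUpdate {
    # Runs the update on every WAP server in the list and returns one row per server,
    # so a proxy that still has the old certificate shows up with AllSwitched = False.
    # Assumption: WinRM is enabled and you are an administrator on the proxies.
    param(
        [Parameter(Mandatory)] [string[]] $WapServers,   # placeholders, e.g. 'wap01','wap02'
        [Parameter(Mandatory)] [string]   $Thumbprint
    )
    Invoke-Command -ComputerName $WapServers `
                   -ScriptBlock ${function:Update-WapSslCertificate} `
                   -ArgumentList $Thumbprint |
        Select-Object Server, OldThumbprint, NewThumbprint, AllSwitched
}

# Usage (placeholder values):
# Invoke-WapSslCertificateUpdate -WapServers 'wap01','wap02' -Thumbprint '0000000000000000000000000000000000000000'
```

Keep the returned table: a row with AllSwitched = False, or a proxy missing from the list, is exactly the case the "do this on all of your WAP servers" note warns about, and clients that hit that proxy will still be offered the old certificate.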