Azure series: AD FS configuration management (Part 1)

How to update the AD FS certificate

Active Directory Federation Services (AD FS) 3.0 is included as a server role in Windows Server 2012 R2.

Active Directory Federation Services (AD FS) 4.0 is included as a server role in Windows Server 2016.

Certificates used by federation servers

Each federation server must have a server authentication certificate and a token-signing certificate before it can participate in AD FS communications. The trust policy requires an associated certificate, known as the verification certificate, which is the public key portion of the token-signing certificate.

Server authentication certificate

The federation server uses a Secure Sockets Layer (SSL) server authentication certificate to secure web services traffic when it communicates with web clients or with the federation server proxy. These certificates are typically requested and installed through the Internet Information Services (IIS) snap-in.

Token-signing certificate

Each federation server uses its token-signing certificate to digitally sign all the security tokens it produces. Because each security token is digitally signed by the account partner, the resource partner can verify that the security token was actually issued by the account partner and has not been modified. This helps prevent attackers from forging or modifying security tokens to gain unauthorized access to resources. If the account partner has more than one federation server, the digital signature is also used to verify the source and integrity of security tokens issued by the other federation servers in the account partner. The digital signature is verified using the verification certificate.

Replacing the SSL certificate of an AD FS farm

Typically, the SSL certificate for an AD FS farm comes from a trusted third-party CA such as DigiCert or VeriSign. It is a traditional SSL certificate, the same kind you would use to secure any IIS web server. You can use a single-name, Subject Alternative Name (SAN) or wildcard certificate, as long as it is valid for both internal and external clients and can be trusted by the AD FS endpoints. You can find more information about the certificate requirements here.

You can now use the Azure AD Connect tool to update the SSL certificate of an Active Directory Federation Services (AD FS) farm. Azure AD Connect is the preferred method for changing the SSL certificate.

Three simple steps are all it takes to update the SSL certificate on every federation server and Web Application Proxy (WAP) server in the AD FS farm:

  1. Provide the AD FS farm information

  2. Provide the new SSL certificate

  3. Select the servers to update

Prerequisites

  • AD FS farm: Make sure your AD FS farm is based on Windows Server 2012 R2 or later.

  • Azure AD Connect: Make sure your Azure AD Connect version is 1.1.553.0 or later. You will use the Update AD FS SSL certificate task.


Step 1: Provide the AD FS farm information

Azure AD Connect automatically attempts to obtain information about the AD FS farm in the following ways:

  1. By querying the farm information from AD FS (Windows Server 2016 or later).

  2. From information stored locally by Azure AD Connect during previous runs.

You can modify the displayed server list by adding or removing servers so that it reflects the current configuration of the AD FS farm. Once the server information is provided, Azure AD Connect displays the current connection state of each server and the state of its SSL certificate.


If a server no longer belongs to the AD FS farm, click Remove to remove it from the AD FS farm server list.


Note: Removing a server from the AD FS farm server list in Azure AD Connect is a local operation; it only updates the AD FS farm information that Azure AD Connect maintains locally. Azure AD Connect does not change the AD FS configuration to reflect the change.

Step 2: Provide the new SSL certificate

After the AD FS farm information is confirmed, Azure AD Connect asks for the new SSL certificate. Provide a password-protected PFX certificate to continue the installation.


After the certificate is provided, Azure AD Connect runs a series of pre-checks to ensure that the certificate is correct for the AD FS farm:

  • The subject name / subject alternative name of the certificate is the same as the Federation Service name, or the certificate is a wildcard certificate.

  • The certificate is valid for more than 30 days.

  • Certificate trust chain is valid.

  • Certificate is password protected.
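The same four pre-checks can be run against a candidate PFX before starting the Azure AD Connect task, so a rejected certificate is caught early. This is an added example, not code from the original post or from Azure AD Connect; it assumes the PKI module (Windows Server 2012 R2 or later) and that the Federation Service name passed in is the farm's real one (on a federation server it is `(Get-AdfsProperties).HostName`).

```powershell
# Added example, not from the original post: pre-checks on a candidate PFX that
# mirror the four validations Azure AD Connect performs in Step 2.
# Assumption: $FederationServiceName is the farm's Federation Service name
# (e.g. sts.contoso.com); on a federation server it is (Get-AdfsProperties).HostName.
function Test-AdfsSslPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $FederationServiceName,
        [int] $MinDaysRemaining = 30
    )
    $result = [ordered]@{}

    # 1. Password protected: the file must NOT open with an empty password.
    $emptyPassword = New-Object System.Security.SecureString
    try {
        Get-PfxData -FilePath $PfxPath -Password $emptyPassword -ErrorAction Stop | Out-Null
        $result.PasswordProtected = $false
    } catch { $result.PasswordProtected = $true }

    # Open with the real password (throws if it is wrong) and take the end-entity cert.
    $pfx  = Get-PfxData -FilePath $PfxPath -Password $Password -ErrorAction Stop
    $cert = $pfx.EndEntityCertificates[0]
    $result.HasPrivateKey = $cert.HasPrivateKey

    # 2. Subject CN or a SAN DNS entry equals the Federation Service name,
    #    or a wildcard entry covers it (one label only, e.g. *.contoso.com).
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @(($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    $fsn = $FederationServiceName.ToLowerInvariant()
    $result.NameMatches = [bool]($names | ForEach-Object { $_.ToLowerInvariant() } | Where-Object {
        $_ -eq $fsn -or
        ($_.StartsWith('*.') -and $fsn -match ('^[^.]+' + [regex]::Escape($_.Substring(1)) + '$'))
    })

    # 3. More than $MinDaysRemaining days of validity left.
    $result.ValidLongEnough = $cert.NotAfter -gt (Get-Date).AddDays($MinDaysRemaining)

    # 4. Chain builds to a trusted root; intermediates shipped in the PFX are offered to
    #    the builder. The default policy also checks revocation, so CRL/OCSP access is needed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    foreach ($extra in $pfx.OtherCertificates) { [void]$chain.ChainPolicy.ExtraStore.Add($extra) }
    $result.ChainValid  = $chain.Build($cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]$result
}
```

Run it as `Test-AdfsSslPfx -PfxPath C:\certs\sts.pfx -Password (Read-Host -AsSecureString 'PFX password') -FederationServiceName sts.contoso.com` (constructed path and name); any `$false` in the output is the same condition Azure AD Connect would reject.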

Step 3: Select the servers to update

In the next step, select the servers on which to update the SSL certificate. You cannot select an offline server for update.


Once the configuration is complete, Azure AD Connect displays a message indicating the update status and provides an option to verify AD FS sign-in.


  • Tip: Use the DigiCert SSL installation diagnostic tool to confirm that the certificate and any intermediate certificates are installed correctly. This tool can be used with certificates from any third-party CA, not just DigiCert.
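The same confirmation can be done from inside the farm, without an external diagnostic tool: check on each federation server that the 443 binding now carries the new thumbprint and that the chain, including intermediates, builds from that server's own certificate store. This is an added example, not code from the original post or from Azure AD Connect; it assumes WinRM access to the federation servers, the ADFS and PKI modules on them, and that `$NewThumbprint` is the thumbprint of the certificate supplied in Step 2.

```powershell
# Added example, not from the original post: after Step 3, confirm on every AD FS
# server that the SSL binding uses the new certificate and that its chain validates
# locally. Assumes WinRM access and that $NewThumbprint is the new certificate's thumbprint.
function Confirm-AdfsSslRollout {
    param(
        [Parameter(Mandatory)] [string[]] $AdfsServer,
        [Parameter(Mandatory)] [string] $NewThumbprint
    )
    Invoke-Command -ComputerName $AdfsServer -ArgumentList $NewThumbprint -ScriptBlock {
        param($expected)
        $fsn = (Get-AdfsProperties).HostName
        # AD FS keeps one binding per host name and port; the 443 binding for the
        # Federation Service name is the one clients and the WAP servers use.
        $binding = Get-AdfsSslCertificate |
            Where-Object { $_.HostName -eq $fsn -and $_.PortNumber -eq 443 } |
            Select-Object -First 1
        $cert = Get-Item ("Cert:\LocalMachine\My\" + $binding.CertificateHash)
        # Test-Certificate builds the chain from this server's local store, so a missing
        # intermediate on this particular server shows up as ChainValid = False.
        $chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $fsn -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server          = $env:COMPUTERNAME
            BoundThumbprint = $binding.CertificateHash
            IsNewCert       = ($binding.CertificateHash -eq $expected)
            NotAfter        = $cert.NotAfter
            ChainValid      = [bool]$chainOk
        }
    } | Format-Table -AutoSize
}
```

Example call with constructed values: `Confirm-AdfsSslRollout -AdfsServer adfs01,adfs02 -NewThumbprint <new certificate thumbprint>`; for WAP servers the binding comes from `Get-WebApplicationProxySslCertificate` instead of `Get-AdfsSslCertificate`.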

Azure series: AD FS configuration management (Part 2)


Source: blog.51cto.com/djclouds/2475202