Part 3 – Update Active Directory Federation Services 3.0 & Web Application Proxy (SSL) certificates

This blog series explains how to update Active Directory Federation Services (ADFS) and Web Application Proxy (WAP) certificates. In part 1 we covered the process of updating the ADFS certificates. In part 2 we covered the process of updating the Web Application Proxy (WAP) certificates.

In this last part, part 3, we cover the process of updating the certificates of the web applications published through WAP. Here you can read how.

  • First, you have to import the new certificate into the Computer’s Personal store. When WAP runs in an NLB configuration the certificate must be installed on every node of that NLB cluster.
  • Next, you’ll need the thumbprint of that certificate. Sure, you could copy it from the certificate details in the GUI, delete all the spaces and convert the letters to uppercase, but since we’re going to need PowerShell anyway, we might as well use it to get the info we need:

Get-ChildItem -Path cert:\LocalMachine\My\ | select Subject, FriendlyName, Thumbprint | Format-List

  • You should get a nice, easy to read list of the certs in the Computer’s Personal store. If the Subject or Friendly name is appropriately descriptive you should be able to find your cert. Copy the conveniently formatted Thumbprint.


  • The next step is to figure out the name of the published application(s) whose certificate must be updated. This varies with the number of published applications and the type of certificate(s) in use (single name, multi-domain (UCC) or wildcard). You may use a dedicated single name certificate for one web application, or a multi-domain/wildcard certificate for multiple published applications.


Get-WebApplicationProxyApplication


  • Once you have identified the published web application, in this example NDES, verify the certificate currently mapped to the NDES published web application:

Get-WebApplicationProxyApplication | Where-Object {$_.Name -like "NDES"} | fl


  • The next step is updating the certificate mapped to the NDES web application:

Get-WebApplicationProxyApplication | Where-Object {$_.Name -like "NDES"} | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint FF2D1093C4ACD54583C6DC6AF722C54718AF7E24

  • Verify that the application now shows the new ExternalCertificateThumbprint:

Get-WebApplicationProxyApplication | Where-Object {$_.Name -like "NDES"} | fl
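The steps above, rolled into one script, as an added example that is not part of the original post. It goes a little further than the NDES case: instead of updating one application by name, it finds every published application that still uses the old thumbprint (the usual situation with a shared wildcard or multi-domain certificate), checks that the new certificate is currently valid, has its private key on this node and covers each application’s external host name, and then updates and verifies them in one pass. It assumes it runs in an elevated PowerShell on a WAP server; $OldThumbprint and $NewCertSubject are placeholders, and the DnsNameList property is the one the Windows PowerShell Cert: provider adds to certificate objects.

```powershell
# Added example: rotate the external certificate on every published WAP application
# that still uses the expiring certificate. Assumes an elevated session on the WAP
# server with the WebApplicationProxy module available. Placeholders below are yours
# to replace.
Import-Module WebApplicationProxy

$OldThumbprint  = '<old certificate thumbprint>'   # placeholder
$NewCertSubject = 'CN=*.contoso.example'           # placeholder: subject of the new cert

# Locate the new certificate in the Computer's Personal store and make sure it is usable:
# currently valid and with its private key present on this node (on an NLB cluster this
# script has to run on every node).
$newCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $NewCertSubject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $newCert) { throw "No certificate with subject '$NewCertSubject' in LocalMachine\My" }
if (-not $newCert.HasPrivateKey) { throw "Certificate $($newCert.Thumbprint) has no private key on this node" }
$now = Get-Date
if ($newCert.NotBefore -gt $now -or $newCert.NotAfter -le $now) {
    throw "Certificate $($newCert.Thumbprint) is not valid right now ($($newCert.NotBefore) - $($newCert.NotAfter))"
}

# Does the new certificate cover a given host name? Exact SAN match, or a wildcard SAN
# covering exactly one leading label (X.509 wildcard semantics, narrower than -like).
function Test-CertCoversHost {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    foreach ($san in $Cert.DnsNameList.Unicode) {
        if ($san -eq $HostName) { return $true }
        if ($san.StartsWith('*.')) {
            $labels = $HostName.Split('.')
            if ($labels.Count -ge 2 -and (($labels[1..($labels.Count - 1)] -join '.') -eq $san.Substring(2))) {
                return $true
            }
        }
    }
    return $false
}

# Every published application still mapped to the old thumbprint, handled in one pass.
$apps = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalCertificateThumbprint -eq $OldThumbprint }

if (-not $apps) { Write-Warning "No published application uses thumbprint $OldThumbprint"; return }

foreach ($app in $apps) {
    $extHost = ([Uri]$app.ExternalUrl).Host
    if (-not (Test-CertCoversHost -Cert $newCert -HostName $extHost)) {
        # Binding a certificate that does not cover the external host would break TLS for
        # that application, so skip it and let an admin pick the right certificate.
        Write-Warning "Skipping '$($app.Name)': $extHost is not covered by $($newCert.Thumbprint)"
        continue
    }
    Write-Host "Updating '$($app.Name)' ($($app.ExternalUrl)) -> $($newCert.Thumbprint)"
    $app | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint $newCert.Thumbprint
}

# Verify: which thumbprint does each published application use now?
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, ExternalCertificateThumbprint |
    Format-Table -AutoSize
```

The script deliberately skips, rather than updates, any application whose external host is not in the new certificate’s SAN list; a mismatch there is exactly the kind of error that only surfaces as browser certificate warnings after the old certificate has expired.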


Publish web applications with PowerShell

  • As mentioned before, the Web Application Proxy (WAP) has a limited GUI for operational tasks like publishing/removing web applications. As always PowerShell is at your service, this time through the WebApplicationProxy module, which includes 12 commands.


  • Publishing a web application can easily be done with the following example commands:

#Publish Web Application using Passthrough Authentication
$WAPAppName = "<Web Application Name>"
$ExternalURL = "https://blog.scug.nl"
$BackEndServerURL = "https://blog.scug.nl"
$cert = "<Certificate Thumbprint>"

# PassThrough does not use AD FS pre-authentication, so no relying party name is given here
# (-ADFSRelyingPartyName and -UseOAuthAuthentication belong to the ADFS example below)
Add-WebApplicationProxyApplication -Name $WAPAppName -ExternalURL $ExternalURL -ExternalCertificateThumbprint $cert -BackendServerUrl $BackEndServerURL -ExternalPreauthentication PassThrough -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None

#Publish Web Application using ADFS Pre-Authentication
$WAPAppName = "<Web Application Name>"
$ExternalURL = "https://blog.scug.nl"
$BackEndServerURL = "https://blog.scug.nl"
$cert = "<Certificate Thumbprint>"
$RP = "<Relying Party Name>"

Add-WebApplicationProxyApplication -Name $WAPAppName -ExternalURL $ExternalURL -ExternalCertificateThumbprint $cert -BackendServerUrl $BackEndServerURL -ExternalPreauthentication ADFS -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None -ADFSRelyingPartyName $RP -UseOAuthAuthentication
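A publishing script with the checks I would want around those one-liners, as an added example that is not part of the original post. It publishes behind ADFS pre-authentication, refuses to publish twice under the same name or external URL, confirms the certificate is actually installed on this node before referencing its thumbprint, and uses BackendServerCertificateValidation ValidateCertificate instead of None so WAP verifies the backend’s TLS certificate. All values are placeholders; it assumes the relying party trust already exists on the AD FS farm and that the backend certificate chains to a CA the WAP server trusts.

```powershell
# Added example: publish a backend application behind AD FS pre-authentication with
# preflight checks and backend certificate validation enabled. Assumes it runs on the
# WAP server; every value below is a placeholder.
Import-Module WebApplicationProxy

$WAPAppName       = 'Intranet Portal'                       # placeholder
$ExternalURL      = 'https://portal.contoso.example/'       # placeholder
$BackEndServerURL = 'https://portal.corp.contoso.example/'  # placeholder
$CertThumbprint   = '<Certificate Thumbprint>'              # placeholder
$RelyingParty     = 'Intranet Portal RP'                    # placeholder: AD FS relying party trust name

# Refuse to publish twice under the same name or external URL. WAP would error out
# anyway, but checking first gives a clear message and lets a script decide what to do.
$existing = Get-WebApplicationProxyApplication | Where-Object {
    $_.Name -eq $WAPAppName -or $_.ExternalUrl.TrimEnd('/') -eq $ExternalURL.TrimEnd('/')
}
if ($existing) { throw "'$($existing.Name)' is already published at $($existing.ExternalUrl)" }

# The thumbprint must point at a certificate that is installed in LocalMachine\My here.
if (-not (Test-Path -Path "Cert:\LocalMachine\My\$CertThumbprint")) {
    throw "Certificate $CertThumbprint is not in LocalMachine\My on this server"
}

$params = @{
    Name                          = $WAPAppName
    ExternalUrl                   = $ExternalURL
    ExternalCertificateThumbprint = $CertThumbprint
    BackendServerUrl              = $BackEndServerURL
    # ADFS pre-authentication: unauthenticated requests never reach the backend.
    ExternalPreauthentication     = 'ADFS'
    ADFSRelyingPartyName          = $RelyingParty
    # ValidateCertificate instead of None: WAP checks the backend's TLS certificate, so
    # a rogue host on the backend path cannot impersonate the application.
    BackendServerCertificateValidation         = 'ValidateCertificate'
    ClientCertificateAuthenticationBindingMode = 'None'
}
Add-WebApplicationProxyApplication @params

# Verify the result the same way the post does for NDES.
Get-WebApplicationProxyApplication |
    Where-Object { $_.Name -eq $WAPAppName } |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
                ADFSRelyingPartyName, ExternalCertificateThumbprint, BackendServerCertificateValidation
```

If the backend uses a certificate from an internal CA, import that CA into the WAP server’s Trusted Root store first; with ValidateCertificate, an untrusted backend certificate shows up as the published application failing after publishing, not as an error from Add-WebApplicationProxyApplication.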
