Hi,
I’ve used Certifytheweb on several IIS webservers and it works great. Now I’d like to use it on my ADFS server. It’s still running on a Windows Server 2012 R2 so ADFS is not based on IIS. Still I’ve installed IIS on this machine, so I could use Certifytheweb and get a new SSL certificate installed in IIS.
However that’s not the end of the procedure since it also requires the configuration of the certificate in ADFS itself via Powershell. You need to find the thumbprint of the new certificate and then run the following command : Set-AdfsSslCertificate -Thumbprint xxxxx…
I’d like to automate these last steps so that the renewal procedure becomes completely automated, starting with Certifytheweb requesting a new certificate on expiry, and a running a script that finds the thumbprint and setting it in adfs.
By default we pass in a parameter to your script which is an object containing useful information like the certificate path, thumbprint etc. So it sounds like you would need:
param($result)
# set certificate thumbprint for Adfs
Set-AdfsSslCertificate -Thumbprint $result.ManagedItem.CertificateThumbprintHash
You don’t strictly need IIS installed as Certify The Web has a built in http-challenge server which will temporarily bind to port 80 listening for /.well-known/acme-challenge/ requests during validation.
Hi Christopher,
Thanks for the reply. Setting up a PowerShell script likely make it work.
However I came across another challenge with ADFS server : it intercepts all http and https requests to the ADFS logon page that we put it place. So the Certifytheweb client cannot validate by using http, because it cannot connect to the IIS default website where the challenge file is created. Also the built in http-challenge server doesn’t help to correct the problem either : all validation request get redirected to ADFS.
Do you know how to make this work ?
Thanks
Joeri
Sorry I don’t really know anything about ADFS or how it is configured.
As you say the built in http challenge server should solve the problem without needing IIS, unless it’s prevented from doing so (i.e. something else that doesn’t use http.sys like apache or nginx is consuming port 80, or ADFS has it’s own http listener that is consuming all requests).
If it’s too difficult to get http validation working you can switch to DNS validation (under Authorization), ither using a supported DNS API or by scripting the API updates yourself (https://docs.certifytheweb.com/docs/dns-scripting.html)
When the script runs it will run as Local System ( the background service user) so that may(?) be affecting the ability to run the Adfs command, the other possibility is that you may need your script to import a module before running the command. You mentioned that the command is not executed, but presumably you don’t get an error which implies that it is getting executed but it’s not doing anything (or you have to restart the server for it to take effect?).
I had another look at this problem and in the CertifyTheWeb logs there is following message : Set-AdfsCertificate: The specified directory service attribute or value does not exist.
However when I run the command manually it works. I found other similar scripts on Google that use the same commands to change the adfs certificate. No import modules or Add-PSSnapIn is used in those scripts, so that confirms that I haven’t forgotten anything to include.
So it must be that is runs with Local System, which doesn’t seem to have the ability to run Set-AdfsCertificate. I’m quite new to PowerShell so can you tell me how I can run this script with local admin rights ?
Thanks
I had exactly the same problem / " value does not exist" error message above - because CertifyTheWeb indeed runs as LocalSystem it won’t let you run the powershell command.
I did try changing the Certify service to run as a Domain Administrator but this also caused problems.
To fix I did the following:
Certify runs the following powershell post script: