Windows 10: Cannot Replace Existing ADFS Communications Cert

I'm currently trying to replace my soon to expire ADFS communication cert with the Powershell commandSet-Adfssslcertificate and using a thumbprint from a cert that's already been installed on the server. However I keep getting this error.The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:00'.I haven't been able to find anything helpful in event viewer. It just stops the service right after I run the command and I have to manua

:)

 

ADFS and renew Service-Communication certificat

My Problem is to renew the Service Communication Cert

I use adfs 3.0

language german

I already did that:

1. install the new cert under my computer with privat key and set full rights for the serviceaccount of adfs
2. execute Set-AdfsCertificate -CertificateType "Service-Communications" -Thumbprint
   1. I get the Error:
   et-AdfsCertificate : PS0022: Es wurde kein Zertifikat für den Verweis mit StoreName "My", StoreLocation "LocalMachine", FindType
   
   "FindByThumbprint" und FindValue
3. i reboot the System --> no success
4. i refer the thumbprint --> is correct
5. the cert is also on the correct store

any ideas?

 

SHA1 to SHA256 - Existing certs

Hi there,

I am working on a migration of our Win2K8 workloads and one of these is our CA. I have seen lots of great KB articles about migrating from SHA1/ CSP to SHA2556 (KSP), but what I am not sure about is what happens to existing certs such as those issues to
domain workstations/ servers, local web servers, services, etc.

My plan is to spin up a new Win2K16 box, import the CA functions to this and upgrade to KSP but some of the questions I have around this are:

1. Will this impact these existing services, etc?
2. Is there a way to determine all the workloads that have been issued or are using a cert from the current CA?
3. Can I run two CAs side by side for a phased migration?

 

Recommendation: Load balancer for ADFS environment?

We want to put in ADFS for our current network to support about 30K authenticated users, currently to start off just for sharepoint application, but potentially will support other application/ users as well.

Looking for recommendation on whether we should go with virtual or hardware based Load Balancer, and
which vendor of LB that people tend to adopt for their ADFS and WAP servers? Imagine we'll need to get the LB that can support Layer 7

Here is how we are currently spec'ed out so far:

• 2 WAP servers (Win2016) sit behind a LB and all on DMZ
• 2 ADFS servers (Win2016) sit behind another LB and all on Internal network
• DC server is on Internal network as well

----

Can anyone explain how the traffic/federation process goes (step by step) when user access the website from the internet (please include how request is being passed/redirect between webserver, WAP, ADFS, and DC servers)

Thanks!