
Steps for Renewing ADFS 3.0 Certificate

The following steps should be performed when the SSL certificate on your ADFS 3.0 (Windows Server 2012 R2) server is close to expiring…

Preliminary Steps

  1. Make sure you know the username and password for the main domain.onmicrosoft.com Administrator account. Use a cloud-only Global Administrator account: a federated account cannot sign in if the federation settings you are about to update are broken.
  2. Install the new certificate, with its private key, into the Local Computer Personal store (cert:\LocalMachine\My) on the ADFS Server.  If you have a primary and secondary ADFS Server, make sure to install the certificate on both servers (and on any Web Application Proxy server that fronts them).

PowerShell Commands

  1. Launch the standard “blue” Windows PowerShell console on the primary ADFS Server as an Administrator.  The ADFS cmdlets are available once the ADFS role is installed.
  2. Run “Get-ChildItem -Path cert:\LocalMachine\My” to list the certificates in the Local Computer Personal store.  The store still contains the expiring certificate, so identify the new one by its Subject and NotAfter date rather than by position in the list, and make a note of its Thumbprint value.
  3. Run “Set-AdfsSslCertificate -Thumbprint Thumbprint” where Thumbprint is the value from Step 2.  This updates the HTTPS binding.  The service communications certificate is a separate ADFS setting (“Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint Thumbprint”) and should be pointed at the same certificate; the ADFS service account needs Read access to its private key.
  4. Run “Update-AdfsCertificate –Urgent” only if the token-signing and token-decrypting certificates are also due.  This cmdlet does not touch the SSL certificate: it rolls the signing and decrypting certificates immediately (and requires automatic certificate rollover to be enabled), which changes the federation metadata that Office 365 and every other relying party depends on.  If you do run it, Step 6 is mandatory.
  5. Run “Connect-MsolService” (Azure Active Directory / MSOnline PowerShell module) and enter the Office 365 credentials from Step 1 in the Preliminary Steps section.
  6. Run “Update-MsolFederatedDomain -DomainName “domain.com”” where domain.com is the federated domain name.  This publishes the current ADFS federation metadata to Office 365.  If the domains were federated with “-SupportMultipleDomain”, you must include that switch here as well.
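The PowerShell steps above as one script, with verification, is an added example and not part of the original post. It assumes ADFS 3.0 on Windows Server 2012 R2, that the new certificate and its private key are already in cert:\LocalMachine\My on every ADFS server, that the federation service name is sts.domain.com and the federated domain is domain.com (both placeholders), and that the ADFS and MSOnline modules are installed. Run it in an elevated Windows PowerShell on the primary ADFS server.

```powershell
# Added example, not from the original post. Placeholders: sts.domain.com, domain.com.
$FederationServiceName = 'sts.domain.com'   # assumption: your federation service FQDN
$FederatedDomain       = 'domain.com'        # assumption: the federated Office 365 domain
$SupportMultipleDomain = $false              # $true if the domains were federated with -SupportMultipleDomain

# Select the newest unexpired certificate with a private key that covers the
# federation service name, instead of copying a thumbprint by eye from the list.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (
            $_.Subject -like "*CN=$FederationServiceName*" -or
            (($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $FederationServiceName)
        )
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $FederationServiceName in Cert:\LocalMachine\My" }
"Using thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# ADFS 3.0 has two settings that reference this certificate: the HTTPS binding
# in HTTP.sys and the service communications certificate in the ADFS config.
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
# The ADFS service account must be able to read the private key (certlm.msc ->
# Manage Private Keys) or the service will not start with the new certificate.
# If a Web Application Proxy fronts ADFS, import the certificate there and run
# Set-WebApplicationProxySslCertificate -Thumbprint <thumbprint> on the proxy.

Restart-Service adfssrv

# Confirm both settings now point at the new thumbprint.
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
Get-AdfsCertificate -CertificateType Service-Communications | Select-Object Thumbprint, IsPrimary

# Update-AdfsCertificate -Urgent rolls the token-signing and token-decrypting
# certificates, not the SSL certificate. Run it only if those are due as well
# (it requires AutoCertificateRollover to be enabled); left commented out here.
# Update-AdfsCertificate -Urgent

# Publish the current federation metadata to Office 365 using the cloud-only
# *.onmicrosoft.com administrator (prompted for interactively).
Connect-MsolService
$params = @{ DomainName = $FederatedDomain }
if ($SupportMultipleDomain) { $params.SupportMultipleDomain = $true }
Update-MsolFederatedDomain @params

# Finally, check what the service actually presents on port 443.
$tcp = New-Object Net.Sockets.TcpClient($FederationServiceName, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($FederationServiceName)
$live = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()
if ($live.Thumbprint -eq $cert.Thumbprint) { "Served certificate matches $($live.Thumbprint)" }
else { Write-Warning "Served $($live.Thumbprint) but expected $($cert.Thumbprint); check the binding and restart" }
```

The final TCP check is deliberately done from the outside rather than by trusting the cmdlet output: a stale HTTP.sys binding or a proxy still holding the old certificate shows up there and nowhere else.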

Restart Services

  1. Restart the “Active Directory Federation Services” service (adfssrv) on each ADFS server.
  2. Sign in with a federated account and verify the certificate warning is gone.  Check the certificate the browser shows for the sign-in page and confirm its thumbprint and expiry date belong to the new certificate, not the old one.

Reset ADFS IIS Permissions

If you receive the error “Not Authorized: HTTP Error 401. The requested resource requires user authentication” when trying to connect to your ADFS Server from inside the network, here’s what you need to do to reset the authentication settings in IIS… (This applies to ADFS 2.x, which is hosted in IIS; ADFS 3.0 runs on HTTP.sys and has no IIS site to configure.)

  1. Launch the IIS Management Console and browse to the Default Web Site.
  2. Disable all Authentication options for the Default Web Site as well as the adfs and adfs/ls virtual directories.
  3. Enable Windows Authentication on the Default Web Site.  Set Extended Protection to “Accept”.  “Accept” validates the channel-binding token from clients that send one while still admitting clients that cannot; “Require” enforces it for everyone and locks out browsers without Extended Protection support.
  4. Enable Anonymous Authentication on the adfs virtual directory (federation metadata and the other unauthenticated endpoints live here).
  5. Enable Windows Authentication on the adfs/ls virtual directory.  Set Extended Protection to “Accept”.
  6. Run an IISRESET.
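The same reset as a script, so it can be applied identically on both ADFS servers, is an added example and not part of the original post. It applies to IIS-hosted ADFS 2.x only, and assumes the default site and virtual directory names (“Default Web Site”, “adfs”, “adfs/ls”) and the WebAdministration module that ships with IIS 7.5 and later.

```powershell
# Added example, not from the original post. Assumes ADFS 2.x under IIS with the default paths.
Import-Module WebAdministration

$AuthFilter = 'system.webServer/security/authentication'
$Site       = 'Default Web Site'
$Paths      = $Site, "$Site/adfs", "$Site/adfs/ls"
$Schemes    = 'anonymousAuthentication', 'basicAuthentication',
              'digestAuthentication', 'windowsAuthentication'

function Set-Auth {
    param([string]$Location, [string]$Scheme, [bool]$Enabled)
    # Write to the <location> tags in applicationHost.config (IIS:\ plus -Location);
    # the authentication sections are locked against web.config overrides by default,
    # which is why editing them from the site's web.config fails.
    # Schemes whose role service is not installed have no section; skip them quietly.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthFilter/$Scheme" -Name enabled -Value $Enabled -ErrorAction SilentlyContinue
}

function Set-ExtendedProtection {
    param([string]$Location, [ValidateSet('None', 'Allow', 'Require')][string]$Mode)
    # IIS Manager's "Accept" is tokenChecking="Allow": a client that sends a
    # channel-binding token is checked against it, a client that cannot is still let in.
    # "Require" would reject every client that does not supply one.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthFilter/windowsAuthentication/extendedProtection" -Name tokenChecking -Value $Mode
}

# Step 2: disable everything at the site and at both virtual directories.
foreach ($loc in $Paths) {
    foreach ($s in $Schemes) { Set-Auth -Location $loc -Scheme $s -Enabled $false }
}

# Step 3: Default Web Site gets Windows Authentication with Extended Protection "Accept".
Set-Auth -Location $Site -Scheme windowsAuthentication -Enabled $true
Set-ExtendedProtection -Location $Site -Mode Allow

# Step 4: /adfs stays anonymous so metadata and the unauthenticated endpoints are reachable.
Set-Auth -Location "$Site/adfs" -Scheme anonymousAuthentication -Enabled $true

# Step 5: /adfs/ls (the sign-in pages) gets Windows Authentication with "Accept".
Set-Auth -Location "$Site/adfs/ls" -Scheme windowsAuthentication -Enabled $true
Set-ExtendedProtection -Location "$Site/adfs/ls" -Mode Allow

# Step 6.
iisreset

# Read the effective settings back so a typo in a path shows up now, not at the next 401.
foreach ($loc in $Paths) {
    foreach ($s in $Schemes) {
        $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
                 -Filter "$AuthFilter/$s" -Name enabled -ErrorAction SilentlyContinue
        if ($v) { '{0,-26} {1,-24} enabled={2}' -f $loc, $s, $v.Value }
    }
}
```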

To set up your browser to automatically authenticate you while connected to the internal network, do the following.  The automatic logon setting only applies to sites in the Local intranet zone, so the ADFS federation service name (for example sts.domain.com) must be in that zone, either by intranet auto-detection or by adding it under Local intranet > Sites > Advanced…

  1. Open Internet Options in IE and click on the Security tab
  2. Click Local intranet
  3. Click Custom level
  4. Under the User Authentication section enable “Automatic logon with current user name and password” (“Automatic logon only in Intranet zone”, the default for this zone, is equivalent here and the narrower choice)
  5. Click on the Advanced tab
  6. Under the Security section enable “Enable Integrated Windows Authentication” (this one takes effect after IE is restarted)
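The same browser settings written directly to the current user’s registry, including the zone mapping the GUI walk-through leaves implicit, is an added example and not part of the original post. It assumes the federation service host is sts.domain.com (placeholder) and is meant for a machine where the settings are not already managed by Group Policy (policy values under HKLM/HKCU\Software\Policies win over these).

```powershell
# Added example, not from the original post. sts.domain.com is a placeholder.
$StsHost   = 'sts'          # assumption: host part of the federation service name
$StsDomain = 'domain.com'   # assumption: domain part
$IS = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Map https://sts.domain.com into zone 1 (Local intranet) without touching other
# zone assignments. Value name = scheme, DWORD value = zone number.
$map = Join-Path $IS "ZoneMap\Domains\$StsDomain\$StsHost"
New-Item -Path $map -Force | Out-Null
New-ItemProperty -Path $map -Name https -Value 1 -PropertyType DWord -Force | Out-Null

# Security tab > Local intranet > Custom level > User Authentication > Logon.
# Registry value 1A00 in Zones\1:
#   0x00000  Automatic logon with current user name and password (what the post selects)
#   0x10000  Prompt for user name and password
#   0x20000  Automatic logon only in Intranet zone (IE default for zone 1)
#   0x30000  Anonymous logon
Set-ItemProperty -Path (Join-Path $IS 'Zones\1') -Name '1A00' -Value 0 -Type DWord

# Advanced tab > Security > "Enable Integrated Windows Authentication".
# Needs an IE restart to take effect.
Set-ItemProperty -Path $IS -Name EnableNegotiate -Value 1 -Type DWord

# Read the three settings back.
[pscustomobject]@{
    IntranetZoneMapping = (Get-ItemProperty -Path $map -Name https).https
    Zone1Logon          = '0x{0:X}' -f (Get-ItemProperty -Path (Join-Path $IS 'Zones\1') -Name '1A00').'1A00'
    EnableNegotiate     = (Get-ItemProperty -Path $IS -Name EnableNegotiate).EnableNegotiate
}
```

Keep the zone mapping as narrow as the single federation host; adding a whole parent domain to Local intranet turns automatic credential forwarding on for every server in it.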

More information on this can be found at the following Office 365 Forum post…