ADFS and WAPSSL Administration

Introduction


Active Directory Federation Services (ADFS) provides single sign-on across organisations and systems, and lets you use your own Active Directory login to access resources outside your own organisation.

Web Application Proxy (WAP) is a service on the Remote Access server that gives access to internal web applications while the client is on an external network; it uses ADFS to validate the login.

It is easiest to have the certificate in .PFX format, as the certificate needs to be installed on multiple servers.

You can get the certificate in .PFX format either by using our CSR-service, or by exporting the certificate to a .PFX backup from the MMC console once it is installed.

Start by installing the certificate on all the servers, both the ADFS and WAP servers.

Then follow Installation on ADFS.

Finally follow Installation on WAP.


Exporting the certificate to .PFX backup


  1. Login to the server with an administrator account.

  2. Press Windows key + R.

Enter mmc.exe

Press OK.

  3. Under File click Add/Remove Snap-in.

  4. Select Certificates.

Click Add.

  5. Select Computer account.

Click Next.

  6. Select Local computer.

Click Finish.

  7. Expand the folder tree until Certificates becomes visible under Personal and select it.

Right click the certificate you wish to export.

Select All Tasks.

Click Export.

  8. Select Yes, export the private key.

Click Next.

  9. Select Personal Information Exchange - PKCS #12 (.PFX).

Click Next.

  10. Tick the Password: checkbox and enter a password to protect the .PFX file with (remember to store the password in a safe location).

Click Next.

  11. Select a place to export the .PFX file to, and give it a name so it is easy to remember what it is for.

Click Next.

Click Finish.


Installation of certificate via import of .PFX file


  1. Login to the server with an administrator account.

Save the received .PFX file in a location where it is easy to find, e.g. the desktop.

  2. Press Windows key + R.

Enter mmc.exe

Click OK.

  3. Under File click Add/Remove Snap-in.

  4. Select Certificates.

Click Add.

  5. Select Computer account.

Click Next.

  6. Select Local computer.

Click Finish.

  7. Expand the folder tree until Personal becomes visible.

Right click Personal.

Select All Tasks.

Click Import.

  8. Click Browse and find the location where you have saved the .PFX file.

  9. Change the file type to Personal Information Exchange (*.pfx;*.p12) in the bottom right corner and select the correct file.

Click Open.

Click Next.

  10. If the file is protected by a password (the default) you will be prompted to type it in here.

If you have used the CSR-service, the password is the code you received by SMS.

Click Next.

  11. Select Automatically select the certificate store based on the type of certificate.

Click Next.

Click Finish.


Installation on ADFS


  1. Login to the primary ADFS server with an administrator account.

  2. Open PowerShell as administrator.

  3. Run the following command to see all installed certificates (note the Thumbprint of the new certificate):

dir Cert:\LocalMachine\My\

  4. Run the following command to use the new certificate, replacing <thumbprint> with the thumbprint noted in step 3:

Set-AdfsSslCertificate -Thumbprint <thumbprint>

  5. Run the following command to check that the certificate has been applied correctly:

Get-AdfsSslCertificate

  6. If the ADFS servers run Windows Server 2016 or later, the primary server automatically applies the change to the secondary servers. If they run Server 2012, steps 1 through 5 need to be performed on every secondary server individually.


Installation on WAP


  1. Login to the WAP server with an administrator account.

  2. Open PowerShell as administrator.

  3. Run the following command to use the new certificate, replacing <thumbprint> with the thumbprint of the new certificate (shown by dir Cert:\LocalMachine\My\):

Set-WebApplicationProxySslCertificate -Thumbprint <thumbprint>

  4. Run the following command to check that the certificate has been applied correctly:

Get-WebApplicationProxySslCertificate

  5. Steps 1 through 5 need to be repeated on all WAP servers.
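The ADFS and WAP steps above, combined into one script as an added example (not part of the original guide): it looks the certificate up by thumbprint in Cert:\LocalMachine\My, refuses to continue if the private key is missing or the certificate is outside its validity period, applies it with the Set- cmdlet for the chosen role and then checks every binding reported by the matching Get- cmdlet. It assumes an elevated PowerShell session on the server itself and that the Get- cmdlets return objects with HostName, PortNumber and CertificateHash properties.

```powershell
# Added example, not from the original guide. Run on the ADFS or WAP server as administrator:
#   .\Set-FederationSslCert.ps1 -Role ADFS -Thumbprint <thumbprint from dir Cert:\LocalMachine\My\>
param(
    [Parameter(Mandatory = $true)][ValidateSet('ADFS', 'WAP')][string]$Role,
    [Parameter(Mandatory = $true)][string]$Thumbprint
)

# Thumbprints copied from the MMC details pane often carry spaces or colons; normalise them.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My. Import the .PFX first."
}
# A .PFX exported without 'Yes, export the private key' imports fine but cannot serve TLS.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key. Re-export the .PFX with the private key."
}
$now = Get-Date
if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
    throw "Certificate $Thumbprint is not valid right now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}
Write-Host "Applying $($cert.Subject), expires $($cert.NotAfter), to $Role"

switch ($Role) {
    'ADFS' {
        Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
        $bindings = Get-AdfsSslCertificate
    }
    'WAP' {
        Set-WebApplicationProxySslCertificate -Thumbprint $cert.Thumbprint
        $bindings = Get-WebApplicationProxySslCertificate
    }
}

# Both Get- cmdlets list one entry per hostname:port binding (assumed property names:
# HostName, PortNumber, CertificateHash). Every binding must now carry the new thumbprint.
$stale = $bindings | Where-Object { $_.CertificateHash -ne $cert.Thumbprint }
if ($stale) {
    $stale | Format-Table HostName, PortNumber, CertificateHash -AutoSize
    throw "Some bindings still reference a different certificate."
}
$bindings | Format-Table HostName, PortNumber, CertificateHash -AutoSize
Write-Host "All $Role SSL bindings now use $($cert.Thumbprint)."
```

On Server 2012 ADFS farms and on every WAP server the script has to be run on each machine, exactly as the manual steps above require.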