Service communications certificate not found in store

Question

I was having some problems with the original SSL Certificate that I created and bound to IIS, therefore, I deleted it and re-created it.

However, I had earlier used the certificate while configuring the ADFS 2.0 service and now when I look under the Certificates area for Service communications, I see the error message "Certificate not found in store" beneath the Service communications heading.

Now that I have installed the new certificate, I want to set the new Service communications certificate, however, when I click on the option for "Set Service Communications Certificate", I get the following error message "The certificate could not be processed.  Error message: Object reference not set to an instance of an object."

Is there a way for me to set the new Service Communications certificate for ADFS either through the UI or through a PowerShell command?  I have already configured everything in SharePoint to work with my ADFS Server, so I would hate to have to start all over from scratch again.

Please advise.

Answer 1

Yes - you can using PowerShell - see the overview here.

You need something like:

Add-ADFSCertificate -CertificateType "Service-Communications" -Thumbprint ‎fedd995b45e...   
Full description here                     

Answer 2

This is the error message that I get when I attempt to run this command:

Add-ADFSCertificate : Cannot validate argument on parameter 'CertificateType'. The argument "Service-Communications" does not belong to the set
 "Token-Decrypting,Token-Signing" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.

Any other ideas?

Answer 3

Hello!

I also recently encountered with this problem. The only thing that helped me is reinstalling ADFS service (Uninstall from Server, restart, Install again). I have set up ADFS again, and only after this certificate has appeared.

---

Dmitry

Answer 4

I can confirm that the above is correct (" ... The only thing that helped me is reinstalling ADFS service (Uninstall from Server, restart, Install again). I have set up ADFS again, and only after this certificate has appeared.).

I have tried before the option with the Powershell command as I simply wanted to avoid the extra time to demolish the AD FS 2.0 installation but it simply did not work (same error message as above). Last but not least I decided to uninstall AD FS 2.0 - it was done so fast - no comparison to the amount of time I've spent before trying to get it fixed.

So - don't hesitate and simply take the easier approach - it's definitely worth!

Answer 5

To add the certificate, first make sure the certificate is installed in the  certificate store for the computer account and that it has a private key. Right-click the cert, All Tasks> Manage Private keys and make sure that the ADFS service account has read permission to the private key.

Open the certificate and copy the thumprint

Now open an elevated powershell console (run as administrator) and run the following commands:

Add-PsSnapin Microsoft.Adfs.PowerShell
Set-AdfsCertificate -CertificateType "Service-Communications" -Thumbprint "aabbccdd ..."

Replace "aa bb cc dd ..." above with the thumbprint from your own certificate

Finally, restart the ADFS 2.0 service.

Answer 6

To add the certificate, first make sure the certificate is installed in the  certificate store for the computer account and that it has a private key. Right-click the cert, All Tasks> Manage Private keys and make sure that the ADFS service account has read permission to the private key.

Open the certificate and copy the thumprint

Now open an elevated powershell console (run as administrator) and run the following commands:

Add-PsSnapin Microsoft.Adfs.PowerShell
Set-AdfsCertificate -CertificateType "Service-Communications" -Thumbprint "aa bb cc dd ..."

Replace "aa bb cc dd ..." above with the thumbprint from your own certificate

Finally, restart the ADFS 2.0 service.

this worked for me, thank you!!!

wally

Answer 7

Worked for me as well. Had to take the spaces out of the thumbprint.

Answer 8

This doesn't work because the error says that the "Service-Communications" certificate Type is not a valid option; you can only specify the Token-decrypting certificate or the Token-signing certificate.

---

it's all very nice when it works

Answer 9

Try:

Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint xxyyzz...

Answer 10

Try:

Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint xxyyzz...

I know that this is a month old and marked as answered, but for the sake of having this searchable and documented, I used this approach and it worked.

I added the new cert to the server, then used set-adfscertificate as described for the Service-Communications cert, but I had to add -IsPrimary to get it to work.

For the other two cert types, Token-Decrypting and Token-Signing, I used the Add-ADFSCertificate command.  At that point, I could go in the management console and just remove the old, non-functional certificate references.

I hope that helps someone, one day.  Thanks nzpcmad1!