Service communications certificate not found in store

    Question

  • I was having some problems with the original SSL Certificate that I created and bound to IIS, therefore, I deleted it and re-created it.

    However, I had earlier used the certificate while configuring the ADFS 2.0 service and now when I look under the Certificates area for Service communications, I see the error message "Certificate not found in store" beneath the Service communications heading.

    Now that I have installed the new certificate, I want to set the new Service communications certificate, however, when I click on the option for "Set Service Communications Certificate", I get the following error message "The certificate could not be processed.  Error message: Object reference not set to an instance of an object."

    Is there a way for me to set the new Service Communications certificate for ADFS either through the UI or through a PowerShell command?  I have already configured everything in SharePoint to work with my ADFS Server, so I would hate to have to start all over from scratch again.

    Please advise.

    Thursday, June 28, 2012 10:33 PM

Answers

  • Hello!

    I also recently encountered this problem. The only thing that helped me was reinstalling the ADFS service (uninstall from Server, restart, install again). I set up ADFS again, and only after this did the certificate appear.


    Dmitry

    • Marked as answer by vs2015junkie Tuesday, July 10, 2012 7:51 PM
    Thursday, July 05, 2012 10:33 AM

All replies

  • Yes - you can using PowerShell - see the overview here.

    You need something like:

    Add-ADFSCertificate -CertificateType "Service-Communications" -Thumbprint fedd995b45e...

    Full description here

    Friday, June 29, 2012 1:03 AM
  • This is the error message that I get when I attempt to run this command:

    Add-ADFSCertificate : Cannot validate argument on parameter 'CertificateType'. The argument "Service-Communications" does not belong to the set
     "Token-Decrypting,Token-Signing" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.

    Any other ideas?

    Friday, June 29, 2012 12:55 PM
  • I can confirm that the above is correct ("... The only thing that helped me is reinstalling ADFS service (Uninstall from Server, restart, Install again). I have set up ADFS again, and only after this certificate has appeared.").

    I had tried the PowerShell command option before, as I simply wanted to avoid the extra time needed to demolish the AD FS 2.0 installation, but it simply did not work (same error message as above). Last but not least, I decided to uninstall AD FS 2.0 - it was done so fast - no comparison to the amount of time I had spent before trying to get it fixed.

    So - don't hesitate and simply take the easier approach - it's definitely worth it!

    Wednesday, December 05, 2012 2:18 PM
  • To add the certificate, first make sure the certificate is installed in the certificate store for the computer account and that it has a private key. Right-click the cert, All Tasks > Manage Private Keys and make sure that the ADFS service account has read permission to the private key.

    Open the certificate and copy the thumbprint.

    Now open an elevated PowerShell console (run as administrator) and run the following commands:

    Add-PsSnapin Microsoft.Adfs.PowerShell
    Set-AdfsCertificate -CertificateType "Service-Communications" -Thumbprint "aabbccdd ..."

    Replace "aabbccdd ..." above with the thumbprint from your own certificate.

    Finally, restart the ADFS 2.0 service.



    • Proposed as answer by Robin Gaal Wednesday, February 06, 2013 8:55 AM
    • Edited by Meyercord Thursday, November 13, 2014 11:05 PM
    Tuesday, January 15, 2013 8:00 PM
  • To add the certificate, first make sure the certificate is installed in the certificate store for the computer account and that it has a private key. Right-click the cert, All Tasks > Manage Private Keys and make sure that the ADFS service account has read permission to the private key.

    Open the certificate and copy the thumbprint.

    Now open an elevated PowerShell console (run as administrator) and run the following commands:

    Add-PsSnapin Microsoft.Adfs.PowerShell
    Set-AdfsCertificate -CertificateType "Service-Communications" -Thumbprint "aa bb cc dd ..."

    Replace "aa bb cc dd ..." above with the thumbprint from your own certificate.

    Finally, restart the ADFS 2.0 service.


    this worked for me, thank you!!!

    wally

    Friday, December 06, 2013 10:58 PM
  • Worked for me as well. Had to take the spaces out of the thumbprint.
    Friday, January 24, 2014 10:25 PM
  • This doesn't work because the error says that the "Service-Communications" certificate Type is not a valid option; you can only specify the Token-decrypting certificate or the Token-signing certificate.

    it's all very nice when it works

    • Proposed as answer by AdrianoZ Friday, September 05, 2014 6:51 AM
    • Unproposed as answer by AdrianoZ Friday, September 05, 2014 6:51 AM
    Tuesday, July 01, 2014 1:54 PM
  • Try:

    Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint xxyyzz...

    Tuesday, July 01, 2014 7:15 PM
  • Try:

    Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint xxyyzz...

    I know that this is a month old and marked as answered, but for the sake of having this searchable and documented, I used this approach and it worked.

    I added the new cert to the server, then used Set-AdfsCertificate as described for the Service-Communications cert, but I had to add -IsPrimary to get it to work.

    For the other two cert types, Token-Decrypting and Token-Signing, I used the Add-ADFSCertificate command.  At that point, I could go in the management console and just remove the old, non-functional certificate references.

    I hope that helps someone, one day.  Thanks nzpcmad1!

    Monday, July 28, 2014 1:10 PM
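  • An added example (not code from any post in this thread) that scripts the procedure the posts above describe: check the computer store for the cert and its private key, check the ADFS service account's read permission on the private key, bind the cert with Set-AdfsCertificate -IsPrimary, and restart the service. It assumes the AD FS 2.0 snap-in, the service name adfssrv, a CSP-based RSA private key (CNG keys are stored elsewhere), and placeholder values for $Thumbprint and $ServiceAccount.

```powershell
# Added example; $Thumbprint and $ServiceAccount are placeholders, not values from the thread.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,     # e.g. 'AABBCCDD...'
    [Parameter(Mandatory = $true)] [string] $ServiceAccount  # e.g. 'CONTOSO\svc-adfs'
)

# AD FS 2.0 ships its cmdlets as a snap-in rather than a module.
Add-PsSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Thumbprints pasted from the certificate dialog often carry spaces or an invisible
# left-to-right mark; keep only the hex digits so the lookup and Set call match.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. The cert must be in the computer account's Personal store and have a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# 2. The service account needs Read on the key file; this is what the
#    'Manage Private Keys' dialog edits. Assumes a CSP key under MachineKeys.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl = Get-Acl -Path $keyFile
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if (-not $hasRead) {
    Write-Host "Granting Read on private key to $ServiceAccount"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

# 3. Bind the cert as the primary Service Communications certificate (the -IsPrimary
#    switch is the one the last post reports as required), then restart AD FS 2.0.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint -IsPrimary
Restart-Service -Name adfssrv

# 4. Show what AD FS now reports so the console no longer says "not found in store".
Get-AdfsCertificate -CertificateType Service-Communications
```

    Run it from an elevated console on the federation server; the IIS HTTPS binding for the same cert still has to be updated separately.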