ADFS service communication certificate renewal issue in ADFS 3.0

    Question

  • Hi All,

    We have 2 ADFS servers in a farm with SQL backend & 2 ADFS proxy servers. For service communication we are using a Digicert certificate & the token certificates are self signed.

    Currently we were having a SHA1 Digicert certificate; we planned to replace the SHA1 certificates with SHA2 certificates & we renewed the certificates as well on both the ADFS & ADFS proxy servers.

    Post renewal, ADFS relying party applications like CRM, SharePoint etc. sites are working from the internal network, but when we try to access them from the external network we were getting a "server hangup" error while accessing the CRM, SharePoint websites.

    There were no ADFS related errors found except the below "Schannel" errors after certificate renewal. Has anyone got the same error in their environment?

    Note: we found more events after certificate renewal; after rolling back the certificates to the old one these errors were gone on the server.

    Log Name: System
    Source : Schannel
    Event ID: 36888
    Time : 6/15/2015 10.01 AM
    Level : Error
    User : System
    Computer : abc
    Description:  A fatal alert was generated and sent to remote endpoint. This may result in termination of connection. The TLS protocol defined fatal error code is 40. The windows Schannel error state is 1205

    ==============

    Log Name: System
    Source : Schannel
    Event ID: 36874
    Time : 6/15/2015 10.01 AM
    Level : Error
    User : System
    Computer : abc
    Description:  An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed

    Monday, June 15, 2015 9:57 AM

All replies

  • Hi Sunil,

    Try to follow the article below on how to change certificates with ADFS 3.0. You can leave DRS certificate alone, but focus on using two PShell commands which should be run

    a/ Set-AdfsCertificate

    b/ Set-AdfsSslCertificate


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Tuesday, June 16, 2015 12:17 AM
  • Yes, this has been tried & the certificates were renewed with the latest one. Still the issue was not solved. As mentioned earlier we were having a SHA1 certificate; the plan was to renew with SHA2 certificates. After doing all the changes, the above mentioned events were observed & external login was not working.

    As soon as we rolled back to the old SHA1 certificate all started to work fine. Any alternate thoughts on this issue?

    Wednesday, June 17, 2015 9:38 AM
  • Once I had issues with CNG certificates - I assumed that ADFS should support the latest cryptography methods, but not yet: http://blogs.technet.com/b/mspfe/archive/2013/11/29/adfs-configuration-wizard-fails-with-error-the-certificates-with-the-cng-private-key-are-not-supported.aspx

    Anyway, for me it seems that the issue might be with PKI certificate template. What CSP are you using and what template version are you using? If it is v3, try with v2.

    Also, note that for SHA2 with OS < W2K8 (so W2K3 and W2K3R2) a specific KB should be applied: http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Wednesday, June 17, 2015 10:34 PM
  • Hi Andrzej,

    Thanks for the update. We are using an external certificate & not an internal CA server certificate. When it comes to OS version, ADFS is installed on the 2012 R2 OS & all clients are Windows 7 machines.

    Thursday, June 18, 2015 11:32 AM
  • As the event log message says, it looks like a TLS negotiation error. There have been several updates to SCHANNEL lately. Old "unsafe" ciphers were disabled etc.

    Make sure the machines are up to date with patches. A network level trace should show you the exact negotiation problem.

    Are the external clients going through a load balancer? Then the load balancer may be sending an incompatible cipher....


    Paul Lemmers


    • Edited by paullem Thursday, June 18, 2015 12:15 PM
    Thursday, June 18, 2015 12:10 PM
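    As an added diagnostic example (not code from any poster in this thread), the following PowerShell script runs on an ADFS 3.0 (Windows Server 2012 R2) farm node and checks the three things raised above: whether the SSL binding still points at the renewed service communication certificate (Set-AdfsSslCertificate), whether that certificate is SHA2 and whether its private key sits in a CNG key storage provider, and it decodes the TLS alert number in recent Schannel 36888/36874 events. It assumes the ADFS module and certutil are available and that certutil prints a "Provider =" line for the certificate.

```powershell
# Added example: ADFS 3.0 certificate and Schannel negotiation checks (assumed environment).
Import-Module ADFS -ErrorAction Stop

# 1. Compare the HTTP.SYS SSL binding with the configured service communication certificate.
$svc   = Get-AdfsCertificate -CertificateType Service-Communications
$thumb = $svc.Thumbprint
$ssl   = Get-AdfsSslCertificate | Select-Object -First 1
if ($ssl.CertificateHash -ne $thumb) {
    Write-Warning "SSL binding ($($ssl.CertificateHash)) differs from service cert ($thumb): run Set-AdfsSslCertificate"
}

# 2. Inspect the certificate itself: signature hash and key storage provider (CNG vs legacy CSP).
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
Write-Host ("Subject: {0}`nSignature algorithm: {1}" -f $cert.Subject, $cert.SignatureAlgorithm.FriendlyName)
if ($cert.SignatureAlgorithm.FriendlyName -match '^sha1') {
    Write-Warning "Certificate is still SHA1 signed"
}
# certutil reports the provider holding the private key; a Key Storage Provider means a CNG key,
# which ADFS 3.0 does not support for the service communication certificate.
$provLine = (certutil -store My $thumb | Select-String 'Provider =' | Select-Object -First 1).Line
if ($provLine -match 'Key Storage Provider') {
    Write-Warning "Private key is in a CNG KSP ($($provLine.Trim())); re-enrol with a legacy CSP"
}

# 3. Decode recent Schannel alerts (TLS alert numbers per RFC 5246 section 7.2).
$alertNames = @{ 40='handshake_failure'; 42='bad_certificate'; 43='unsupported_certificate';
                 46='certificate_unknown'; 47='illegal_parameter'; 48='unknown_ca'; 49='access_denied';
                 50='decode_error'; 51='decrypt_error'; 70='protocol_version'; 71='insufficient_security';
                 80='internal_error' }
$filter = @{ LogName='System'; ProviderName='Schannel'; Id=36888,36874; StartTime=(Get-Date).AddDays(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Id -eq 36874) {
        # Cipher suite mismatch: the peer (here, the F5 or the external client) offered no suite the server enables.
        Write-Host ("{0} 36874 cipher suite mismatch (TLS 1.2 ClientHello rejected)" -f $e.TimeCreated)
    } elseif ($e.Message -match 'fatal error code is (\d+)') {
        $code = [int]$matches[1]
        $name = if ($alertNames.ContainsKey($code)) { $alertNames[$code] } else { 'unknown' }
        Write-Host ("{0} 36888 sent TLS alert {1} ({2})" -f $e.TimeCreated, $code, $name)
    }
}
```

    Alert 40 (handshake_failure) together with 36874 points at the cipher suite negotiation between the load balancer and the proxy rather than at the certificate chain, which is the case a network trace between the F5 and the ADFS proxy would then confirm.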
  • Yes, external clients go to the F5 load balancer and then to the ADFS proxy servers. Can you give some more information about the incompatible cipher & Schannel updates please?
    Thursday, June 18, 2015 2:34 PM
  • No, I cannot give you extra info, because I am not an F5 specialist.

    But if you make a low level network trace of a working configuration (internal client) and a failing configuration (external client), then the local F5 specialist should be able to help you.


    Paul Lemmers

    Thursday, June 18, 2015 5:10 PM
  • I have the same problem.
    The connection from the Internet to the F5 is OK.
    But from the F5 to the ADFS Proxy it was not.
    I have disabled TLS 1.2 in the F5 to get it to work.

    The version of F5 is 11.4.
    I don't dare to update to 11.5 until some bugs are resolved.

    And I don't know if it's an F5 issue or a Server 2012 R2 issue.

    Friday, August 14, 2015 10:05 AM
  • It worked for me in the same way. As per the update from MS, it seems the F5 was not presenting a proper signature, because of which authentication was failing between the F5 & the ADFS proxy server.
    Friday, May 20, 2016 12:16 PM