AD FS 3.0 (the version that ships with Windows Server 2012 R2) occasionally needs some troubleshooting. In this case I was seeing intermittent connectivity failures to the back-end AD FS server. Here are the steps I took to track down and resolve the cause:
1. Enable debug logging. To do this:
a. Edit C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config. Find the <system.diagnostics> section and change each trace source switchValue that is "Off" by default to "Verbose". Save and close the file. The service only reads this file at start-up, so the change takes effect after the AD FS service (adfssrv) is restarted.
b. From an elevated PowerShell or command prompt, run: wevtutil sl "AD FS Tracing/Debug" /l:5 (on AD FS 2.0 the log is named "AD FS 2.0 Tracing/Debug" instead). /l:5 sets the log level to verbose; the log itself still has to be enabled in the next steps.
c. In Event Viewer, open the View menu and choose "Show Analytic and Debug Logs".
d. Under Applications and Services Logs / AD FS Tracing, right-click the Debug log and choose "Enable Log".
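The same four steps, scripted, plus a query that pulls the offending thumbprint out of the trace log without scrolling through Event Viewer. This is an added example, not part of the original post; it assumes the config path and log name above, that the trace sources carry a switchValue attribute (as they do in the AD FS 2.0 and 3.0 config files I have seen), and that it is run from an elevated PowerShell on the AD FS server.

```powershell
# Added example (not from the original post). Enables AD FS verbose tracing on
# Windows Server 2012 R2 / AD FS 3.0 and extracts the thumbprint named in
# Event ID 53. Run elevated on the AD FS server.
$configPath = 'C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config'
$logName    = 'AD FS Tracing/Debug'   # 'AD FS 2.0 Tracing/Debug' on AD FS 2.0

function Enable-AdfsVerboseTracing {
    # Keep a copy: this file belongs to the AD FS installation.
    Copy-Item -Path $configPath -Destination "$configPath.bak" -Force

    # Step a: flip every trace source that is "Off" to "Verbose".
    # Assumption: the attribute is named switchValue.
    [xml]$config = Get-Content -Path $configPath
    $sources = $config.configuration.'system.diagnostics'.sources.source
    foreach ($src in $sources) {
        if ($src.switchValue -eq 'Off') { $src.switchValue = 'Verbose' }
    }
    $config.Save($configPath)

    # Steps b and d: set the debug log to verbose (5), then enable it.
    wevtutil sl $logName /l:5
    wevtutil sl $logName /e:true

    # The config file is only read at service start.
    Restart-Service -Name adfssrv
}

function Get-AdfsMissingCertThumbprint {
    # Event 53 from the background task quotes the thumbprint HTTP.SYS is
    # bound to. Debug/analytic logs must be read with -Oldest.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 53 } `
                           -Oldest -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match 'thumbprint\s+([0-9A-Fa-f]{40})') { $Matches[1].ToUpper() }
    }
}

# Usage:
#   Enable-AdfsVerboseTracing
#   ...reproduce the problem...
#   Get-AdfsMissingCertThumbprint | Select-Object -Unique
```

Verbose AD FS tracing is noisy and can record claim values from real sign-ins, so treat the log as sensitive and set the switches back to "Off" (and disable the debug log with wevtutil sl "AD FS Tracing/Debug" /e:false) once the investigation is finished.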
After reviewing the logs, the relevant entry in my case was Event ID 53, source AD FS Tracing. It read:
Encountered exception during Run of Microsoft.IdentityServer.Service.Synchronization.DrsSslBindingBackgroundTask task. Exception: The certificate represented by thumbprint <a thumbprint was here> could not be found in the Target Computer Personal certificate store. Check the thumbprint value and ensure that the desired certificate is installed in the Local Computer Personal certificate store.
StackTrace: at Microsoft.IdentityServer.WebHost.Configuration.CertificateUtility.GetCertFromLocationMyStore(StoreLocation location, String thumbprint, Boolean validOnly)
at Microsoft.IdentityServer.WebHost.Configuration.Providers.DrsSslBindingProvider.GetDrsSslBindingCertificate(Int32 drsPort, X509Certificate2& drsCertificate)
at Microsoft.IdentityServer.Service.Synchronization.DrsSslBindingBackgroundTask.Run(Object context)
I then compared that thumbprint to the thumbprints of the SSL certificates installed in the server's Local Computer Personal store (Cert:\LocalMachine\My in PowerShell). Not to my surprise, none of them matched. The task name (DrsSslBindingBackgroundTask) says the Device Registration Service SSL binding is the thing looking for it, but the question was where that thumbprint was configured and how to change it.
After some digging, I went back to an elevated command prompt and looked at the output of "netsh http show sslcert", which lists the SSL bindings held by HTTP.SYS. Sure enough, the stale thumbprint was there in the Certificate Hash field of one of the bindings. Make a note of the Application ID (appid) and the Certificate Store Name for each entry you intend to touch: netsh cannot update a binding in place, so you have to delete it and re-add it with the same appid, and the appid is how AD FS recognizes the binding as its own.
You can delete an entry with "netsh http delete sslcert hostnameport=<yourhost>:<yourport>" (or "ipport=<ip>:<port>" for bindings listed as IP:port rather than Hostname:port).
You can then re-add the correct entry with "netsh http add sslcert hostnameport=<yourhost>:<yourport> certhash=<yourcertthumbprint> appid=<appid noted above> certstorename=MY". The certhash is the new certificate's thumbprint with the spaces removed, the appid keeps its braces, and the certificate must be in the Local Computer Personal store with its private key readable by the AD FS service account. On AD FS 3.0 the supported way to do this is Set-AdfsSslCertificate -Thumbprint <yourcertthumbprint>, which rewrites the AD FS bindings for you; reach for netsh when that still leaves a stale binding behind, as it had here.
After doing this and restarting the AD FS service (adfssrv), things were back on track: "netsh http show sslcert" showed the new thumbprint on every binding, Event ID 53 stopped appearing in the trace log, and SSO was working again. Remember to set the trace switches back to "Off" once you are done.
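The audit-and-rebind part of the procedure, as an added example that is not part of the original post: it parses "netsh http show sslcert", flags every binding whose certificate hash is no longer in the Local Computer Personal store, and, only when asked, deletes and re-adds each stale binding against a new thumbprint while preserving its type (ipport or hostnameport) and appid. It assumes English netsh output (field labels "IP:port", "Hostname:port", "Certificate Hash", "Application ID", "Certificate Store Name") and an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not from the original post). Finds HTTP.SYS SSL bindings
# that point at a certificate no longer in LocalMachine\My and rebinds them.
# Assumes English 'netsh http show sslcert' output; run elevated.

function Get-HttpSslBinding {
    # Parse 'netsh http show sslcert' into objects. Each binding block starts
    # with an "IP:port" or "Hostname:port" line followed by its properties.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{
                Type     = if ($Matches[1] -eq 'IP:port') { 'ipport' } else { 'hostnameport' }
                Endpoint = $Matches[2]
                CertHash = $null
                AppId    = $null
                Store    = $null
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.CertHash = $Matches[1].ToUpper()
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.AppId = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    $bindings
}

function Find-StaleSslBinding {
    # Bindings whose thumbprint is not present in the Local Computer Personal store,
    # which is the store the Event ID 53 message complains about.
    $installed = (Get-ChildItem -Path Cert:\LocalMachine\My).Thumbprint
    Get-HttpSslBinding | Where-Object { $installed -notcontains $_.CertHash }
}

function Repair-StaleSslBinding {
    param(
        [Parameter(Mandatory)][string]$NewThumbprint,
        [switch]$Fix    # without -Fix this only reports what it would change
    )
    $NewThumbprint = ($NewThumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $NewThumbprint
    if (-not $cert)               { throw "Thumbprint $NewThumbprint is not in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key here" }

    foreach ($b in Find-StaleSslBinding) {
        Write-Host ("Stale binding: {0}={1} certhash={2} appid={3} store={4}" -f
                    $b.Type, $b.Endpoint, $b.CertHash, $b.AppId, $b.Store)
        if (-not $Fix) { continue }

        # netsh has no 'update sslcert': delete, then re-add with the same appid
        # so AD FS still recognizes the binding as its own.
        netsh http delete sslcert "$($b.Type)=$($b.Endpoint)" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "delete failed for $($b.Type)=$($b.Endpoint)" }

        netsh http add sslcert "$($b.Type)=$($b.Endpoint)" "certhash=$NewThumbprint" `
              "appid=$($b.AppId)" "certstorename=MY" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "add failed for $($b.Type)=$($b.Endpoint)" }
    }
}

# Usage:
#   Repair-StaleSslBinding -NewThumbprint '<new thumbprint>'        # report only
#   Repair-StaleSslBinding -NewThumbprint '<new thumbprint>' -Fix   # rebind
#   Restart-Service adfssrv
```

Run it without -Fix first and check that the reported stale bindings are the AD FS ones (the appid and endpoint tell you), because HTTP.SYS also holds bindings for other services on the box, such as WinRM or IIS sites, and those should be corrected by their own tooling rather than rebound to the AD FS certificate.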