# ADFS

Swapping certs is a bitch. dont forget to set the TLS cert for the server in addition to the service certificate. this isnt visible in the mmc.

Change the certificate for SSL and Service-Communications using the following commands:

Set-AdfsSslCertificate –Thumbprint XXX  
Set-AdfsCertificate -CertificateType "Service-Communications" –Thumbprint XXX

Restart the adfs service.

If you havent given permissions to the new certificates private key to the service account, do that too.

If using a windows WAP, you likely broke the trust too. fix it by running Install-webapplicationproxy

```
$FScredential = Get-CredentialInstall-WebApplicationProxy -FederationServiceName "FS01.Contoso.com" -FederationServiceTrustCredential $FScredential -CertificateThumbprint "0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d"
```

use a user account with admin on the ADFS box, and the certificate used should be the one you intend to present to clients. you can get the thumbprint with:

`Get-ChildItem -Path cert: -Recurse | select Subject, FriendlyName, Thumbprint | Format-List`

[https://docs.microsoft.com/en-us/powershell/module/webapplicationproxy/install-webapplicationproxy?view=windowsserver2022-ps](https://docs.microsoft.com/en-us/powershell/module/webapplicationproxy/install-webapplicationproxy?view=windowsserver2022-ps)