At any rate, these changes work, as they always have done. We can see them clearly in Get-AdfsProperties and Get-AdfsCertificate after making them. However, as before, we also need to apply the changes to the underlying infrastructure. In the past this would have been a matter of updating the IIS binding, but now we need the netsh http commands to interact with HTTP.SYS directly.

The netsh http show urlacl command lists the URL reservations. By default AD FS reserves a wildcard listener for its port and path rather than a host-header-specific one, so the URL reservations themselves do not depend on the hostname. The SSL bindings, on the other hand, do need to be updated, and they are configured far more strictly than we normally see in IIS unless we are using SNI. Indeed, the default HTTP.SYS configuration in Windows Server 2. R2 assumes the use of TLS extensions such as SNI: the bindings are keyed by hostname and port rather than by IP address and port.

Using netsh http show sslcert, I can see that my current configuration still references the SSL bindings for my old certificate and URLs. Because I am updating my certificate at the same time as my URL, all of these bindings need to be updated to use both the correct certificate and the correct URL. Referencing the existing GUID for the Application ID (shown in the netsh output), we add the new bindings with netsh http add sslcert. Note that because PowerShell can interpret bare curly braces, such as those around the GUID, as a script block, we need to construct the command as a string and pipe it into netsh, which is a fairly awkward construction:

    $guid = '{5d...}'   # the existing AD FS Application ID, as shown by netsh http show sslcert
    # $hostnameport holds the new host:port and $certhash the thumbprint of the new certificate
    $Command = "http add sslcert hostnameport=$hostnameport certhash=$certhash appid=$guid certstorename=MY sslctlstorename=AdfsTrustedDevices clientcertnegotiation=disable"
    $Command | netsh

This needs to be repeated for the port 4… certificate-authentication binding as well, when that is required. The only differences are the port and that client certificate negotiation is enabled:

    $hostnameport = "sts.…"
    $Command = "http add sslcert hostnameport=$hostnameport certhash=$certhash appid=$guid certstorename=MY sslctlstorename=AdfsTrustedDevices clientcertnegotiation=enable"
    $Command | netsh

And the old bindings need to be deleted manually:

    netsh http delete sslcert hostnameport=sts.…
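The whole binding update as one script, covering the standard port, the certificate-authentication port, the localhost binding and the metadata test discussed next. This is an added example and not the post's own commands: it assumes the old and new STS host names and the new certificate thumbprint are passed in, that the new certificate already sits in LocalMachine\My with its private key, that the shell is elevated, and that netsh http show sslcert prints the "Label : value" layout the parser looks for (Hostname:port, Certificate Hash, Application ID, Certificate Store Name, Ctl Store Name, Negotiate Client Certificate). It also handles the certificate-only case, where the hostname does not change and the binding key stays the same.

```powershell
# Added example, not from the original post. Rotates every HTTP.SYS SSL binding that points
# at the old AD FS host (or at localhost) to the new host and certificate by deleting and
# re-adding it, reusing the Application ID, certificate store, CTL store and client-certificate
# negotiation setting of the existing binding. Host names and thumbprint are assumed inputs.

# Parse 'netsh http show sslcert' into one object per binding.
# Assumes the 'Label : value' layout netsh prints; a blank line ends a record.
function Get-HttpSslBinding {
    $bindings = @()
    $current = $null
    foreach ($line in (& netsh http show sslcert)) {
        if ($line -match '^\s*(.+?)\s+:\s*(.*?)\s*$') {
            if ($null -eq $current) { $current = [ordered]@{} }
            $current[$Matches[1]] = $Matches[2]
        }
        elseif ($null -ne $current) {
            $bindings += [pscustomobject]$current
            $current = $null
        }
    }
    if ($null -ne $current) { $bindings += [pscustomobject]$current }
    $bindings | Where-Object { $_.'Certificate Hash' }   # drop header fragments
}

# Delete and re-create each matching binding with the new host name and certificate.
function Update-AdfsSslBinding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $OldHost,        # assumed: old STS host name
        [Parameter(Mandatory = $true)] [string] $NewHost,        # assumed: new STS host name
        [Parameter(Mandatory = $true)] [string] $NewThumbprint   # assumed: thumbprint of the new certificate
    )
    # Refuse to touch HTTP.SYS unless the new certificate is present with its private key
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "Certificate $NewThumbprint is not in LocalMachine\My or has no private key"
    }
    foreach ($b in Get-HttpSslBinding) {
        $oldKey = $b.'Hostname:port'
        if (-not $oldKey) { continue }                    # leave IP:port bindings alone
        $hostName, $port = $oldKey -split ':', 2
        if ($hostName -ne $OldHost -and $hostName -ne 'localhost') { continue }
        $newKey = if ($hostName -eq 'localhost') { $oldKey } else { "${NewHost}:$port" }
        $negotiate = if ($b.'Negotiate Client Certificate' -eq 'Enabled') { 'enable' } else { 'disable' }
        # Quoting each argument keeps the braces of the Application ID out of PowerShell's parser
        $addArgs = @(
            "hostnameport=$newKey", "certhash=$NewThumbprint",
            "appid=$($b.'Application ID')",
            "certstorename=$($b.'Certificate Store Name')",
            "clientcertnegotiation=$negotiate"
        )
        $ctl = $b.'Ctl Store Name'
        if ($ctl -and $ctl -ne '(null)') { $addArgs += "sslctlstorename=$ctl" }
        if (-not $PSCmdlet.ShouldProcess($oldKey, "rebind as $newKey with certificate $NewThumbprint")) { continue }
        if ($newKey -ne $oldKey) {
            # Different key: add the new binding first so a failed add leaves the old one serving
            $out = & netsh http add sslcert @addArgs
            if ($LASTEXITCODE -ne 0) { throw "add sslcert failed for ${newKey}: $out" }
            & netsh http delete sslcert "hostnameport=$oldKey" | Out-Null
        }
        else {
            # Same key (localhost, or certificate-only change): no update verb, so delete then add
            & netsh http delete sslcert "hostnameport=$oldKey" | Out-Null
            $out = & netsh http add sslcert @addArgs
            if ($LASTEXITCODE -ne 0) { throw "add sslcert failed for ${newKey}: $out" }
        }
        [pscustomobject]@{ Old = $oldKey; New = $newKey; ClientCertNegotiation = $negotiate }
    }
}

# Indicative test: fetch the federation metadata over the new name. A wrong certificate, an
# untrusted chain or a name mismatch surfaces as a TLS error from Invoke-WebRequest.
function Test-FederationMetadata {
    param([Parameter(Mandatory = $true)] [string] $StsHost)
    $url = "https://$StsHost/FederationMetadata/2007-06/FederationMetadata.xml"   # default AD FS metadata path
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing
    [xml]$metadata = $response.Content
    $metadata.EntityDescriptor.entityID        # the federation service identifier the STS publishes
}

# Usage (hypothetical names; dry run first with -WhatIf, then for real):
# Update-AdfsSslBinding -OldHost 'old-sts.example' -NewHost 'sts.example' -NewThumbprint '<thumbprint>' -WhatIf
# Test-FederationMetadata -StsHost 'sts.example'
```

Two design notes. The add-before-delete order matters when the key changes: netsh has no transactional update, so deleting first and then failing the add (a typo in the thumbprint, a store name that does not exist) would leave the STS with no binding at all. And when only the certificate changes rather than the hostname, the AD FS cmdlet Set-AdfsSslCertificate -Thumbprint does this rebinding for you; it is the change of hostname that forces the manual netsh route.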
Although we should not rely on the localhost binding, we will update that as well, as otherwise it will still be secured with the old certificate, and you never know when failing to update it might cause a problem. Note that there is no update command that I can find, so we need to delete the old binding and create it anew:

    # with $hostnameport set to the localhost binding shown by netsh http show sslcert
    $Command = "http add sslcert hostnameport=$hostnameport certhash=$certhash appid=$guid certstorename=MY sslctlstorename=AdfsTrustedDevices clientcertnegotiation=disable"
    $Command | netsh

After making these changes it should be possible to browse to the new Federation Metadata URL successfully, which is a good indicative test that things are working. This would also be a really good time to make sure that certificate trusts are in place all the way up the chain, as things will break later if this is not done. And with that, the first changes are done.

Changing Relying Parties to use the new URL

Once we have a responsive Security Token Service on the new URL, we need to update the Relying Parties that AD FS serves. There is no way I could document all of these, but since this process is surprisingly poorly documented for SharePoint, I will detail what it looks like for SharePoint 2010 here.

Before running this, it is important to understand that updating the Name value will break user profiles, so I generally recommend against it. You need to live with the old Name and DisplayName, which may be confusing, but the alternative means migrating all user accounts and updating all authentication providers, which will be disruptive in a production environment.

Making this update to the SPTrustedIdentityTokenIssuer requires both the Get and the Set cmdlets to make the change in full. Note that the ProviderUri property returned by the Get cmdlet corresponds to the SignInUrl parameter of the Set cmdlet:

    # assumes a single trusted identity token issuer in the farm; otherwise pass -Identity to Get
    $TrustedIdentityTokenIssuer = Get-SPTrustedIdentityTokenIssuer
    Set-SPTrustedIdentityTokenIssuer $TrustedIdentityTokenIssuer -SignInUrl "https://sts.…"
    $TrustedIdentityTokenIssuer.Update()

Note that this process is dramatically better than the alternative approach of deleting and re-creating the SPTrustedIdentityTokenIssuer, as that will break any User Profile Synchronisation Connections that depend on it. Avoid it.

After making these changes, we should have a totally updated AD FS. But what if we have published AD FS and Relying Parties outside the corporate network using the Web Application Proxy? If so, our work is not finished yet.

Updating Web Application Proxies to use the new URL

Before I plunge in too deeply, I have to mention that I am not sure which of these steps, if any, will be needed if the Web Application Proxy is deployed for the first time after the changes above have been made. My gut feeling is that none of them will be necessary, but for reasons that will become clearer soon, I cannot speak to that scenario with any clarity right now.

At this point, it is worth recapping where we are. Presently, the Web Application Proxy has lost its relationship with AD FS: the AD FS URL has changed, the Web Application Proxy is continuing to request the old URL to update its configuration data, and AD FS holds all of the Web Application Proxy configuration information.
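Going back to the SharePoint step before the proxy discussion: the same Get, Set and Update sequence generalised to every SPTrustedIdentityTokenIssuer in the farm whose sign-in URL points at the old AD FS host, with a fresh read of the configuration database afterwards to confirm the change. This is an added example, not the post's own script. The old and new host names are assumed inputs, it is written for the SharePoint Management Shell (it loads the Microsoft.SharePoint.PowerShell snap-in if the cmdlets are not already present), and it sticks to PowerShell 2.0 syntax so it runs against SharePoint 2010. Name and DisplayName are deliberately left untouched, for the user-profile reason given above.

```powershell
# Added example, not from the original post. Repoints every SPTrustedIdentityTokenIssuer whose
# ProviderUri (the sign-in URL) uses $OldHost to $NewHost, keeping scheme, port, path and query,
# and verifies the result. Host names are assumed inputs. Never removes or re-creates an issuer.
function Update-SPTrustedIssuerSignInUrl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $OldHost,   # assumed: old AD FS host name
        [Parameter(Mandatory = $true)] [string] $NewHost    # assumed: new AD FS host name
    )
    if (-not (Get-Command Get-SPTrustedIdentityTokenIssuer -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }
    foreach ($issuer in @(Get-SPTrustedIdentityTokenIssuer)) {
        $oldUri = [uri]$issuer.ProviderUri
        if ($oldUri.Host -ne $OldHost) { continue }        # unrelated issuer: leave it alone

        # Only the host changes; everything else in the sign-in URL is preserved
        $builder = New-Object System.UriBuilder $oldUri
        $builder.Host = $NewHost
        $newUrl = $builder.Uri.AbsoluteUri

        if (-not $PSCmdlet.ShouldProcess($issuer.Name, "SignInUrl $($oldUri.AbsoluteUri) -> $newUrl")) { continue }

        # Set then Update on the same object, as the post does. Deleting and re-creating the
        # issuer instead would break the User Profile Synchronisation connections that use it.
        Set-SPTrustedIdentityTokenIssuer -Identity $issuer -SignInUrl $newUrl
        $issuer.Update()

        # Verify from a fresh read of the configuration database rather than the cached object
        $check = Get-SPTrustedIdentityTokenIssuer -Identity $issuer.Name
        if (([uri]$check.ProviderUri).Host -ne $NewHost) {
            throw "Sign-in URL for '$($issuer.Name)' is still $($check.ProviderUri)"
        }
        New-Object PSObject -Property @{
            Issuer       = $issuer.Name
            OldSignInUrl = $oldUri.AbsoluteUri
            NewSignInUrl = $newUrl
        }
    }
}

# Usage (hypothetical names; dry run first with -WhatIf, then for real):
# Update-SPTrustedIssuerSignInUrl -OldHost 'old-sts.example' -NewHost 'sts.example' -WhatIf
```

The host comparison is deliberate: an issuer that points at a different STS (a partner federation, say) must not be rewritten just because its name looks similar, and the post-update read-back catches the case where Set succeeded on a stale object but nothing reached the configuration database.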