Over the Christmas break, I had to revive my SharePoint hybrid lab after it had been idle for a few months. Ironically, during that period all of the certificates expired, which broke the end-to-end SharePoint hybrid configuration.
As an overview, my SharePoint Hybrid Lab consists of Microsoft Azure-hosted SharePoint 2013 On-premises environment with Office 365 hybrid trust.
I have 3 VMs in Microsoft Azure for the SharePoint 2013 on-premises environment – an all-up SharePoint 2013 VM with AD and SQL, an ADFS + Azure AD Sync VM acting as the SAML provider, and a WAP VM acting as a reverse proxy. This environment is trusted by an Office 365 tenant that syncs the on-premises users to Office 365, and it is configured with both inbound and outbound SharePoint search.
Here are the high-level steps one needs to take to renew the certs and revive the SharePoint 2013 on-premises and SharePoint hybrid environment. Please note – these steps exclude the Office Web Apps and Provider Hosted Apps configuration.
Fix On-Premises First
Fix SharePoint SSL
- Symptoms – Verify that neither the NTLM nor the SAML SharePoint SSL URL works, even from the server itself or from internal domain machines.
- First, request an updated SSN URL cert – a new cert from the cert provider: log on to the SP server, create a CSR from IIS, submit the CSR and request the new cert, wait for the cert provider to issue it, download it, and import it into IIS (clean up the old one).
- Fix on-premises SharePoint SSL – bind the cert in IIS and test with NTLM (this may still error out if the STS cert is expired; remember that hybrid requires replacing the out-of-box STS cert). SAML will error out for ADFS, especially if any of the ADFS communication or token-signing certs are expired.
- Fix the SP STS cert – regenerate the STS self-signed cert from IIS (or request one from a third party, the same way as the URL cert in the previous bullet), export both PFX and CER files, and update the STS signing cert using Set-SPSecurityTokenServiceConfig. This should bring the NTLM SP site back.
- This should allow users to log in to SharePoint internally with NTLM auth.
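The following PowerShell is an added example of the STS step above, not a script from the original post. It first lists every cert in the machine store that is expired or about to expire (a quick way to see what else the outage took down), shows the STS signing cert SharePoint is currently using, and then imports the renewed PFX with Set-SPSecurityTokenServiceConfig. The PFX path, password prompt and 30-day horizon are assumptions for the lab; run it on the SharePoint server as a farm administrator.

```powershell
# Added example: replace the SharePoint STS signing certificate after an expiry
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Inventory: anything in LocalMachine\My that is expired or expires within 30 days (horizon is an assumption)
$horizon = (Get-Date).AddDays(30)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt $horizon } |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

# 2. What STS signing cert is the farm using right now? Compare NotAfter with today's date.
$stsConfig = Get-SPSecurityTokenServiceConfig
$stsConfig.LocalLoginProvider.SigningCertificate |
    Select-Object Subject, Thumbprint, NotAfter

# 3. Load the renewed STS cert from the exported PFX (path is a placeholder; the PFX must contain the private key)
$pfxPath = 'C:\certs\sts-renewed.pfx'
$pfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfxPath, $pfxPwd, 'Exportable,MachineKeySet,PersistKeySet')

# 4. Import it as the new STS signing cert and recycle IIS so every web application picks it up
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $newCert
iisreset

# 5. Confirm the farm now reports the renewed thumbprint
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate.Thumbprint -eq $newCert.Thumbprint
```

Keep the exported CER file from the same PFX: it is the public half you will later upload to Office 365 for the ACS trust.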
Fix ADFS Integration
- Symptoms – SharePoint with NTLM auth works fine, but SAML auth doesn't work yet.
- Fix the ADFS communication cert (might be the same as the SSN URL cert) – copy the ADFS communication cert to the ADFS server, import it into the local store (clean up the old one), add the new cert as the service communication cert, update the ADFS SSL cert using the Set-AdfsSslCertificate PowerShell cmdlet, and validate that ADFS sign-in works; if it doesn't, the token-signing certs may be expired as well.
- Fix the ADFS token-signing certs and the SP trust – use PowerShell to refresh the token-signing cert, export the token-signing cert to the SP servers, add it to the SP local cert stores, update the SP identity issuer with the new token cert using Set-SPTrustedIdentityTokenIssuer, update the certs under Central Admin > Manage Trust, and validate that the ADFS redirect and trust work.
- This should allow users to log in internally both at the ADFS sign-in page and to SharePoint with SAML auth.
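Here is an added example of the two ADFS bullets above, written for this post rather than taken from it. The first half runs on the ADFS server: it sets the renewed service-communication cert, rolls the token-signing cert immediately, and exports the new primary signing cert (public key only). The second half runs on the SharePoint server and re-trusts that cert farm-wide, then points the trusted identity provider at it. The thumbprint, the file path and the provider name 'ADFS' are assumptions; Update-AdfsCertificate -Urgent requires automatic certificate rollover to be enabled on the farm.

```powershell
# Added example: roll ADFS certs and refresh the SharePoint trusted identity provider

# --- On the ADFS server ---
# Thumbprint of the renewed communication cert already imported into LocalMachine\My (placeholder)
$commThumb = 'PLACEHOLDER_COMMUNICATION_CERT_THUMBPRINT'
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $commThumb
Set-AdfsSslCertificate -Thumbprint $commThumb
Restart-Service adfssrv

# Generate a new token-signing cert and promote it to primary right away (-Urgent skips the grace period;
# needs AutoCertificateRollover enabled, check with Get-AdfsProperties)
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

# Export the primary token-signing cert as a public .cer for the SharePoint servers (path is a placeholder)
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate
[System.IO.File]::WriteAllBytes('C:\certs\adfs-token-signing.cer', $signing.Export('Cert'))

# --- On the SharePoint server ---
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\adfs-token-signing.cer')

# Farm-wide trust (this is what shows up under Central Admin > Security > Manage Trust)
New-SPTrustedRootAuthority -Name 'ADFS Token Signing (renewed)' -Certificate $cert

# Re-point the trusted identity provider at the new signing cert ('ADFS' is the provider name assumed here)
Set-SPTrustedIdentityTokenIssuer -Identity 'ADFS' -ImportTrustCertificate $cert

# Verify: SharePoint should now report the same thumbprint ADFS is signing with
(Get-SPTrustedIdentityTokenIssuer -Identity 'ADFS').SigningCertificate |
    Select-Object Subject, Thumbprint, NotAfter
```

The old root authority entries are left in place on purpose; remove them from Manage Trust only after SAML sign-in has been confirmed working with the new cert.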
Fix WAP – ADFS Proxy Integration and Startup Issues
- Symptoms – ADFS sign-in works fine from the WAP server itself but not from the public internet through WAP.
- There are two certs involved – the ADFS proxy trust cert and the ADFS communication cert – and one or both may be expired.
- Fix the ADFS communication cert (might be the same as the SSN URL cert) – this one is used for both client and server authentication. Copy the ADFS communication cert to the WAP server, import it into the local store (clean up the old one), update the WAP SSL cert using the Set-WebApplicationProxySslCertificate PowerShell cmdlet, and validate that ADFS sign-in works from outside. If it doesn't, the WAP trust may be broken; the easiest check is whether the ADFS proxy trust cert in the local cert store has expired.
- Fix the ADFS proxy trust cert – this one is for client authentication. You need to run through these steps if the ADFS proxy trust cert is expired, or if you are renewing the ADFS communication cert and need to re-establish trust with the ADFS server. Usually this cert gets auto-renewed every 2 weeks as long as the server is running. Re-establish the WAP-ADFS trust by running Install-WebApplicationProxy; it should issue a new ADFS proxy cert, after which you can remove the old one. https://technet.microsoft.com/en-us/library/dn770156.aspx
- ADFS sign-in should now work fine from outside.
Fix WAP – Published SP App rules
- Symptoms – SharePoint NTLM and SAML work fine from the WAP server itself but not from the public internet through WAP.
- Update the certificates on the WAP published application rules using the Set-WebApplicationProxyApplication cmdlet. Usually there are two external entry points for SharePoint hybrid – one for end users (ADFS SAML-based) and a second for Office 365 service calls (NTLM/certificate-based). The certs on both WAP entry points need to be updated. For the ADFS one, update only ExternalCertificateThumbprint. For the NTLM/certificate-based one, you need to update both ExternalCertificateThumbprint and ClientCertificatePreauthenticationThumbprint (without the latter you will get a 403 error).
- Intranet SharePoint SAML should now work fine with ADFS auth, and IntranetExt NTLM should work fine with certificate-based authentication from outside.
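The script below is an added example covering both WAP sections above (the ADFS proxy fixes and the published application rules); it is not from the original post. It checks the self-issued proxy trust cert for expiry, swaps the WAP SSL cert, re-establishes the trust with the ADFS farm, and then updates the two published SharePoint rules, passing ClientCertificatePreauthenticationThumbprint only for the pass-through rule used by Office 365. The thumbprint, the federation service name and the rule names 'Intranet' and 'IntranetExt' are assumptions; in this lab the same renewed cert is used for the external and the client pre-authentication thumbprint, as the post implies.

```powershell
# Added example: renew WAP certs and re-point the published SharePoint rules (run on the WAP server)
$commThumb = 'PLACEHOLDER_COMMUNICATION_CERT_THUMBPRINT'   # renewed cert already in LocalMachine\My

# 1. Is the proxy trust cert still valid? WAP issues it to itself with a subject starting "ADFS ProxyTrust"
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust*' } |
    Select-Object Subject, Thumbprint, NotAfter

# 2. Update the SSL cert WAP presents for the ADFS endpoint
Set-WebApplicationProxySslCertificate -Thumbprint $commThumb

# 3. Expired proxy trust (or a changed comm cert): re-establish trust with the ADFS farm.
#    Prompts for an account with local admin rights on the ADFS server; issues a fresh proxy trust cert.
$cred = Get-Credential -Message 'Account with admin rights on the ADFS server'
Install-WebApplicationProxy -FederationServiceName 'adfs.chipchybrid.com' `
    -FederationServiceTrustCredential $cred `
    -CertificateThumbprint $commThumb

# 4. Published rules: see which cert each one currently presents
Get-WebApplicationProxyApplication |
    Select-Object Name, ID, ExternalPreauthentication, ExternalCertificateThumbprint

# End-user entry point (ADFS pre-authentication): external cert only
$adfsRule = Get-WebApplicationProxyApplication -Name 'Intranet'
Set-WebApplicationProxyApplication -ID $adfsRule.ID -ExternalCertificateThumbprint $commThumb

# Office 365 service entry point (pass-through, client-cert pre-auth): both thumbprints,
# otherwise Office 365 gets a 403 from WAP
$ntlmRule = Get-WebApplicationProxyApplication -Name 'IntranetExt'
Set-WebApplicationProxyApplication -ID $ntlmRule.ID `
    -ExternalCertificateThumbprint $commThumb `
    -ClientCertificatePreauthenticationThumbprint $commThumb

# 5. Verify and watch for trust errors in the WAP event log while testing from outside
Get-WebApplicationProxyApplication | Select-Object Name, ExternalCertificateThumbprint, ClientCertificatePreauthenticationThumbprint
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 20 | Select-Object TimeCreated, Id, Message
```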
Fix Office 365 Hybrid Configuration
Fix Office 365 Federation
- Symptoms – You may get a warning in the Office 365 admin center about federation cert renewal; this affects Azure AD Sync, and users are no longer able to log in to Office 365 using their on-premises IDs.
- From the ADFS server, run Update-MSOLFederatedDomain -DomainName for the federated domain in the Azure AD PowerShell window to update the cert.
- You should no longer receive any alerts, and you should be able to log in to the SharePoint site using an on-prem ID.
Fix Hybrid ACS Trust & Outbound Search
- Symptoms – You won't be able to search SharePoint Online data from the SharePoint on-premises Search Center.
- From the SP server, run New-MsolServicePrincipalCredential to upload the new valid STS cert; you may also want to use Remove-MsolServicePrincipalCredential to delete the expired one.
- There is no need to update the SPO SPN using Set-MsolServicePrincipal, re-register the app principal using Register-SPAppPrincipal, set the realm using Set-SPAuthenticationRealm, or recreate the ACS proxy and token issuer using New-SPAzureAccessControlServiceApplicationProxy and New-SPTrustedSecurityTokenIssuer.
- You should be able to search SharePoint Online data from the SharePoint on-premises Search Center.
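As an added example for the two Office 365 sections above (federation renewal and the ACS service principal credential), not a script from the original post, the following uses the Azure AD (MSOnline) module to renew the federated domain, list the SharePoint Online service principal's current credentials with their validity window, remove the expired ones, and upload the renewed on-prem STS public cert. The domain name and the CER path are assumptions; the AppPrincipalId is the well-known one for SharePoint Online. Run the federation part from the ADFS server and the credential part from wherever the exported STS .cer is available.

```powershell
# Added example: renew Office 365 federation and the SharePoint Online service principal credential
Import-Module MSOnline
Connect-MsolService   # prompts for a tenant global admin

# 1. Federation: push the renewed ADFS signing cert into Office 365 (domain is a placeholder)
$domain = 'chipchybrid.com'
Update-MsolFederatedDomain -DomainName $domain
# Compare what ADFS and Office 365 each believe the signing cert is
Get-MsolFederationProperty -DomainName $domain

# 2. ACS / hybrid trust: SharePoint Online's well-known service principal id
$spoAppId = '00000003-0000-0ff1-ce00-000000000000'

# Public keys currently registered against it, with their validity window
Get-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -ReturnKeyValues $false |
    Select-Object KeyId, Type, Usage, StartDate, EndDate

# Remove every credential that has already expired (the old STS cert falls in here)
$expired = Get-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -ReturnKeyValues $false |
    Where-Object { $_.EndDate -lt (Get-Date) }
foreach ($key in $expired) {
    Remove-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -KeyIds $key.KeyId
}

# Upload the renewed on-prem STS cert: the public .cer exported earlier (path is a placeholder)
$stsCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\sts-renewed.cer')
$credValue = [System.Convert]::ToBase64String($stsCert.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $credValue

# 3. Verify the new key is present and its EndDate matches the cert's NotAfter
Get-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -ReturnKeyValues $false |
    Where-Object { $_.EndDate -gt (Get-Date) } |
    Select-Object KeyId, StartDate, EndDate
```

Only the public certificate is uploaded here; the private key stays on the SharePoint STS, which is why the realm, app principal and token issuer registrations listed above do not need to be recreated.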
Fix Inbound Search
- Symptoms – You won't be able to search SharePoint on-premises data from the SharePoint Online Search Center.
- Upload the updated communication cert for the EXT URL into the Secure Store application that is used by the SharePoint Online result source.
- You should be able to search SharePoint on-premises data from the SharePoint Online Search Center.
References
- SSN cert application URLs (e.g. intranet.chipchhybrid.com, adfs.chipchybrid.com)
- ADFS token signing certs – http://www.expta.com/2015/03/how-to-update-certificates-for-ad-fs-30.html
- SP On-Premises STS certs – https://technet.microsoft.com/en-us/library/dn551378.aspx
- WAP Proxy Trust Certs – http://blogs.technet.com/b/rmilne/archive/2015/04/20/adfs-2012-r2-web-application-proxy-_2d00_-re_2d00_establish-proxy-trust.aspx or http://fastvue.co/tmgreporter/blog/how-to-solve-web-application-proxy-and-ad-fs-certificate-issues-general-error-code-0x8007520c
- WAP SP App rules Certs – https://blogs.blackmarble.co.uk/blogs/adawson/post/2015/02/13/Changing-the-Certificate-on-ADFS-30-and-Web-Application-Proxy-(WAP).aspx
- Office 365 Federation – https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-o365-certs/
- Office 365 Hybrid and Low Trust with ACS – https://msdn.microsoft.com/en-us/library/dn155905.aspx