Adding permissions for ADFS 3.0 and DRS service to read private keys

We had to replace our ADFS Service Communications SSL certificate this week and I ran into a problem assigning read permissions on the new certificate's private key.

Both the ADFS and Device Registration Service (DRS) services need read access to the SSL certificate's private key; however, the Certificates snap-in would not let me add the drs or adfssrv accounts.

You can use the following PowerShell to add permissions to private keys:

# Replace "thumbprint" with the new certificate's thumbprint.
# Resolves the key container file name (CSP/RSA keys only: .PrivateKey is $null for CNG-stored keys).
$PrivateKey = ((Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "thumbprint" }).PrivateKey.CspKeyContainerInfo).UniqueKeyContainerName
$KeyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"
$FullPath = $KeyPath + $PrivateKey
$acl = Get-Acl -Path $FullPath
# Repeat with "NT SERVICE\drs" so the DRS service gets the same Read access.
$Permission = "NT SERVICE\adfssrv", "Read", "Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
$acl.AddAccessRule($AccessRule)
Set-Acl -Path $FullPath -AclObject $acl
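As an added example (not the script from the post), the same change wrapped in a function that grants Read to both service accounts in one go, skips accounts that already have it, refuses to proceed when the key is not a CSP key in MachineKeys, and returns the resulting entries so the change can be verified. The function name and the placeholder thumbprint are assumptions.

```powershell
# Added example: grant Read on a certificate's private key file to the ADFS
# and DRS service accounts, then return the resulting ACL entries for review.
# Assumes a CSP (RSA) key stored in MachineKeys, as the post's script does.
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string[]] $Accounts = @('NT SERVICE\adfssrv', 'NT SERVICE\drs')
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # .PrivateKey is $null for keys held by a CNG provider; those live under
    # Crypto\Keys rather than Crypto\RSA\MachineKeys and need a different lookup.
    $pk = $cert.PrivateKey
    if (-not $pk -or -not $pk.CspKeyContainerInfo) {
        throw "Private key is not a CSP key; cannot resolve a MachineKeys file for it"
    }
    $keyFile = Join-Path 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' $pk.CspKeyContainerInfo.UniqueKeyContainerName
    $acl = Get-Acl -Path $keyFile

    $readMask = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($account in $Accounts) {
        # Skip accounts that already hold an Allow entry covering Read (idempotent re-runs).
        $existing = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readMask) -eq $readMask)
        }
        if ($existing) { Write-Verbose "$account already has Read on $keyFile"; continue }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the entries for the service accounts so the result can be checked.
    (Get-Acl -Path $keyFile).Access |
        Where-Object { $Accounts -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (placeholder thumbprint; replace with the new SSL certificate's value):
# Grant-PrivateKeyRead -Thumbprint 'THUMBPRINT_PLACEHOLDER' -Verbose
```

Run it from an elevated PowerShell session on the ADFS server, since MachineKeys ACLs cannot be changed by a standard user.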

You can also, as I then remembered, just type NT SERVICE\drs or NT SERVICE\adfssrv into the Certificates snap-in! It's been a long week.


One response to “Adding permissions for ADFS 3.0 and DRS service to read private keys”

  1. kitkatneko says:

    Reblogged this on Surviving Within IT.
