Adding permissions for ADFS 3.0 and DRS service to read private keys

Daniel Loughlin's Blog

We had to replace our ADFS Service Communications SSL certificate this week and I ran into a problem assigning read permissions on the new certificate's private key.

Both the ADFS service and the Device Registration Service (DRS) need read access to the SSL certificate's private key; however, the Certificates snap-in would not let me add the accounts drs or adfssrv.

You can use the following PowerShell to add permissions to a certificate's private key file (the backslashes in the paths and account names below are required):

# Resolve the certificate's CSP key container file name; replace "thumbprint" with the new certificate's thumbprint
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "thumbprint" }
$PrivateKey = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$KeyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"   # CAPI/CSP machine keys; CNG keys live under ...\Crypto\Keys instead
$FullPath = Join-Path $KeyPath $PrivateKey
$acl = Get-Acl -Path $FullPath
$Permission = "NT SERVICE\adfssrv", "Read", "Allow"              # repeat with "NT SERVICE\drs" for the DRS service
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
$acl.AddAccessRule($AccessRule)                                  # the rule must be added to the ACL before it is written back
Set-Acl -Path $FullPath -AclObject $acl
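The same procedure wrapped in a reusable function, as an added example that is not from the original post: it grants read access to both NT SERVICE\adfssrv and NT SERVICE\drs in one pass, resolves the key file for both legacy CSP keys and CNG keys (the original snippet only handles the CSP case), and returns the resulting ACEs so you can confirm the grant instead of trusting that Set-Acl succeeded. The function name Grant-PrivateKeyRead is mine; the two key directories are the well-known Windows locations for software-backed machine keys and are an assumption about where the key file lives (keys held in an HSM or TPM have no file to ACL). Run it as a local administrator on the ADFS server.

```powershell
# Added example, not from the original post. Grants read on a certificate's private key
# file to the ADFS and DRS service identities and returns the effective ACEs.
# Assumptions: certificate is in LocalMachine\My; software-backed key stored under
# %ProgramData%\Microsoft\Crypto (RSA\MachineKeys for CSP keys, Keys for CNG keys).
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string[]]$Identity = @('NT SERVICE\adfssrv', 'NT SERVICE\drs')
    )

    # Thumbprints pasted from the MMC often contain spaces and lowercase hex; normalise first
    $normalised = $Thumbprint.Replace(' ', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $normalised }
    if (-not $cert) { throw "No certificate with thumbprint $normalised in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $normalised has no associated private key" }

    # Legacy CSP (CAPI) keys expose CspKeyContainerInfo; CNG keys are reached via the RSA
    # extension method and expose the container name as Key.UniqueName
    $uniqueName = $null
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        $uniqueName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -and $rsa.Key) { $uniqueName = $rsa.Key.UniqueName }
    }
    if (-not $uniqueName) { throw "Could not resolve a key container name (HSM/TPM-backed key?)" }

    # Assumed on-disk locations for software machine keys; search both so CSP and CNG keys work
    $keyDirs = @(
        "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
        "$env:ProgramData\Microsoft\Crypto\Keys"
    )
    $keyFile = Get-ChildItem -Path $keyDirs -Filter $uniqueName -File -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $keyFile) { throw "Key file $uniqueName not found under $($keyDirs -join ', ')" }

    # Read-only is all the services need; never grant FullControl on a key file
    $acl = Get-Acl -Path $keyFile.FullName
    foreach ($id in $Identity) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, 'Read', 'Allow'
        $acl.AddAccessRule($rule)   # merges with any existing Allow ACE for the same identity
    }
    Set-Acl -Path $keyFile.FullName -AclObject $acl

    # Re-read the ACL and return the ACEs for the requested identities as the verification step
    (Get-Acl -Path $keyFile.FullName).Access |
        Where-Object { $Identity -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (thumbprint is a placeholder):
# Grant-PrivateKeyRead -Thumbprint 'THUMBPRINT-OF-NEW-CERT'
```

If the returned list does not show both service identities with Read, the ACL write did not take effect, which is typically a sign the key file is owned by another account and the current session lacks the right to modify its DACL. After the grant, restart the adfssrv and drs services so they reopen the key.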

You can also, as I then remembered, just type NT SERVICE\drs or NT SERVICE\adfssrv into the Certificates snap-in! It's been a long week.