Adding permissions for ADFS 3.0 and DRS service to read private keys

Daniel Loughlin's Blog

We had to replace our ADFS Service Communications SSL certificate this week and I ran into a problem assigning read permissions on the new certificate’s primary key.

Both the ADFS and Device Registration Service (DRS) services need read access to the SSL certificate's private key. However, the certificates snap-in would not let me add the accounts drs or adfssrv.

You can use the following PowerShell to add permissions to private keys (run it from an elevated prompt and replace "thumbprint" with the new certificate's thumbprint):

# Find the certificate by thumbprint and read the unique name of its key container
$PrivateKey=(((Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -like "thumbprint"}).PrivateKey).CspKeyContainerInfo).UniqueKeyContainerName
# Machine (CSP) key containers are stored as files in this folder
$KeyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"
$FullPath=$KeyPath+$PrivateKey
# Add an Allow/Read ACE for the ADFS service account and write the ACL back
$acl=Get-Acl -Path $FullPath
$Permission="NT SERVICE\adfssrv","Read","Allow"
$AccessRule=New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
$acl.AddAccessRule($AccessRule)
Set-Acl $FullPath $acl

You can also, as I then remembered, just type NT SERVICE\drs or NT SERVICE\adfssrv into the certificates snap-in! It's been a long week.
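The one-off script above grants Read to a single account and assumes a legacy CSP key. As an added example (not code from the original post), the function below grants both service accounts Read on the key file, skips entries that already exist, locates CNG keys as well as CSP keys, and returns the resulting ACEs so the change can be confirmed. It assumes an RSA machine key and, for the CNG branch, .NET Framework 4.6 or later; the function name and parameters are hypothetical.

```powershell
# Added example: grant Read on a certificate's private key file to the ADFS
# and DRS service accounts, idempotently, and return the ACEs for verification.
function Grant-PrivateKeyRead {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string[]] $Accounts = @('NT SERVICE\adfssrv', 'NT SERVICE\drs')
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # Locate the key file: legacy CSP keys and CNG keys live in different folders.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFile = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $keyDir  = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = $rsa.Key.UniqueName
        $keyDir  = 'C:\ProgramData\Microsoft\Crypto\Keys'
    } else { throw "Unsupported private key type: $($rsa.GetType().Name)" }
    $fullPath = Join-Path $keyDir $keyFile
    if (-not (Test-Path $fullPath)) { throw "Key file not found: $fullPath" }

    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $acl  = Get-Acl -Path $fullPath
    foreach ($account in $Accounts) {
        # Skip accounts that already hold at least Read, so reruns do not stack ACEs.
        $existing = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $read) -eq $read)
        }
        if ($existing) { Write-Verbose "$account already has Read on $fullPath"; continue }
        # Read only: the service must use the key, never export or rewrite it.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $fullPath -AclObject $acl

    # Return the effective entries for the requested accounts so the caller can confirm them.
    (Get-Acl -Path $fullPath).Access |
        Where-Object { $Accounts -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (elevated prompt): Grant-PrivateKeyRead -Thumbprint '<thumbprint>' -Verbose
```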
