Today I received a customer notification that their Windows Azure Pack (WAP) Tenant Portal was no longer available and the web page was showing '500 Internal Server Error'.
This error code is fairly generic, but we soon noticed that on the ADFS side the token-signing certificate had been renewed automatically. Because the public key of the new ADFS signing certificate is published in the federation metadata file (https://server/federationmetadata/2007-06/federationmetadata.xml) and the WAP portal was still configured with the old one, it could no longer verify the tokens, which resulted in the 500 error.
More information about automatic renewal of ADFS certificates can be found here: https://technet.microsoft.com/en-us/library/dn781426.aspx
As described on TechNet:
If AutoCertificateRollover is set to TRUE, the AD FS certificates will be renewed and configured in AD FS automatically.
Once the new certificate is configured, in order to avoid an outage, you must ensure that each federation partner is updated with this new certificate.
So how do you update WAP with this new certificate?
The answer is actually simple. During the original configuration of WAP to authenticate against ADFS, we needed to run the following PowerShell script:
Set-MgmtSvcRelyingPartySettings -Target Tenant `
-MetadataEndpoint https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml `
-ConnectionString $portalConfigStoreConnectionString
Keep in mind that these settings are stored in the WAP SQL database (the PortalConfigStore), so you need to tell PowerShell how to connect to it:
$fqdn = 'fs.it.*****.***'
$dbServer = 'SQLINSTANCENAME\WAPDB'
$dbPassword = '*********'
$portalConfigStoreConnectionString = [string]::Format('Data Source={0};Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User ID=as;Password={1}', $dbServer, $dbPassword)
(Add this section before the Set-MgmtSvcRelyingPartySettings cmdlet.)
I only needed to rerun the same script and the certificate was updated on the WAP server; after this the portal was available again.
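A check-before-reapply version of the same procedure, as an added example that is not part of the original post: it reads the signing certificates ADFS currently publishes in the federation metadata, compares them with the thumbprints recorded the last time the script ran, and only then re-runs Set-MgmtSvcRelyingPartySettings. The state file location, the Read-Host prompt and the example FQDN are assumptions; the database user and catalog name are the ones from the post.

```powershell
# Added example (not from the original post): refresh the WAP tenant relying-party
# settings only when ADFS has published a new token-signing certificate.
# Assumptions: runs on the WAP server with the MgmtSvcConfig module installed, and
# keeps the last applied thumbprints in a small state file (assumed path below).
Import-Module MgmtSvcConfig

$fqdn       = 'fs.example.com'                            # ADFS farm name (placeholder)
$dbServer   = 'SQLINSTANCENAME\WAPDB'                     # placeholder, as in the post
$dbPassword = Read-Host 'Password for the WAP PortalConfigStore user'
$stateFile  = 'C:\ProgramData\WapAdfsSigningCert.txt'     # assumed location

$connString  = [string]::Format('Data Source={0};Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User ID=as;Password={1}', $dbServer, $dbPassword)
$metadataUrl = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"

# Signing certificates ADFS currently publishes (KeyDescriptor use="signing" only;
# the certificate that signs the metadata document itself is deliberately excluded).
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$published = $metadata.SelectNodes('//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        '{0} (expires {1:yyyy-MM-dd})' -f $cert.Thumbprint, $cert.NotAfter
    } | Sort-Object -Unique

Write-Host 'ADFS currently publishes these token-signing certificates:'
$published | ForEach-Object { Write-Host "  $_" }

# Compare with what was applied to WAP the last time this script ran.
$previous = if (Test-Path $stateFile) { Get-Content $stateFile } else { @() }
if (($previous -join ';') -eq ($published -join ';')) {
    Write-Host 'No change since the last run; WAP relying-party settings left untouched.'
    return
}

# The published certificate changed (e.g. AutoCertificateRollover), so refresh WAP
# with the same cmdlet that was used during the original configuration.
Set-MgmtSvcRelyingPartySettings -Target Tenant `
    -MetadataEndpoint $metadataUrl `
    -ConnectionString $connString
$published | Set-Content $stateFile
Write-Host "WAP tenant relying-party settings refreshed from $metadataUrl"
```

Run it as a scheduled task a few times a day and the rollover is picked up before tenants notice the 500 error.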