Introduction
ADFS 2.0 is, among other things, used to provide Single Sign-On capabilities to users in an Office 365 deployment. Basically, when a domain is configured for SSO, Microsoft will – for example when using Outlook – ‘redirect’ all incoming authentication requests to your on-premises ADFS deployment. In turn, ADFS will pass authentication to Active Directory and – if successful – craft a ‘special’ token that can be used to sign in to Office 365.
In order for Microsoft to be able to ‘redirect’ the incoming requests to ADFS, your deployment must be externally available. There are many ways to publish ADFS externally. What it actually comes down to is that an external URL is configured and secured with an SSL certificate. Through the configuration of a federated domain in Office 365, that external URL is passed on to Microsoft so that they know where to connect to.
ADFS uses multiple certificates: a Service Communication certificate, a Token-Signing certificate and a Token-Decrypting certificate. The latter two can use self-signed certificates, which is actually recommended. The Service Communication Certificate, however, is the one that is used to communicate with (external) clients and should be issued by a mutually trusted CA. (Note: a domain CA could be used as well, but that would limit your deployment’s capabilities.) The Subject Name (or Subject Alternative Name) of the Service Communication Certificate must match the service name (URL) of your deployment.
If – for whatever reason – you ever need to change that URL, there are just a few more steps needed than just changing the certificate. In this article, I will show you how to change the URL and make the appropriate changes in Office 365.
We’ll be using a standalone deployment of ADFS, which is a bit easier to reconfigure. Check “Additional Information” at the bottom of this article for more information on ADFS server farms.
Renaming the URL
Renaming the URL is pretty straightforward:
- Open the ADFS 2.0 Management console, select the root node and click “Edit Federation Service Properties”:
- Change the desired values in the Federation Service Properties window:
- Confirm and restart the ADFS 2.0 Windows service:

Changing the certificate(s)
Now that we’ve changed the URL, we should change the different certificates that are used as well. But before changing the certificate in ADFS, make sure that you’ve bound the correct new certificates to the Default Web Site in IIS:
Once that’s done, you can change the certificates for ADFS:
- Go back to the ADFS 2.0 Management Console and navigate to Certificates. Click “Add Token-Signing Certificate”:
- You will be presented with a warning:
- Disable the Automatic Certificate Rollover using PowerShell:
- Go back to the ADFS 2.0 Management Console and again click on “Add Token-Signing Certificate”:
- Select the appropriate certificate and confirm:
- Repeat step 5 for both the Token-Decrypting Certificate and the Service Communication Certificate.
Note: you probably did not publish your ADFS server directly onto the internet, but used either an ADFS Proxy or TMG to do this. Of course, changing the URL and certificate on the ADFS server requires updating the TMG or ADFS Proxy as well. For more information on configuring TMG, have a look at the following article, which focuses on creating a home lab for Office 365. There’s a topic about configuring TMG for ADFS as well:
Updating the URL in Office 365
Once you’ve updated everything on-premises, it’s time to update the configuration of Office 365 so that Microsoft is aware of the new endpoint URL as well:
- Open the Online Service Module for PowerShell and connect to Office 365:
- Once connected, run the following cmdlet. If you are running the Online Service Module from the ADFS Server, you can skip this step:
- Update the federated domain properties with the following cmdlet:
Note: replace <domainname> with the name of the federated domain
This is what the output would look like:
- Verify the domain properties to make sure that URL got updated using the following cmdlet:
You should check that the different URLs shown in the output match the new URL you’ve configured before:
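The manual comparison described above can be scripted. The following is an added example, not code from the original article: it reads the service name and primary Token-Signing certificate from the on-premises ADFS 2.0 server and compares them with what Office 365 holds for the federated domain. It assumes it runs on the ADFS server with the ADFS snap-in and the MSOnline module installed, that you have already run Connect-MsolService, and it uses `<domainname>` as a placeholder for your federated domain.

```powershell
# Added verification script (not from the original article).
# Assumptions: runs on the ADFS 2.0 server, ADFS snap-in and MSOnline module present,
# Connect-MsolService already done. Replace the placeholder domain name.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$domain = "<domainname>"   # placeholder: your federated domain

# On-premises side: federation service name, identifier and the primary Token-Signing certificate
$adfs       = Get-ADFSProperties
$onPremCert = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

# Cloud side: what Office 365 currently believes about this domain.
# SigningCertificate is returned as a base64 string, so rebuild it as an X509Certificate2.
$cloud      = Get-MsolDomainFederationSettings -DomainName $domain
$cloudBytes = [Convert]::FromBase64String($cloud.SigningCertificate)
$cloudCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$cloudBytes)

$expectedHost = $adfs.HostName
$checks = @(
    @{ Name = "Passive logon URL host matches ADFS service name"; OK = (([Uri]$cloud.PassiveLogOnUri).Host -eq $expectedHost) }
    @{ Name = "Active logon URL host matches ADFS service name";  OK = (([Uri]$cloud.ActiveLogOnUri).Host -eq $expectedHost) }
    @{ Name = "Metadata exchange URL host matches ADFS";          OK = (([Uri]$cloud.MetadataExchangeUri).Host -eq $expectedHost) }
    @{ Name = "Issuer URI matches ADFS identifier";               OK = ($cloud.IssuerUri -eq $adfs.Identifier.ToString()) }
    @{ Name = "Office 365 signing cert equals primary Token-Signing cert";
       OK = ($cloudCert.Thumbprint -eq $onPremCert.Thumbprint) }
    # The article disables rollover so ADFS cannot silently create a new signing
    # certificate that Office 365 has never been told about.
    @{ Name = "Automatic certificate rollover is disabled";       OK = (-not $adfs.AutoCertificateRollover) }
    @{ Name = "Token-Signing cert valid for more than 30 days";
       OK = ($onPremCert.Certificate.NotAfter -gt (Get-Date).AddDays(30)) }
)

$failed = 0
foreach ($c in $checks) {
    $state = if ($c.OK) { "OK  " } else { "FAIL"; $failed++ }
    Write-Host ("[{0}] {1}" -f $state, $c.Name)
}
Write-Host ("Cloud cert thumbprint:   {0}" -f $cloudCert.Thumbprint)
Write-Host ("On-prem cert thumbprint: {0}" -f $onPremCert.Thumbprint)
if ($failed -gt 0) { Write-Warning "$failed check(s) failed; run Update-MsolFederatedDomain again and re-verify." }
```

A FAIL on the signing-certificate or URL checks means Office 365 still redirects to, or trusts, the old configuration, and sign-ins will fail until the federated domain is updated.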

Additional Information – ADFS Server Farms
Reconfiguring the service names in an ADFS Server farm requires a bit more work. An ADFS Server farm uses a service account.
Whenever you update the URL, the SPN for that service account needs to be updated as well.
There’s a pretty good article on TechNet that will guide you through changing the SPN:
Posted 11-06-2011 12:42 by Michael Van Horenbeeck