PowerShell: Reset WAP Configuration

I was working on a project where we were both upgrading ADFS and migrating it from Azure to AWS – it was way more difficult than it should have been, and ADFS sure did not play nicely on AWS. Maybe it’s gotten better now, but it was overall quite the headache – the WAP servers kept losing their trust to the ADFS server, and needed to be reset constantly!

It was happening so many times that I ended up writing a script to automate the process – I figured it might be useful (or at least components of it), so I’m sharing it here. I drew heavily from Rhoderick’s process – I just put it all together so I could simply run the script whenever I needed to reset the configuration in one simple step.

Start by getting your ADFS certificate thumbnail, and storing it as a variable – remember that you should have the same third-party certificate installed on all your STS and WAP servers, so once you’ve gotten this variable set once you should be good to go until you have to renew your certificate. Your ADFS certificate will be installed in your local computer store, and will more than likely be named something like sts.domain.com:

[powershell]
Get-ChildItem -Path "Cert:LocalMachineMy"
[/powershell]

Now that we have our thumbprint, we’re going to store it in a variable – we’ll also capture our admin credentials at the same time so that we’re ready to use those when we need to reconfigure the Web Application Proxy.

[powershell]
$creds = Get-Credential
$cert = "C9ADFCB04C432C4C0F213BA6DECBDB107B76F102"
[/powershell]

The next piece of the puzzle here is to reset the reg key needed to tell the Web Application Proxy that it hasn’t been configured yet – a key value of 1 means Configured, while a key value of 1 means Not Configured.

[powershell]
# Set variables for updating the registry, in order to reset the WAP Config status
$regpath = "HKLM:SOFTWAREMicrosoftADFS"
$keyname = "ProxyConfigurationStatus"
$keyvalue = "1"
 
# Reset WAP Configuration Status
New-ItemProperty -Path $regpath -Name $keyname -Value $keyvalue -PropertyType DWORD -Force
[/powershell]

If you want to check what the current status of the key is, simply uncomment and run this line:

[powershell]
# Use this key to check the value of the registry key above.
# Get-ItemProperty -Path $regpath -Name $keyname
[/powershell]

This next step is my own personal housekeeping step – every time the WAP service resets, it creates a new “ADFS Proxy Trust” certificate, causing your certificate store to get cluttered. This next step simply deletes them all – there’s no problem doing this, as when you complete the script to re-install the web application proxy, it creates a new one.

[powershell]
# Remove all old WAP certificates from the local store – a new one will be generated once trust is established
Set-Location Cert:LocalMachineMy
Get-ChildItem | where {$_.Subject -match "CN=ADFS ProxyTrust"} | Remove-Item
Set-Location C:
[/powershell]

All clean!

The final step now is to install the Web Application Proxy – make sure to replace the Federation Service Name with your own STS server:

[powershell]
# Re-establish Federation Trust with the sts service.
Install-WebApplicationProxy -CertificateThumbprint $cert -FederationServiceName sts.masterandcmdr.com -FederationServiceTrustCredential $creds
[/powershell]

If all goes well, you should have a nice minty fresh WAP server ready to go, trusting the world as it once did!

If you found this useful, feel free to let me know – head over to Github if you’d like to download the whole thing and use it for yourself.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.