If you cannot find IIS on your ADFS server, it’s likely that IIS is not installed. However, you can still update the SSL certificate of ADFS without IIS. Here are the steps you can follow:
1. Obtain your TLS/SSL certificates: For production AD FS farms, a publicly trusted TLS/SSL certificate is recommended. AD FS obtains this certificate by submitting a certificate signing request (CSR) to a third-party, public certificate provider.
2. Import the certificate to the local machine store on each AD FS and WAP: After you get the response from your certificate provider, import it to the local machine store on each AD FS and WAP.
3. Install the new TLS/SSL certificate: On the primary AD FS server, use the following PowerShell cmdlet to install the new TLS/SSL certificate:

```powershell
Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'
```

Please replace `<thumbprint of new cert>` with the thumbprint of your new certificate.
The recommended way to replace the TLS/SSL certificate going forward for an AD FS farm is to use Microsoft Entra Connect. You can use the Microsoft Entra Connect tool to easily update the TLS/SSL certificate for the AD FS farm even if the user sign-in method selected is not AD FS.
Please note that the AD FS TLS/SSL certificate isn’t the same as the AD FS Service communications certificate found in the AD FS Management snap-in. To change the AD FS TLS/SSL certificate, you need to use PowerShell.
I hope this helps! If you have any more questions, feel free to ask.
References:
- Microsoft Documentation: https://video2.skills-academy.com/en-us/troubleshoot/windows-server/identity/change-ad-fs-2-dot-0-service-communications
- Microsoft Entra Connect: https://www.microsoft.com/en-us/entra/connect
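The import, bind and verify steps from the answer above as one PowerShell script, added here as an example and not taken from the original answer or from Microsoft's documentation. It assumes it is run by an AD FS administrator on the primary AD FS server (Windows Server 2016 or later); the PFX path and the password prompt are placeholders, and the pre-binding checks (private key present, expiry, SAN coverage, chain validation) are added here so a bad certificate is caught before the binding changes.

```powershell
# Added example: stage and check the new AD FS TLS/SSL certificate, bind it,
# then confirm every binding moved. Placeholder values are marked as such.
$PfxPath     = 'C:\certs\adfs-new.pfx'          # placeholder: issued certificate with private key
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import into the local machine personal store (AD FS needs the private key here).
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# 2. Checks worth doing before the binding is touched.
$adfsHost = (Get-AdfsProperties).HostName        # federation service name, e.g. sts.example.com
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires too soon: $($cert.NotAfter)" }
if ($cert.DnsNameList.Unicode -notcontains $adfsHost) {
    throw "Certificate SANs ($($cert.DnsNameList.Unicode -join ', ')) do not cover $adfsHost"
}
# Chain and server-authentication validation against the federation service name.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $adfsHost)) {
    throw 'Certificate failed chain or SSL policy validation.'
}

# 3. Record the current binding so the change can be reverted with the old thumbprint.
$before = Get-AdfsSslCertificate
$before | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# 4. Bind the new certificate. This is the cmdlet from the answer; on 2016 and later
#    the primary pushes the binding to the other farm nodes, but the PFX must already
#    have been imported into LocalMachine\My on each of them.
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint

# 5. Verify that no binding still references the previous certificate.
$after = Get-AdfsSslCertificate
$stale = $after | Where-Object { $_.CertificateHash -ne $cert.Thumbprint }
if ($stale) {
    Write-Warning 'Some AD FS SSL bindings still use another thumbprint:'
    $stale | Format-Table HostName, PortNumber, CertificateHash -AutoSize
} else {
    Write-Host "All AD FS SSL bindings now use $($cert.Thumbprint)"
}

# On each Web Application Proxy, after importing the same PFX, the WAP binding is
# updated separately with:
#   Set-WebApplicationProxySslCertificate -Thumbprint '<thumbprint of new cert>'
```

The script does not change the AD FS service communications certificate shown in the AD FS Management snap-in, which, as the answer notes, is a separate certificate.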