
How to replace expired certificates on ADFS 3.0 the right way

1:44 pm in 2012R2, ADFS, ADFS 3.0, BYOD, certificates, Cloud, Enterprise Mobility Suite, Global Managed Service Account, IIS, Known Issue, Lab, Power Management, WAP, Web Application Proxy by Kenny Buntinx [MVP]


As with all IT equipment that uses certificates for enhanced security, there will be a time when the certificates expire and need to be replaced. Below you will find the procedure for ADFS 3.0 and the Web Application Proxy:

The first step is to create a new CSR on one of your servers and request a renewal of the existing certificate (in our case a * . After the request has been processed, download the certificate and import it on the server where you created the CSR earlier. For ADFS / WAP it is very important that the private key is exported together with the certificate, and you can only export the certificate with its private key on the server where you previously created the CSR. Export it with the private key to a *.pfx file and import that on both the WAP and the ADFS server.

If you do not do this as described above, with an export of the private key, you will face issues even if you follow the steps below exactly, as shown in the screenshot below:



Follow the procedure below , starting with the ADFS server:

  1. Log onto the ADFS server.
  2. Import the new certificate (the one exported with its private key) to the server. Make sure it is added to the Personal certificate store of the computer account.
  3. Find the thumbprint of the new certificate. Either use the certificate details view in the MMC, or use PowerShell and run Get-AdfsSslCertificate. Take a copy of the thumbprint and make sure all spaces are removed.
  4. Make sure that the service account running the ‘Active Directory Federation Services’ service is granted read access to the private key.
  5. Launch AD FS Management, expand ‘Service’ in the left pane, click ‘Certificates’, then click ‘Set Service Communications Certificate’.



  6. Restart the ADFS service. However, this is not enough: changes made in the GUI do not change the certificate binding in HTTP.sys. To complete the configuration change, run the following PowerShell command: Set-AdfsSslCertificate -Thumbprint <Thumbprintofyourcertificate>
  7. Make sure to restart the server.

Now you need to log onto the WAP server.

  1. Import the new certificate (exported with its private key) to the server, as you did on the ADFS server.
  2. Run the PowerShell command that changes the certificate: Set-WebApplicationProxySslCertificate -Thumbprint <Thumbprintofyourcertificate>
  3. All publishing rules defined in the WAP need to be updated with the thumbprint of the new certificate. Use PowerShell to update them with the new thumbprint. Run: Get-WebApplicationProxyApplication -Name "WebAppPublishingRuleName" | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint "<Thumbprintofyourcertificate>"
  4. Restart the Web Application Proxy services to complete the configuration
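The whole ADFS + WAP procedure above as one PowerShell script, added here as an example (it is not from the original post). The subject filter and the service account name are placeholders, and it assumes the renewed certificate has already been imported, with its private key, into the computer's Personal store on the server it runs on.

```powershell
# Added example (not from the original post): rotate the ADFS / WAP SSL certificate
# by thumbprint and check the private-key prerequisites the post calls out.
# Assumptions: the renewed certificate was already imported (with private key) into
# the computer's Personal store; subject and service account below are placeholders.
$SubjectMatch    = 'example.com'           # placeholder: part of the renewed certificate's subject
$AdfsServiceUser = 'CONTOSO\svc_adfs$'     # placeholder: account running the ADFS service

# 1. Newest certificate for that subject that actually carries a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches '$SubjectMatch'." }

# 2. Thumbprint with whitespace stripped, as Set-AdfsSslCertificate expects.
$thumb = ($cert.Thumbprint -replace '\s', '').ToUpper()
Write-Host "Selected $($cert.Subject), expires $($cert.NotAfter), thumbprint $thumb"

# 3. Can the service account read the private key? (CSP/RSA keys only; CNG keys
#    are stored elsewhere and need the certlm.msc 'Manage Private Keys' check.)
$keyName = $null
try { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
if ($keyName) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
    $hasRead = (Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $AdfsServiceUser -and
        $_.FileSystemRights -match 'Read|FullControl' }
    if (-not $hasRead) { Write-Warning "$AdfsServiceUser has no read access to the private key." }
}

# 4. ADFS server: rebind the HTTP.sys listener, restart the service, confirm the binding.
if (Get-Command Set-AdfsSslCertificate -ErrorAction SilentlyContinue) {
    Set-AdfsSslCertificate -Thumbprint $thumb
    Restart-Service adfssrv          # the post reboots the whole server after this step
    Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
}

# 5. WAP server: rebind the proxy, then point every publishing rule at the new thumbprint.
if (Get-Command Set-WebApplicationProxySslCertificate -ErrorAction SilentlyContinue) {
    Set-WebApplicationProxySslCertificate -Thumbprint $thumb
    Get-WebApplicationProxyApplication |
        Where-Object { $_.ExternalCertificateThumbprint -ne $thumb } |
        ForEach-Object { Set-WebApplicationProxyApplication -ID $_.ID -ExternalCertificateThumbprint $thumb }
    Restart-Service appproxysvc
    Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, ExternalCertificateThumbprint -AutoSize
}
```

Run it once on the ADFS server and once on the WAP server; each section only executes where its cmdlets exist, and the final table on each side shows whether the binding and all publishing rules carry the new thumbprint.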

Now you are done and you are a happy admin once more. It took me some time to figure it out.

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

PXE in SCCM : Issues & Bugs

2:06 pm in ConfigMgr 2007, Lab, SCCM 2007 by Kenny Buntinx [MVP]

And the story continues around the famous OSD deployment. It worked flawlessly after I struggled the last time at the test lab at the customer's; now we moved it to production and guess what happened … right, it did not work.

 After opening the smspxe.log it showed me this error :

<![LOG[Closing image file C:\RemoteInstall\SMSImages\SMSPKG\PGN00028\boot.PGN00028.wim]LOG]!><time="15:15:09.963+300" date="03-18-2008" component="smspxe" context="" type="1" thread="860" file="wimfile.cpp:291">
<![LOG[Mutex was not owned. Now have ownership.]LOG]!><time="15:15:09.963+300" date="03-18-2008" component="smspxe" context="" type="0" thread="860" file="TSBoot.h:671">
<![LOG[Unable to delete directory C:\WINDOWS\TEMP\PXEBootFiles\Windows\Boot\PXE (0x80070005).  Continuing.]LOG]!><time="15:15:13.176+300" date="03-18-2008" component="smspxe" context="" type="1" thread="860" file="ccmfile.cpp:992">
<![LOG[Unable to delete directory C:\WINDOWS\TEMP\PXEBootFiles\Windows\Boot (0x80070005).  Continuing.]LOG]!><time="15:15:13.176+300" date="03-18-2008" component="smspxe" context="" type="1" thread="860" file="ccmfile.cpp:992">
<![LOG[Unable to delete directory C:\WINDOWS\TEMP\PXEBootFiles\Windows (0x80070091).  Continuing.]LOG]!><time="15:15:13.176+300" date="03-18-2008" component="smspxe" context="" type="1" thread="860" file="ccmfile.cpp:992">
<![LOG[Warning: Failed to copy the needed boot binaries from the boot image C:\RemoteInstall\SMSImages\SMSPKG\PGN00028\boot.PGN00028.wim.
Cannot create a file when that file already exists. (Error: 800700B7; Source: Windows)]LOG]!><time="15:15:13.176+300" date="03-18-2008" component="smspxe" context="" type="3" thread="860" file="bootimagemgr.cpp:1060">

I looked into the c:\windows\temp folder but there was no PXEBootFiles folder to see… The Windows\Temp\pxebootfiles folder does not exist. Should it? Or is this a red herring? I looked it up at a command prompt with the Attrib command, and yes, there was a hidden folder that nobody had access to.

The problem was goofy ACLs on c:\Windows\temp\pxebootfiles. When I attempted to revise the security, I got an Access is Denied message. Once the above directory was deleted, the SMSBoot folder would populate when the boot image was refreshed on the PXE point.

 I reported it as a bug @ the SCCM product team …
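A PowerShell check for the situation described above, added here as an example (not from the original post): it lists the hidden staging folder that plain dir does not show, reports its owner and ACL, and removes it so the boot files can be re-extracted when the boot image is refreshed. It assumes it is run elevated on the PXE service point and that the path is the one from the log.

```powershell
# Added example (not from the original post): inspect and clear the hidden
# PXEBootFiles staging folder that smspxe.log reports as undeletable.
# Assumption: run elevated on the PXE service point; path taken from the log above.
$StagingDir = Join-Path $env:SystemRoot 'Temp\PXEBootFiles'

# A plain 'dir' hides it; -Force also lists hidden and system items.
$dir = Get-Item -LiteralPath $StagingDir -Force -ErrorAction SilentlyContinue
if (-not $dir) {
    Write-Host "$StagingDir is not present; nothing to clean up."
    return
}
Write-Host "Attributes: $($dir.Attributes)"

# Reading the ACL itself can fail with Access is denied on a broken ACL: report, don't stop.
try {
    $acl = Get-Acl -LiteralPath $StagingDir
    Write-Host "Owner: $($acl.Owner)"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} catch {
    Write-Warning "Cannot read ACL on ${StagingDir}: $($_.Exception.Message)"
}

# Take ownership as the Administrators group, grant full control down the tree, then delete.
& takeown.exe /F $StagingDir /A /R /D Y | Out-Null
& icacls.exe $StagingDir /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null
Remove-Item -LiteralPath $StagingDir -Recurse -Force -ErrorAction SilentlyContinue

if (Test-Path -LiteralPath $StagingDir) {
    Write-Warning "Removal failed; refresh the boot image only once the folder is gone."
} else {
    Write-Host "Removed $StagingDir. Refresh the boot image on the PXE point to repopulate SMSBoot."
}
```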



The Virtual Data Center: VMM will manage VI3 infrastructure

10:23 am in Lab, Virtual machine by Kenny Buntinx [MVP]

In the first keynote of MMS 2008, VP Bob Muglia talked about Dynamic IT: Transforming Management and the Data Center. He confirmed what most of us already understood: virtualization is the way to go, especially for data center environments. The announcement of the VM Manager Beta 2 release was followed by a short demo that showed SCVMM managing a heterogeneous VM environment of Windows Hyper-V and ESX servers. For ESX, VMM drills into the VM tools installed on the virtual machine, so you are actually able to perform a guest-OS migration between ESX host servers.



Building a great Virtual Machine

3:43 pm in Lab, Training, Virtual machine by Kenny Buntinx [MVP]

Hi all,

This post isn’t really SMS 2003 or SCCM 2007 related, but all of us tend to build virtual lab environments every once in a while. After some thinking I came up with some guidelines I will try to keep to when building virtual machines from now on. This is the list I came up with so far.

  • Domain name and passwords should be keyboard agnostic (i.e. be the same on AZERTY/QWERTY)
    • Domain Example:
    • Password Example: Topsecret
  • The lab layout should be set as the background image, like in the screenshot
  • The lab should contain the lab credentials set with bginfo
    • The saved parameters file and the windows background should be saved to a folder called c:\bginfo
    • Create login script with saved bginfo parameters file to run as login script.




  • The machine should allow you to shutdown/ restart from the ctrl-alt-del box
  • The welcome page should be disabled
  • System restore should be disabled
  • The shutdown event tracker should be disabled
  • password complexity should be disabled
  • Changing the computer account password should be disabled.
  • Screensaver should be disabled
  • Showing icons on the desktop should be disabled (you didn’t spend all this time on building backgrounds to have them cluttered with icons)
  • All passwords should be configured to not expire
  • VMs should be running on the latest service pack
  • Your last login should be with the user that people will need in the lab, so that it is prefilled when pressing Ctrl-Alt-Del
  • The C:\ drive should contain a folder called buildguide and an RTF file with the steps taken to create the VM; this way you can see what preparatory action has been taken to make the labs work.

So I created my lab environment in Visio and saved the different Visio diagrams as BMPs.

And I set a lot of the above options using a GPO; I backed up the GPO and saved it. The GPO can be found here:

And you could obviously import it back on any domain controller using gpmc.
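For a lab VM that is not domain-joined yet, or where you would rather not import the GPO, the script below applies several of the items from the list above locally. It is an added example, not the author's GPO or any code from the post; the registry locations are the documented policy values for those settings, while the c:\bginfo folder, the lab.bgi file name and the logon.cmd name are assumptions taken from the post's convention. The password-policy changes weaken the domain and belong only in a throwaway lab domain.

```powershell
# Added example (not from the original post): apply lab-VM guidelines from the list
# above locally. Registry paths are the documented policy locations; the bginfo folder,
# .bgi file and logon script name are assumptions based on the post's c:\bginfo convention.
function Set-LabVmDefaults {
    param([string]$BgInfoDir = 'C:\bginfo', [string]$BgiFile = 'lab.bgi')

    # Shutdown event tracker off
    $rel = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability'
    New-Item -Path $rel -Force | Out-Null
    Set-ItemProperty -Path $rel -Name ShutdownReasonOn -Type DWord -Value 0
    Set-ItemProperty -Path $rel -Name ShutdownReasonUI -Type DWord -Value 0

    # Stop the machine from rotating its own computer-account password
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name DisablePasswordChange -Type DWord -Value 1

    # Per-user: no screensaver and no desktop icons, so the lab-layout wallpaper stays visible
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveActive -Value '0'
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
        -Name HideIcons -Type DWord -Value 1

    # System Restore off for the system drive (cmdlet exists on Windows 7 / 2008 R2 and later)
    if (Get-Command Disable-ComputerRestore -ErrorAction SilentlyContinue) {
        Disable-ComputerRestore -Drive "$env:SystemDrive\"
    }

    # Lab domain only: no complexity, passwords never expire (needs the AD module on a DC)
    if (Get-Command Set-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) {
        Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
            -ComplexityEnabled $false -MaxPasswordAge ([TimeSpan]::Zero)
    }

    # Logon script that stamps the saved BGInfo parameters onto the wallpaper at every logon
    New-Item -ItemType Directory -Path $BgInfoDir -Force | Out-Null
    $script = Join-Path $BgInfoDir 'logon.cmd'
    $cmd = "@echo off`r`n`"$BgInfoDir\bginfo.exe`" `"$BgInfoDir\$BgiFile`" /timer:0 /silent /nolicprompt"
    Set-Content -Path $script -Value $cmd
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
        -Name LabBgInfo -Value "`"$script`""
    return $script
}

Set-LabVmDefaults
```

Run it elevated on the VM; the per-user settings apply to the account you are logged on with, which on a lab machine should be the account the lab users will get.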


“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS