AD FS 2.0 – No certificate with thumbprint “…….” found

During the last week I was working for an identity project related to the new U-Prove CTP version of the Active Directory Federation Services 2.0.

As you know, when working with new technologies, it is very common to find blocking issues like this. This is why I want to share with you my experience.

Symptom

AD FS certificates cannot be changed neither from the Management Console nor PowerShell Cmdlet. You may receive an error message like No certificate with thumbprint “…….” found.

Solution

  1. Open the¬ Microsoft Management Console and add a new¬ Certificates Snap-in for Computer Account
    • Go to the Personal / Certificates node and open the new certificate you are going to use by doble-clicking on it
    • Select the Details tab and copy the Thumbprint value
  2. Open SQL Server Management Console
    • Select the AdFsConfiguration databaseNote: If you are using the Microsoft Internal Database you can use this connection string (¬ \.pipemssql$microsoft##sseesqlquery )
    • Open the¬ IdentityServerPolicy.ServiceSettings table and copy the¬ ServiceSettingsData field value (XML) to a Notepad
    • Find the missing Thumbprint values you got on the AD FS error message
    • Replace the found values by the new one certificate’s Thumbprint without empty spaces.
    • Update the¬ ServiceSettingsData field with the new XML configuration
      Note
      : XML contents must not BE tidy

  3. Go to to and refresh the Certificates node
  4. At this point you should see listed the new certificate
  5. If you are changing the Service Communications Certificate, open the Internet Information Service (IIS) Manager
    • Select the Default Website
    • Click on Bindings… action, go to the https row ad click on Edit…
    • Select the new certificate from the SSL certificate combo-box and click OK (Note: if you see an error message, click ok)



Leave a Reply