Hi mates. Today we’re going to cover how to check the token signing and token decrypting certificates in the certificate store when the AD FS service runs under a gMSA (Group Managed Service Account). The AD FS self-signed token signing and token decrypting certificates (the ones created by automatic certificate rollover) are stored in the personal certificate store of the service account that runs AD FS; certificates you issued from a CA live in the local machine store instead.
Normally, when you want to inspect the personal certificate store of a service account in AD FS, you run a command prompt as that user. With a gMSA that does not work: its password is generated and rotated by Active Directory and is only retrievable by the computers authorized for it, so you never have a password to type. Here is a tip to help you open the gMSA’s certificate store anyway and check the self-signed token signing and token decrypting certificates.
Opening User Certificate Store for gMSA account
First, download PsTools from Microsoft Sysinternals and copy PsExec64.exe to your AD FS server.
Then, from an elevated PowerShell prompt, run the command below to find out which gMSA account the AD FS service (adfssrv) runs as:
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\adfssrv | Select-Object ObjectName
Open a command prompt as administrator, navigate to the directory where you copied PsExec64.exe and execute it with the parameters below (keep the trailing $ on the gMSA name; the ~ is a placeholder, since the real password is retrieved locally by the LSA, which is why this only works on a host that is allowed to retrieve the gMSA’s password, such as the AD FS server itself):
PSExec64.exe -i -u Domain\gMSA$ -p ~ cmd.exe
Another command prompt window will open in the gMSA’s context (run whoami there to confirm the account). Run certmgr.msc from that window to open the certificate store of the gMSA user account. Keep in mind that anyone who can do this can also export the private keys, so local administrator rights on an AD FS server are equivalent to holding the token signing key.

Now we can see all certificates that belong to the certificate store of the gMSA account, including the AD FS self-signed token signing and token decrypting certificates.
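If you prefer a scripted check to clicking through certmgr.msc, the following PowerShell, added here as an example and not part of the original post, does the same comparison in one pass: it takes the thumbprints AD FS reports for its token signing and token decrypting certificates and looks each one up in the personal store of the account you are currently running as. Start powershell.exe from the command prompt that PsExec opened in the gMSA context and run it there; it assumes the AD FS PowerShell module is available, which it is on any AD FS server. The function name Test-AdfsTokenCertStore is my own.

```powershell
# Added example, not code from the original post.
# Run inside the PsExec-spawned console so that Cert:\CurrentUser is the gMSA's store.
function Test-AdfsTokenCertStore {
    # Identity of the current process, so the output shows whose store was inspected
    $runningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # What AD FS believes it is using for token signing / decrypting
    $adfsCerts = Get-AdfsCertificate |
        Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' }

    # What is actually present in this user's personal store
    $storeCerts = Get-ChildItem -Path Cert:\CurrentUser\My

    foreach ($c in $adfsCerts) {
        $match = $storeCerts | Where-Object { $_.Thumbprint -eq $c.Thumbprint }

        [pscustomobject]@{
            RunningAs     = $runningAs
            Type          = $c.CertificateType
            Primary       = $c.IsPrimary
            Thumbprint    = $c.Thumbprint
            # Where AD FS expects the certificate (CurrentUser\My for self-signed ones,
            # LocalMachine\My for CA-issued ones, which this user store will not contain)
            ExpectedStore = "$($c.StoreLocation)\$($c.StoreName)"
            InUserStore   = [bool]$match
            HasPrivateKey = if ($match) { $match.HasPrivateKey } else { $null }
            NotAfter      = if ($match) { $match.NotAfter } else { $null }
        }
    }
}

Test-AdfsTokenCertStore | Format-Table -AutoSize
```

A row with InUserStore set to False while ExpectedStore says CurrentUser\My means the gMSA's store has lost a certificate AD FS still references, which is exactly the failure this check is meant to surface; a False row whose ExpectedStore is LocalMachine\My is normal, because that certificate was never in the user store to begin with. HasPrivateKey should be True for every self-signed certificate found, since AD FS cannot sign or decrypt with the public half alone.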

Summary
In this article, we covered how to open the certificate store as a gMSA account so that you can validate the self-signed token signing and token decrypting certificates.
I hope you enjoyed reading this article and that it helps you manage your AD FS environment.
Enjoyed the article? Like and share. 🙂
In case you have any suggestion or feedback, please leave a comment.
[ ]’s
Ulysses Neves