Microsoft

ADFS 3.0 Disable Revocation Check (Windows 2012 R2)

Recently I ran into a problem authenticating through my ADFS server because the CRL of an internal PKI could not be reached (the resource was provided by a third party; the users were in my organization). ADFS validates the partner's signing and encryption certificates against their CRLs, so an unreachable CRL makes the whole trust fail. It turns out you can disable the revocation check per Relying Party Trust with PowerShell.

Enumerate your Relying Party Trusts (and their revocation settings) with the following PowerShell command:

[powershell]
Get-AdfsRelyingPartyTrust | Select-Object Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
[/powershell]

In the resulting list you will find your Relying Party Trusts and their revocation check settings. The default is "CheckChainExcludeRoot" for both signing and encryption, and it is the recommended setting: with revocation checking disabled, ADFS keeps accepting tokens signed with (and keeps encrypting tokens for) a partner certificate that the issuing CA has revoked, until someone removes the certificate from the trust by hand. Occasionally you will still find a reason to disable the check (internal PKIs whose CRL distribution point is not reachable from the ADFS servers, ADFS without internet access, etc.). Before doing so, consider fixing CRL reachability (for example a proxy or a published CDP), or one of the "CacheOnly" values below, which use only CRLs already cached on the server instead of fetching them. Whatever you choose, apply it only to the single affected trust, not to all trusts.

Disable the revocation check for one trust by using this command (replace the placeholder with the trust's identifier; see the note at the end about the exact identifier value):

[powershell]
Get-AdfsRelyingPartyTrust -Identifier "<identifier-of-the-trust>" | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
[/powershell]

Re-run the enumeration command afterwards to confirm that only the intended trust shows "None".

Possible values for the "SigningCertificateRevocationCheck" and "EncryptionCertificateRevocationCheck" parameters ("Chain" values check every certificate in the chain, "EndCert" values only the partner certificate itself, "ExcludeRoot" skips the self-signed root, and "CacheOnly" values use only revocation data already cached on the server, with no network retrieval):

  • None
  • CheckEndCert
  • CheckEndCertCacheOnly
  • CheckChain
  • CheckChainCacheOnly
  • CheckChainExcludeRoot
  • CheckChainExcludeRootCacheOnly

Refer to https://technet.microsoft.com/en-us/library/ee892363.aspx for more information.

Update:

If you are on the other side of the trust (you are the Relying Party and have a Claims Provider Trust), just replace Get-AdfsRelyingPartyTrust with Get-AdfsClaimsProviderTrust and Set-AdfsRelyingPartyTrust with Set-AdfsClaimsProviderTrust. It works exactly the same way, and the same caveat about revoked certificates applies.

Also, the identifier must be given exactly as it appears in the trust's Identifier property, i.e. the whole path (for example https://identifier-URL/adfs/ls/) and not just the host name; the enumeration command above shows the exact value to use.
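To tie the two halves of this post together, here is an added example (my own script, not code from the original post or from Microsoft) that audits both Relying Party Trusts and Claims Provider Trusts for weakened revocation settings and changes the setting on a single trust, found by its identifier on either side of the trust, with -WhatIf support so the change can be previewed. It assumes the ADFS PowerShell module is available on the ADFS server (Windows Server 2012 R2) and that the session is elevated; the trust identifiers in the usage comments are placeholders.

```powershell
# Added example, not part of the original post. Assumes the ADFS module is loaded
# (Windows Server 2012 R2 ADFS 3.0) and the session runs elevated on the ADFS server.

$Default = 'CheckChainExcludeRoot'   # ADFS default for signing and encryption checks

function ConvertTo-TrustRow {
    # Normalizes a relying party or claims provider trust into one report row.
    param([string]$TrustType, $Trust)
    $signing    = [string]$Trust.SigningCertificateRevocationCheck
    $encryption = [string]$Trust.EncryptionCertificateRevocationCheck
    [pscustomobject]@{
        TrustType  = $TrustType
        Name       = $Trust.Name
        Identifier = ($Trust.Identifier -join ', ')   # string on CP trusts, array on RP trusts
        Signing    = $signing
        Encryption = $encryption
        # Anything other than the default (including the CacheOnly variants) is flagged.
        Weakened   = ($signing -ne $Default) -or ($encryption -ne $Default)
    }
}

function Get-AdfsTrustRevocationReport {
    # Returns one row per trust on both sides of the federation.
    Get-AdfsRelyingPartyTrust   | ForEach-Object { ConvertTo-TrustRow 'RelyingParty'   $_ }
    Get-AdfsClaimsProviderTrust | ForEach-Object { ConvertTo-TrustRow 'ClaimsProvider' $_ }
}

function Set-AdfsTrustRevocationCheck {
    # Sets both revocation checks on exactly one trust, looked up by identifier.
    # Tries the relying party side first, then the claims provider side.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identifier,
        [ValidateSet('None', 'CheckEndCert', 'CheckEndCertCacheOnly', 'CheckChain',
                     'CheckChainCacheOnly', 'CheckChainExcludeRoot', 'CheckChainExcludeRootCacheOnly')]
        [string]$Mode = $Default
    )
    $rp = Get-AdfsRelyingPartyTrust -Identifier $Identifier
    if ($rp) {
        if ($PSCmdlet.ShouldProcess($rp.Name, "Set revocation check to $Mode (relying party trust)")) {
            $rp | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck $Mode `
                                            -EncryptionCertificateRevocationCheck $Mode
        }
        return
    }
    $cp = Get-AdfsClaimsProviderTrust -Identifier $Identifier
    if ($cp) {
        if ($PSCmdlet.ShouldProcess($cp.Name, "Set revocation check to $Mode (claims provider trust)")) {
            $cp | Set-AdfsClaimsProviderTrust -SigningCertificateRevocationCheck $Mode `
                                              -EncryptionCertificateRevocationCheck $Mode
        }
        return
    }
    Write-Error "No relying party or claims provider trust with identifier '$Identifier'"
}

# Usage (identifiers below are placeholders):
# 1. Audit: list every trust that does not use the default on both checks.
#    Get-AdfsTrustRevocationReport | Where-Object Weakened | Format-Table -AutoSize
# 2. Preview, then apply, a change for a single trust whose CRL is unreachable.
#    Set-AdfsTrustRevocationCheck -Identifier 'https://partner.example.com/adfs/ls/' -Mode None -WhatIf
#    Set-AdfsTrustRevocationCheck -Identifier 'https://partner.example.com/adfs/ls/' -Mode CheckChainExcludeRootCacheOnly
# 3. Restore the default once the CRL is reachable again.
#    Set-AdfsTrustRevocationCheck -Identifier 'https://partner.example.com/adfs/ls/'
```

The audit function is the part worth keeping around: run it after any change, and periodically, so that a trust left on "None" during an incident does not quietly stay that way. The setter defaults to the ADFS default value, so calling it with only an identifier restores the secure setting.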