You know those tech “gotchas” that you discover the resolution to after hours and hours of frustration — which you promptly forget only to have them come out of nowhere months later? This post is about one of The. Most. Annoying. Gotchas I’ve ever encountered and, to make things right, a cool PowerShell cmdlet that makes it all OK.
In Active Directory Federation Services (AD FS) — and other Windows Server subsystems that use certificates — an admin often has to provide certificate “thumbprints” (a hash of the public key) to applications for use in communicating with AD FS. Applications use the thumbprint to validate the certs they receive from the various relying parties.
“No problem,” the typical admin thinks. “I’ll just cut-and-paste the thumbprint from the management console’s certificate snap-in into the app’s web.config file. 30 seconds of work.”
Gotcha! As you can see in the animated gif below, when you use the clipboard to cut-and-paste a certificate thumbprint, you get an invisible Unicode garbage character along with it. When you paste the value into your app’s connection definition, it won’t connect, and you can stare at the XML file until you are blue in the face, but you won’t see the Unicode character. I know I wanted to set fire to the EC2 instance I had this problem with until I discovered this Microsoft problem description — from 2010!
So, it’s clear Microsoft ain’t gonna fix this in my lifetime. But there’s an easy, one-liner PowerShell script you can run to obtain the thumbprint you need: Get-AdfsCertificate. As you see here, Get-AdfsCertificate outputs an object containing the thumbprint for each of the AD FS certificates. Very convenient!
Here’s a PowerShell script that pipes the output to a .csv file along with the cert type. Note the -Encoding ASCII parameter on Export-Csv, which keeps any non-ASCII character out of the file. Voila! No more gotcha.
Get-AdfsCertificate |
    Select-Object CertificateType, Thumbprint |
    Export-Csv -Path C:\temp\adfsthumbs.csv -Encoding ASCII -NoTypeInformation
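Because the stray character is invisible in both the console and the XML file, here is an added PowerShell example (mine, not from the original post or from Microsoft) that reports every non-hex character in a pasted thumbprint by code point and returns a cleaned value ready for web.config. The function name Test-Thumbprint and the sample thumbprint are my own constructions; the Get-AdfsCertificate comparison in the final comment only works on the AD FS server itself.

```powershell
# Added example, not from the original post: surface any invisible character
# in a pasted thumbprint and return a cleaned value before it reaches web.config.
function Test-Thumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint
    )

    # The certificate snap-in displays a SHA-1 thumbprint as 40 hex digits,
    # usually space-separated. Anything else (left-to-right mark U+200E,
    # non-breaking space, zero-width characters) is exactly what the console hides.
    $hidden = @(foreach ($ch in $Thumbprint.ToCharArray()) {
        if ($ch -notmatch '[0-9A-Fa-f ]') {
            'U+{0:X4}' -f [int]$ch
        }
    })

    # Strip everything that is not a hex digit and normalise case.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    [pscustomobject]@{
        Input       = $Thumbprint
        HiddenChars = $hidden          # empty array means the paste was clean
        Clean       = $clean
        IsValidSha1 = ($clean.Length -eq 40)
    }
}

# Constructed sample (not a real certificate): a thumbprint as it comes off the
# clipboard, with the leading U+200E (LEFT-TO-RIGHT MARK) the snap-in inserts.
$pasted = [string][char]0x200E + 'a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b'
$result = Test-Thumbprint -Thumbprint $pasted
$result | Format-List

# On the AD FS server itself you can confirm the cleaned value against what
# AD FS actually holds, e.g. for the token-signing certificate:
#   (Get-AdfsCertificate -CertificateType Token-Signing).Thumbprint -contains $result.Clean
```

If HiddenChars is non-empty you have found the gotcha; use the Clean value in the application’s configuration rather than the pasted one.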