Recently I encountered a problem with authenticating via my ADFS Server because of an internal PKI CRL that was not reachable (resource provided by a third party, users in my organization). It turns out you can actually disable Revocation Check per Relying Party Trust with PowerShell!
Enumerate your Relying Party Trusts (together with their Revocation Check settings) with the following PowerShell command:
Get-AdfsRelyingPartyTrust | Select-Object Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
In the resulting list you will find your Relying Party Trusts and their Revocation Check settings. The default for both signing and encryption is “CheckChainExcludeRoot”, which builds the partner certificate's chain and checks revocation for every certificate except the root. Keep that default unless you have a concrete reason not to: once the check is set to “None”, a token signed with a certificate the partner has since revoked (for example after a key compromise) is still accepted, and the only fix on your side is to remove or re-key the trust. Occasionally you will find a reason to disable the Revocation Check (internal PKIs whose CRL is not published where your ADFS can reach it, ADFS without internet access, etc.). Scope the change to the one affected trust, never to all of them, and revert it once the CRL is reachable again.
Disable the Revocation Check by using this command:
Possible values for the “SigningCertificateRevocationCheck” and “EncryptionCertificateRevocationCheck” parameters:
Refer to https://technet.microsoft.com/en-us/library/ee892363.aspx for more information.
If you are on the other side of the trust (you are the Relying Party and have a Claims Provider Trust), the procedure is the same: replace Get-AdfsRelyingPartyTrust with Get-AdfsClaimsProviderTrust and Set-AdfsRelyingPartyTrust with Set-AdfsClaimsProviderTrust. Both Set cmdlets take the same -SigningCertificateRevocationCheck and -EncryptionCertificateRevocationCheck parameters.
Also, -Identifier must be the full identifier string exactly as it appears in the output of Get-AdfsRelyingPartyTrust (in this case https://identifier-URL/adfs/ls/), not just the hostname; a partial match returns nothing and nothing gets changed.
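The whole procedure above (look up the trust, change both revocation settings, verify, and later restore the default) wrapped into one function, as an added example that is not part of the original post. It assumes the ADFS PowerShell module is available on the ADFS server and that the identifier you pass exists; the identifier value below is a placeholder, and the function name Set-AdfsTrustRevocationCheck is my own. It goes a little beyond the post in two ways: the -Mode parameter accepts every value the Set-Adfs*Trust cmdlets allow, so you can pick a “CacheOnly” mode (use the cached CRL, never fetch it) instead of switching the check off entirely, and the audit snippet at the end finds trusts whose check is already “None”.

```powershell
# Added example, not the original post's code. Assumes the ADFS module on an ADFS 3.0 server.
function Set-AdfsTrustRevocationCheck {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Full identifier string exactly as listed by Get-AdfsRelyingPartyTrust / Get-AdfsClaimsProviderTrust.
        [Parameter(Mandatory = $true)]
        [string] $Identifier,

        # All values accepted by -SigningCertificateRevocationCheck / -EncryptionCertificateRevocationCheck.
        # The *CacheOnly variants validate against an already-cached CRL without downloading one, which is
        # usually a better fit for "ADFS without internet" than disabling the check with None.
        [ValidateSet('None', 'CheckEndCert', 'CheckEndCertCacheOnly', 'CheckChain',
                     'CheckChainCacheOnly', 'CheckChainExcludeRoot', 'CheckChainExcludeRootCacheOnly')]
        [string] $Mode = 'CheckChainExcludeRoot',   # the default, so calling without -Mode restores it

        # Use this switch when you are the Relying Party and the trust is a Claims Provider Trust.
        [switch] $ClaimsProvider
    )

    $show = 'Name', 'Identifier', 'SigningCertificateRevocationCheck', 'EncryptionCertificateRevocationCheck'

    # Look the trust up by its full identifier; the Get cmdlets return nothing on a partial match.
    $trust = if ($ClaimsProvider) {
        Get-AdfsClaimsProviderTrust -Identifier $Identifier
    } else {
        Get-AdfsRelyingPartyTrust -Identifier $Identifier
    }
    if (-not $trust) {
        throw "No trust found with identifier '$Identifier'. Pass the exact string shown by Get-Adfs*Trust."
    }

    Write-Host "Before:"
    $trust | Select-Object $show | Format-List | Out-String | Write-Host

    # -WhatIf / -Confirm are honoured here, so you can dry-run the change on a production farm.
    if ($PSCmdlet.ShouldProcess($Identifier, "Set signing and encryption revocation check to '$Mode'")) {
        if ($ClaimsProvider) {
            $trust | Set-AdfsClaimsProviderTrust -SigningCertificateRevocationCheck $Mode `
                                                 -EncryptionCertificateRevocationCheck $Mode
            $after = Get-AdfsClaimsProviderTrust -Identifier $Identifier
        } else {
            $trust | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck $Mode `
                                               -EncryptionCertificateRevocationCheck $Mode
            $after = Get-AdfsRelyingPartyTrust -Identifier $Identifier
        }

        # Verify by re-reading the trust rather than trusting the Set call silently.
        if ($after.SigningCertificateRevocationCheck -ne $Mode -or
            $after.EncryptionCertificateRevocationCheck -ne $Mode) {
            throw "Revocation check on '$Identifier' was not changed to '$Mode'."
        }
        Write-Host "After:"
        $after | Select-Object $show | Format-List | Out-String | Write-Host
    }
}

# --- usage (placeholder identifier from the post; replace with your own) ---

# Dry run first, then the post's change: switch the check off for this one relying party only.
Set-AdfsTrustRevocationCheck -Identifier 'https://identifier-URL/adfs/ls/' -Mode None -WhatIf
Set-AdfsTrustRevocationCheck -Identifier 'https://identifier-URL/adfs/ls/' -Mode None

# Same thing from the other side of the trust (Claims Provider Trust).
Set-AdfsTrustRevocationCheck -Identifier 'https://identifier-URL/adfs/ls/' -Mode None -ClaimsProvider

# Once the CRL is reachable again, put the default back.
Set-AdfsTrustRevocationCheck -Identifier 'https://identifier-URL/adfs/ls/' -Mode CheckChainExcludeRoot

# Audit: which trusts have had revocation checking switched off? Run this periodically so a
# "temporary" exception does not outlive the CRL outage that justified it.
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.SigningCertificateRevocationCheck -eq 'None' -or
                   $_.EncryptionCertificateRevocationCheck -eq 'None' } |
    Select-Object Name, Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```

The function pipes the object returned by the Get cmdlet into the matching Set cmdlet, which is the same pattern the post uses; it then reads the trust back and fails loudly if the values did not change, so a typo in the identifier cannot pass as success.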
One Reply to “ADFS 3.0 Disable Revocation Check (Windows 2012 R2)”
To change (set) the values, you have to execute:
Set-AdfsRelyingPartyTrust -Identifier | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
In the above it says:
Get-AdfsRelyingPartyTrust -Identifier | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None