There is an IP-specific binding

An IP:port binding takes the highest precedence in http.sys. If an IP:port binding exists for the port that AD FS listens on, http.sys always uses the certificate of that binding for SSL communication, regardless of the certificate configured in the AD FS Hostname:port binding. To solve this problem, use one of the following methods.

Method 1: Remove the IP:port binding

Be aware that the IP:port binding may come back after you remove it. For example, the application that created the binding may recreate it automatically the next time its service starts. The Application ID shown in the binding identifies which application owns it.

Method 2: Use another IP address for AD FS SSL communication

If the IP:port binding is required, resolve the AD FS service FQDN to another IP address that is not used in any IP:port binding. That way, http.sys falls back to the Hostname:port binding for SSL communication.

Method 3: Set AdfsTrustedDevices as the CTL Store for the IP:port binding

Use this method only as a last resort, when the methods above can't be used. Before you change the CTL store of the IP:port binding from the default to AdfsTrustedDevices, make sure that you understand the following:

  • Why the IP:port binding exists, and which application created it.

  • Whether the binding relies on the default CTL store for client certificate authentication. The CTL store determines which certificate issuers http.sys accepts and advertises for client certificates on that binding, so changing it to AdfsTrustedDevices can break client certificate authentication for the application that owns the binding.
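The checks and changes in Method 1 and Method 3 can be scripted. The following PowerShell is an added example, not code from the original article or from Microsoft: it parses the output of netsh http show sslcert, flags IP:port bindings on the AD FS port and compares their certificate with the one AD FS expects, and then either removes a binding (Method 1) or recreates it with AdfsTrustedDevices as the CTL store (Method 3). It assumes that it runs elevated on an AD FS server that has the ADFS PowerShell module (for Get-AdfsSslCertificate); the function names are our own.

```powershell
# Added example (not from the original article): inventory http.sys SSL bindings,
# flag IP:port bindings that shadow the AD FS Hostname:port binding, and apply
# Method 1 (remove) or Method 3 (recreate with the AdfsTrustedDevices CTL store).
# Assumes an elevated session on the AD FS server; function names are our own.

function Get-HttpSysSslBinding {
    # Parse the text output of 'netsh http show sslcert' into objects.
    # Each entry starts with either an "IP:port" or a "Hostname:port" line,
    # followed by "Name : Value" lines (Certificate Hash, Application ID, ...).
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ Kind = $matches[1]; Endpoint = $matches[2] }
        }
        elseif ($current -and $line -match '^\s*(.+?)\s*:\s*(.*?)\s*$') {
            $current[$matches[1]] = $matches[2]
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

function Find-ShadowingIpBinding {
    # List IP:port bindings on the AD FS port and compare their certificate
    # with the one AD FS is configured to use (Get-AdfsSslCertificate).
    param([int] $Port = 443)
    $adfsHash = (Get-AdfsSslCertificate |
        Where-Object PortNumber -eq $Port | Select-Object -First 1).CertificateHash
    Get-HttpSysSslBinding |
        Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -match ":$Port$" } |
        Select-Object Endpoint,
            @{ n = 'CertificateHash'; e = { $_.'Certificate Hash' } },
            @{ n = 'ApplicationId';   e = { $_.'Application ID' } },   # owner of the binding
            @{ n = 'CtlStore';        e = { $_.'Ctl Store Name' } },
            @{ n = 'MatchesAdfsCert'; e = { $_.'Certificate Hash' -eq $adfsHash } }
}

function Repair-ShadowingIpBinding {
    # Method 1 ('Remove'): delete the IP:port binding.
    # Method 3 ('UseAdfsCtlStore'): delete it and add it back with the same
    # certificate, store and application ID, but with the AD FS CTL store.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $IpPort,
        [ValidateSet('Remove', 'UseAdfsCtlStore')] [string] $Method = 'Remove'
    )
    $b = Get-HttpSysSslBinding |
        Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq $IpPort }
    if (-not $b) { throw "No IP:port binding found for $IpPort" }

    # netsh prints '(null)' for an unset store; assume MY in that case.
    $store = if ($b.'Certificate Store Name' -eq '(null)') { 'MY' } else { $b.'Certificate Store Name' }

    if ($PSCmdlet.ShouldProcess($IpPort, 'delete http.sys SSL binding')) {
        netsh http delete sslcert "ipport=$IpPort" | Out-Null
    }
    if ($Method -eq 'UseAdfsCtlStore' -and
        $PSCmdlet.ShouldProcess($IpPort, 'add binding back with CTL store AdfsTrustedDevices')) {
        netsh http add sslcert "ipport=$IpPort" `
            "certhash=$($b.'Certificate Hash')" `
            "appid=$($b.'Application ID')" `
            "certstorename=$store" `
            'sslctlstorename=AdfsTrustedDevices' | Out-Null
    }
}

# Usage:
#   Find-ShadowingIpBinding | Format-Table
#   Repair-ShadowingIpBinding -IpPort 10.0.0.5:443 -Method Remove -WhatIf
#   Repair-ShadowingIpBinding -IpPort 10.0.0.5:443 -Method UseAdfsCtlStore
```

Run Find-ShadowingIpBinding first and note the ApplicationId of each flagged binding: it tells you which application created the binding and is likely to recreate it after a removal, which is the information Method 3 asks you to gather before changing the CTL store. Both functions support -WhatIf, so you can preview the netsh changes before applying them.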
