Renewing ADFS Certificates in a 2-node farm with 2 WAPs (load balanced) for Office 365

Question

  • Hi,

     I'm planning on renewing the ADFS certs on 2012 R2. We'll be doing the following:

    1. Allowing the token encrypting and token decrypting certificates to auto-renew, as AutoCertificateRollover is set to true (will check 2 days before if the certs roll over).

    2. Install the new ADFS certificate in the local computer store of both ADFS servers and both WAP servers.

    3. Run the following command on each ADFS server (applying private key read permissions if needed):

       Set-AdfsSslCertificate -Thumbprint <thumbprint>

    4. Check bindings on ADFS servers with:

       netsh http show sslcert

    5. On the primary ADFS server run:

       Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint <thumbprint>

    6. On the WAP servers, run:

       Set-WebApplicationProxySslCertificate -Thumbprint <thumbprint>

    We publish our ADFS metadata publicly. Do we need to run "Update-MsolFederatedDomain -DomainName mydomain.com"?

    Is it safe to do the above during the day or will it incur an outage?

    Thanks

    Tuesday, November 28, 2017 1:23 PM
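The SSL-certificate part of the plan above (steps 2 to 6), written out as one per-node script. This is an added example, not code from the original post or from Microsoft; it assumes the new PFX (with its private key) is already imported into Cert:\LocalMachine\My on every node, and the parameters -NewThumbprint, -Role and -RestartService are names chosen for this example. The verification in step 5 and the load-balancer caveat in step 6 are the parts that decide whether this can be done during the day.

```powershell
<#
  Added example, not from the thread. Run once on each ADFS node (-Role ADFS) and each proxy (-Role WAP)
  after the new certificate, including its private key, has been imported into Cert:\LocalMachine\My.
  Assumptions: -NewThumbprint is the new cert's thumbprint; -RestartService is an optional switch
  defined here so the reader decides whether to bounce the service.
#>
param(
    [Parameter(Mandatory)][string]$NewThumbprint,
    [ValidateSet('ADFS','WAP')][string]$Role = 'ADFS',
    [switch]$RestartService
)
$ErrorActionPreference = 'Stop'
# Thumbprints copied out of certlm.msc often carry spaces or hidden characters; normalise first.
$NewThumbprint = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. The certificate must be in the machine store WITH its private key and not itself near expiry.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)              { throw "Certificate $NewThumbprint is not in LocalMachine\My on $env:COMPUTERNAME" }
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key here; import the PFX, not the .cer" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "New certificate already expires on $($cert.NotAfter)" }
# The ADFS / WAP service account also needs Read on this private key (certlm.msc -> Manage Private Keys).

if ($Role -eq 'ADFS') {
    # 2. Record the binding being replaced so the transcript holds a rollback thumbprint.
    Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

    # 3. Rebind HTTP.SYS on this node. SSL bindings are per node; the farm does not replicate them.
    Set-AdfsSslCertificate -Thumbprint $NewThumbprint

    # 4. The service-communications certificate is farm configuration: primary node only.
    if ((Get-AdfsSyncProperties).Role -eq 'PrimaryComputer') {
        Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $NewThumbprint
    } else {
        Write-Host "Secondary node: Set-AdfsCertificate skipped; the primary distributes it via configuration sync"
    }

    # 5. Verify: every binding must now carry the new hash, and netsh shows the same HTTP.SYS view.
    $stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $NewThumbprint }
    if ($stale) {
        $stale | Format-Table HostName, PortNumber, CertificateHash -AutoSize
        throw "Some bindings still reference the old certificate"
    }
    netsh http show sslcert | Select-String -Pattern 'Hostname|IP:port|Certificate Hash'
    $svc = 'adfssrv'
} else {
    # WAP: one cmdlet rebinds the proxy listeners; run it on each proxy.
    Set-WebApplicationProxySslCertificate -Thumbprint $NewThumbprint
    Get-WebApplicationProxySslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
    $svc = 'appproxysvc'
}

# 6. A restart briefly drops this node, which is the outage risk in the question: drain the node from
#    the load balancer first, restart, confirm it answers on the new certificate, then move to the next node.
if ($RestartService) { Restart-Service -Name $svc }
```

Run it node by node rather than in parallel: with two ADFS servers and two proxies behind a load balancer, the only moment users can see an error is while a node is restarting, so draining one node at a time keeps the farm answering throughout.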

Answers

  • Thanks for the reply Isaac, here's what happened if anyone else is interested:

    20 days before cert expiry, ADFS generates a secondary certificate; 5 days before, the secondary token signing/decrypting cert becomes primary. Manually updated trusts need to be refreshed; however, O365, which uses our public metadata, self-updated.

    I didn't need to run the command below. Above worked fine.

    I spoke to an MS representative; he said that it's best to do this out of hours as there's a chance of an outage.

    Update-MsolFederatedDomain -DomainName mydomain.com 


    Saturday, December 9, 2017 8:57 PM
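The two timers described in the answer above are farm properties, and whether Update-MsolFederatedDomain is needed comes down to whether the tenant already holds the promoted signing certificate. The following script, an added example rather than anything from the thread, reads those properties, lists which relying-party trusts will refresh themselves and which need their owners involved, and compares the farm's primary token-signing thumbprint with the one Office 365 reports. It assumes the MSOnline module (Connect-MsolService), that Get-MsolFederationProperty returns one entry per Source ("ADFS Server" and "Microsoft Office 365") each carrying a TokenSigningCertificate, and uses mydomain.com as a placeholder domain.

```powershell
<#
  Added example, not from the thread. Run on the primary ADFS server with the MSOnline module installed.
  Assumptions: $FederatedDomain is a placeholder; the Source labels and TokenSigningCertificate property
  of Get-MsolFederationProperty are as this example expects.
#>
param([string]$FederatedDomain = 'mydomain.com')
$ErrorActionPreference = 'Stop'

# 1. The "20 days" and "5 days" in the answer are these two farm properties (defaults 20 and 5).
$p = Get-AdfsProperties
if (-not $p.AutoCertificateRollover) { Write-Warning "AutoCertificateRollover is OFF: token certificates will not renew themselves" }
"{0}: new token cert generated {1} days before expiry, promoted to primary {2} days before expiry" -f `
    $p.DisplayName, $p.CertificateGenerationThreshold, $p.CertificatePromotionThreshold

# 2. Primary and secondary token-signing / token-decrypting certificates with their remaining lifetime.
$certs = Get-AdfsCertificate | Where-Object { $_.CertificateType -in @('Token-Signing', 'Token-Decrypting') }
$certs | Sort-Object CertificateType, IsPrimary |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
        @{ n = 'DaysLeft'; e = { [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize
$primarySigning = ($certs | Where-Object { $_.CertificateType -eq 'Token-Signing' -and $_.IsPrimary }).Thumbprint

# 3. Trusts with a metadata URL and auto-update pick the new certificate up; the rest need a manual refresh.
$rps    = Get-AdfsRelyingPartyTrust
$auto   = $rps | Where-Object { $_.MetadataUrl -and $_.AutoUpdateEnabled }
$manual = $rps | Where-Object { -not ($_.MetadataUrl -and $_.AutoUpdateEnabled) }
"Trusts that refresh from metadata automatically: {0}" -f @($auto).Count
"Trusts whose owners must load the new certificate by hand:"
$manual | Select-Object Name, MetadataUrl, AutoUpdateEnabled, LastUpdateTime | Format-Table -AutoSize
# Trusts that do have a URL but are not auto-updating can be re-pulled on demand:
#   Update-AdfsRelyingPartyTrust -TargetName '<trust name>'

# 4. Compare what the tenant trusts with what the farm is signing with. Only a mismatch calls for
#    Update-MsolFederatedDomain; if the tenant already pulled the new cert from public metadata it is a no-op.
Connect-MsolService
$fed    = Get-MsolFederationProperty -DomainName $FederatedDomain
$tenant = $fed | Where-Object { $_.Source -like '*Office 365*' }   # assumption: Source label for the tenant side
$tenantThumb = $tenant.TokenSigningCertificate.Thumbprint
if ($tenantThumb -eq $primarySigning) {
    "Office 365 already trusts the farm's primary token-signing certificate ($primarySigning); nothing to push."
} else {
    Write-Warning ("Tenant holds {0}, farm primary is {1}. Push it with: Update-MsolFederatedDomain -DomainName {2}" -f `
        $tenantThumb, $primarySigning, $FederatedDomain)
}
```

Running step 4 a day or two after the promotion date is the cheapest way to settle the "do we need Update-MsolFederatedDomain" question for a given tenant, because it asks the tenant rather than relying on either party's recollection.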

All replies

  • Are both your SSL certs and the token encrypting/decrypting certs expiring at the same time? Changing/updating the SSL certs will not cause any downtime as long as the certs you are replacing are still valid.

    Changing/updating the token Encryption and token Decryption certs will cause downtime on all the Relying Party trusts. You will also need to have the Relying Party Trust app owners update their metadata with the new certificates. So, yes, you will need to run Update-MSOLFederatedDomain -DomainName to update the trust relationship.


    Isaac Oben MCITP:EA, MCSE, MCC. View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    Friday, December 1, 2017 6:59 AM