ADFS 3.0 auto renewal of certificates RRS feed

  • Question

  • Hi, Have an ADFS 3.0 farm (2 ADFS, 2 WAPs) and am a little confused over an issue i had just experienced.

    From my understanding if for example my Token-Signing and Token-Decrypting certs were due to expire on 30-Jan-2017, on 10-jan-2017 the new certs would be generated (old=Primary, new=Secondary). On 15-Jan-2017, the new certs would be switched to primary and the old will be secondary. During the start period and end (31-Jan-2017) the renewal process for these certs should be more or less seamless to the user and would require little (or no) effort from a sys admin.

    Below is my config:

    AutoCertificateRollover                    : True
    CertificateCriticalThreshold               : 2
    CertificateDuration                        : 1095
    CertificateGenerationThreshold             : 20
    CertificatePromotionThreshold              : 5
    CertificateRolloverInterval                : 720

    CertificateThresholdMultiplier             : 1440
    ClientCertRevocationCheck                  : None
    ContactPerson                              : Microsoft.IdentityServer.Management.Resources.ContactPerson

    IntranetUseLocalClaimsProvider             : False
    ExtendedProtectionTokenCheck               : Allow

    Now, from what i have experienced (in relation to the example) on 10-jan-2017 the new certs were generated. This happened over the weekend so on 12-Jan-2017 i was informed that the trusts to other parties were not working (Sharepoint 2010, 3rd party RPTs, etc). I noticed the new certificates in the adfs console. the old cert was secondary and the new certificates were primary. neiither of these certificates were trusted, so i added them to the trusted root certs (in certificates.mmc).

    To restore the sharepoint trust i had to update the server referencing the new cert. Also the 3rd party trusts needed the updated ADFS Signing cert.

    Its all working now (i think) but i wanted to diagnose exactly why it did not behave the way i have expected (above). Can anyone shed some light on this?

    Wednesday, April 19, 2017 1:27 PM

All replies

  • The problem is that rolling over certs does nothing on the RP side.

    If they automatically check for new metadata, OK otherwise you have to do this manually.

    Wednesday, April 19, 2017 6:59 PM