Hi, I have an ADFS 3.0 farm (2 ADFS, 2 WAPs) and am a little confused over an issue I had just experienced.
From my understanding, if for example my Token-Signing and Token-Decrypting certs were due to expire on 30-Jan-2017, on 10-Jan-2017 the new certs would be generated (old=Primary, new=Secondary). On 15-Jan-2017, the new certs would be switched to primary and the old would be secondary. During the start period and end (31-Jan-2017) the renewal process for these certs should be more or less seamless to the user and would require little (or no) effort from a sys admin.
Below is my config:
AutoCertificateRollover : True
CertificateCriticalThreshold : 2
CertificateDuration : 1095
CertificateGenerationThreshold : 20
CertificatePromotionThreshold : 5
CertificateRolloverInterval : 720
CertificateThresholdMultiplier : 1440
ClientCertRevocationCheck : None
ContactPerson : Microsoft.IdentityServer.Management.Resources.ContactPerson
IntranetUseLocalClaimsProvider : False
ExtendedProtectionTokenCheck : Allow
Now, from what I have experienced (in relation to the example), on 10-Jan-2017 the new certs were generated. This happened over the weekend, so on 12-Jan-2017 I was informed that the trusts to other parties were not working (SharePoint 2010, 3rd party RPTs, etc.). I noticed the new certificates in the ADFS console. The old cert was secondary and the new certificates were primary. Neither of these certificates were trusted, so I added them to the trusted root certs (in certificates.mmc).
To restore the SharePoint trust I had to update the server referencing the new cert. Also the 3rd party trusts needed the updated ADFS Signing cert.
It's all working now (I think), but I wanted to diagnose exactly why it did not behave the way I had expected (above). Can anyone shed some light on this?
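Added example, not part of the original post: a PowerShell script that turns the thresholds shown in the posted Get-AdfsProperties output into the dates on which ADFS will generate a new certificate (as secondary) and promote it to primary, so relying-party owners can be told in advance. The worked call at the bottom uses the post's thresholds (20 / 5 / 2 days, which the CertificateThresholdMultiplier of 1440 minutes makes day units) and a constructed expiry date of 30-Jan-2017. Get-RolloverTimeline is pure arithmetic and runs anywhere; Get-AdfsRolloverReport assumes it is run on a federation server where the ADFS module (Get-AdfsProperties, Get-AdfsCertificate) is available.

```powershell
# Added example (not from the original post). Projects the ADFS auto-rollover
# timeline for a certificate from the CertificateGenerationThreshold /
# CertificatePromotionThreshold / CertificateCriticalThreshold values.

function Get-RolloverTimeline {
    param(
        [Parameter(Mandatory)] [datetime] $NotAfter,            # expiry of the current certificate
        [Parameter(Mandatory)] [int] $GenerationThresholdDays,  # CertificateGenerationThreshold
        [Parameter(Mandatory)] [int] $PromotionThresholdDays,   # CertificatePromotionThreshold
        [Parameter(Mandatory)] [int] $CriticalThresholdDays     # CertificateCriticalThreshold
    )
    [pscustomobject]@{
        NotAfter         = $NotAfter
        NewCertGenerated = $NotAfter.AddDays(-$GenerationThresholdDays) # new cert appears as Secondary
        NewCertPromoted  = $NotAfter.AddDays(-$PromotionThresholdDays)  # new cert becomes Primary
        CriticalFrom     = $NotAfter.AddDays(-$CriticalThresholdDays)   # ADFS treats expiry as imminent
    }
}

function Get-AdfsRolloverReport {
    # Reads live values; requires the ADFS module on a federation server.
    $p = Get-AdfsProperties
    if (-not $p.AutoCertificateRollover) {
        Write-Warning 'AutoCertificateRollover is disabled; ADFS will not generate or promote certificates itself.'
    }
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        Get-AdfsCertificate -CertificateType $type | ForEach-Object {
            $t = Get-RolloverTimeline -NotAfter $_.Certificate.NotAfter `
                    -GenerationThresholdDays $p.CertificateGenerationThreshold `
                    -PromotionThresholdDays  $p.CertificatePromotionThreshold `
                    -CriticalThresholdDays   $p.CertificateCriticalThreshold
            [pscustomobject]@{
                Type             = $type
                IsPrimary        = $_.IsPrimary
                Thumbprint       = $_.Thumbprint
                Subject          = $_.Certificate.Subject
                NotAfter         = $t.NotAfter
                NewCertGenerated = $t.NewCertGenerated
                NewCertPromoted  = $t.NewCertPromoted
                DaysUntilPromote = [int]($t.NewCertPromoted - (Get-Date)).TotalDays
            }
        }
    }
}

# Worked example with the thresholds from the post and a constructed expiry date.
# Expected: NewCertGenerated 2017-01-10, NewCertPromoted 2017-01-25, CriticalFrom 2017-01-28.
Get-RolloverTimeline -NotAfter ([datetime]'2017-01-30') `
    -GenerationThresholdDays 20 -PromotionThresholdDays 5 -CriticalThresholdDays 2 | Format-List
```

The useful output is the NewCertPromoted date: that is the last day on which relying parties that hold a manually uploaded copy of the ADFS signing certificate (rather than consuming the federation metadata, which carries both the primary and secondary certificates) can still validate tokens with the old key. Running the live report on each federation server and comparing thumbprints also confirms that both nodes in the farm agree on which certificate is primary.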