Correct procedure for ADFS renewal of token-signing/decrypting certificates

  • Question

  • Hello,

    My Office 365 portal has thrown a notification stating 'One of your on-premises Federation Service certificates is expiring.  Failure to renew the certificate and update trust properties within XX days will result in a loss of access to all Office 365 services for all users'.

    I can confirm that autorollover is set to true on my ADFS server (not the WAP server).

    I'm seeing plenty of articles that talk about updating the trust following the renewal of the token signing and token decrypting certificates.

    In this MS article - http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx#Replacing_the_Token-Signing_certificate, it states:

    "The new Token-Signing certificate is published in your Federation Metadata, and Relying Party (RP) partners who can consume Federation Metadata will automatically pick up the change whenever they pull your Federation Metadata document. You should work with your RP partners to see how often they pull for Federation Metadata so that, in the event of a certificate replacement, they will experience little to no downtime before trusting your new certificate. If your RP partners cannot consume Federation Metadata, you should be aware of when AutoCertificateRollover will set a new Primary Token-Signing certificate and you will need to plan accordingly to send the public key portion of this certificate to your RP partners."


    If Office 365 is capable of pulling Federation Metadata automatically, is this the process that completes the whole thing? Or, do I still need to update Azure AD about the new certs?

    Bit confused as to the correct procedure.

    Thanks.

    Tuesday, March 29, 2016 11:32 AM

Answers

  • Yes, Office 365 is capable of pulling the data, as long as the data are available and your ADFS server is correctly set up... It is described here: Renewing Federation Certificates for Office 365 and Azure AD https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-o365-certs/

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by MR JH Tuesday, March 29, 2016 1:06 PM
    Tuesday, March 29, 2016 12:55 PM
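The answer above relies on two things being true: AutoCertificateRollover is actually on and has already generated the next certificate, and Azure AD has picked the new signing certificate up from the federation metadata. The following PowerShell is an added example, not part of the thread or of Microsoft's article, that checks both sides before the expiry date arrives. It assumes it is run on the primary AD FS server with the ADFS module available and the MSOnline module installed and already connected (Connect-MsolService); `$DomainName` is a placeholder for your federated domain, and the `Source` strings are as the MSOnline module reports them.

```powershell
# Added example (not from the thread). Check AD FS auto-rollover state, list
# token-signing/decrypting certificate lifetimes, and compare the primary
# token-signing certificate with the one Azure AD currently trusts.
param([string]$DomainName = 'contoso.example')   # placeholder: your federated domain

Import-Module ADFS

# 1. Rollover configuration on the AD FS server (not the WAP server).
$props = Get-AdfsProperties
"AutoCertificateRollover             : $($props.AutoCertificateRollover)"
"CertificateGenerationThreshold (days): $($props.CertificateGenerationThreshold)"
"CertificatePromotionThreshold (days) : $($props.CertificatePromotionThreshold)"

# 2. Both certificate types, primary and secondary, with days until expiry.
#    A secondary certificate should already exist once rollover has generated it.
'Token-Signing', 'Token-Decrypting' | ForEach-Object {
    $type = $_
    Get-AdfsCertificate -CertificateType $type | ForEach-Object {
        $cert = $_.Certificate
        [pscustomobject]@{
            Type       = $type
            IsPrimary  = $_.IsPrimary
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
} | Format-Table -AutoSize

# 3. What Azure AD trusts for the domain versus what AD FS has as primary.
$localPrimary = (Get-AdfsCertificate -CertificateType 'Token-Signing' |
                 Where-Object IsPrimary).Certificate.Thumbprint
$fed = Get-MsolFederationProperty -DomainName $DomainName
$fed | Format-List Source, TokenSigningCertificate, NextSigningCertificate

$cloudView = $fed | Where-Object { $_.Source -like '*Office 365*' }
if ($cloudView -and $cloudView.TokenSigningCertificate.Thumbprint -eq $localPrimary) {
    "Azure AD already trusts the current primary token-signing certificate ($localPrimary)."
} else {
    "Azure AD does not yet match the AD FS primary certificate ($localPrimary)."
    "After verifying the metadata endpoint is reachable, push the trust update with:"
    "  Update-MsolFederatedDomain -DomainName $DomainName"
    # Left as a printed instruction rather than executed: it modifies the federation trust.
}
```

Run it a few weeks before the expiry warning threshold and again after the promotion date; if the comparison in step 3 still reports a mismatch once the new certificate has become primary in AD FS, the metadata pull is not happening and the trust needs the manual update the linked article describes.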

All replies



  • Hi Pierre - many thanks for this. Looks like we're all set!
    Tuesday, March 29, 2016 1:06 PM