ADFS 2.0 - Renewing certificates

  • Question

  • Hello all Microsoft geeks,

    I am standing before the renewal process for our production ADFS 2.0 farm (2 servers), and as proxy we use a UAG server. I would like to ask you what the standard process for it is, if there is any. We use public CA certificates published by Verisign. Can I proceed with this via the renewal process in IIS on both servers? We use ADFS for our own SSO applications between our company and partners. Do you have any experience with that? I have read some topics on the internet, but I am not quite sure.

    Thanks for every comment.

    Libor


    Liibas

    Wednesday, January 2, 2013 2:35 PM

Answers

  • In ADFSv2 the following certificates can be used:
    * Security Token Service (STS) servers
        * SSL Communications cert
        * Token Signing Cert (THE cert the federation trust is based upon!)
        * Token Decryption Cert
    * Proxy Service (PRX) servers
        * SSL Communications cert
     
    Because you are not using the auto certificate rollover feature, the following applies to you.

    [SSL cert on STS servers]
    When using a farm of STS servers, you need to install the SSL cert on every individual STS server, permission the ADFS service account to have read permissions on the private key (if new) on every individual STS server, and configure/set the new SSL cert in the ADFS management console. For the latter, choose one of the STS servers when using a SQL farm, or choose the primary STS server when using the WID farm. In addition, configure IIS (default website) on every individual STS farm member to use the new SSL cert in the binding.

    [Token Signing cert on STS servers]
    When using a farm of STS servers, you need to install the token signing cert on every individual STS server, permission the ADFS service account to have read permissions on the private key (if new) on every individual STS server, and configure/set the new token signing cert in the ADFS management console as SECONDARY. For the latter, choose one of the STS servers when using a SQL farm, or choose the primary STS server when using the WID farm. After configuring the new token signing cert as secondary, you need to make sure you distribute the public part of the token signing cert to EVERY configured relying party. The relying party in this case can be an application or an upstream STS (farm). If you are publishing the federation metadata (and you should!!!) and the RPs are consuming the metadata of your STS, those RPs will in time learn about the new cert. For those RPs not consuming the federation metadata of your STS, you can send the admins of those RPs the public part of the new token signing cert. Each RP must then update (i.e. add the new cert to) the claims provider trust that represents your STS. After every RP has done this, you can configure your STS to set the new token signing cert as the primary token signing cert.

    [Token Decryption cert on STS servers]
    When using a farm of STS servers, you need to install the token decryption cert on every individual STS server, permission the ADFS service account to have read permissions on the private key (if new) on every individual STS server, and configure/set the new token decryption cert in the ADFS management console as SECONDARY. For the latter, choose one of the STS servers when using a SQL farm, or choose the primary STS server when using the WID farm. After configuring the new token decryption cert as secondary, you need to make sure you distribute the public part of the token signing cert to EVERY configured claims provider or identity provider. The claims provider or identity provider in this case can be a downstream STS (farm). If you are publishing the federation metadata (and you should!!!) and the CPs/IdPs are consuming the metadata of your STS, those CPs/IdPs will in time learn about the new cert. For those CPs/IdPs not consuming the federation metadata of your STS, you can send the admins of those CPs/IdPs the public part of the new token decryption cert. Each CP/IdP must then update (i.e. add the new cert to) the relying party trust that represents your STS. After every CP/IdP has done this, you can configure your STS to set the new token decryption cert as the primary token decryption cert.

    [SSL cert on PRX servers]
    When using a farm of PRX servers, you need to install the SSL cert on every individual PRX server and, in addition, configure IIS (default website) on every individual PRX farm member to use the new SSL cert in the binding.
     
    For more details also see:

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    • Proposed as answer by Awinish Thursday, January 3, 2013 10:06 AM
    • Marked as answer by Cicely Feng Tuesday, January 8, 2013 1:59 AM
    Wednesday, January 2, 2013 8:56 PM
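The token-signing part of the procedure in the answer above, written out as an added example for the ADFS 2.0 PowerShell snap-in on a Windows Server 2008 R2 STS node (this is not code from the post or from Microsoft's documentation). The PFX path, the .cer output path and the service account name are assumptions; the private-key ACL step assumes a CAPI (non-CNG) key, which is what a typical PFX imports as on 2008 R2.

```powershell
# Added example (not from the forum post): manual token-signing rollover on an
# ADFS 2.0 STS node. Assumed values: PFX path, service account, output path.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$pfxPath = 'C:\certs\adfs-token-signing-2013.pfx'   # assumption
$svcAcct = 'CONTOSO\svc_adfs'                        # assumption: ADFS service account
$cerOut  = 'C:\certs\adfs-token-signing-2013.cer'    # assumption: public part for RP admins
$pfxPass = Read-Host -AsSecureString 'PFX password'

# Add-ADFSCertificate is refused while auto rollover is on; check rather than silently flipping it.
if ((Get-ADFSProperties).AutoCertificateRollover) {
    throw 'AutoCertificateRollover is enabled; this manual procedure does not apply.'
}

# 1. Import into LocalMachine\My with a persisted machine key (repeat on EVERY STS farm member).
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert.Import($pfxPath, $pfxPass, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite'); $store.Add($cert); $store.Close()

# 2. Grant the service account Read on the private key (CAPI key container file on 2008 R2).
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $keyName
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($svcAcct, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 3. Register the cert as SECONDARY (run once: on the primary node of a WID farm, or any node of a SQL farm).
Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint
Get-ADFSCertificate -CertificateType Token-Signing | Format-Table Thumbprint, IsPrimary -AutoSize

# 4. Export the public part only (no private key) for relying parties that do not consume your metadata.
[System.IO.File]::WriteAllBytes($cerOut, $cert.Export('Cert'))

# 5. Only after EVERY relying party has added the new cert to its claims provider trust,
#    promote it to primary; the old cert stays as secondary until you remove it.
# Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint -IsPrimary
# Remove-ADFSCertificate -CertificateType Token-Signing -Thumbprint '<old thumbprint>'
```

Step 5 is left commented out deliberately: promoting the new cert before every RP has it breaks SSO for those RPs, so it is a separate, later action. The same sequence applies to the token decryption cert with `-CertificateType Token-Decrypting` and the public part going to claims providers instead.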

All replies

  • This seems to be more suitable for the AD FS forum: http://social.msdn.microsoft.com/Forums/en/Geneva/
    Also, for details about certificates, the Security forum is the better place: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Wednesday, January 2, 2013 2:38 PM
  • Hello,

    Thanks for posting a comment. I have added the question there.


    Liibas

    Wednesday, January 2, 2013 3:32 PM