ADFS certificate rollover - token signing

Answers

  • Hi,

    How many CP trusts do you have and what's the brand?

    How many RP trusts do you have and how many of those use metadata exchange?

    Please be aware that, while you are running out of time as your certs are going to expire, you do need time to implement new certs and have those become configured at your CPs and RPs. That takes time.

    If there is no upcoming solution, you need to decide at some point in time to manually implement new (self-signed) certs to make sure everything continues to work. Making such a decision on the very last day is really asking for trouble. As soon as your certs expire, your ADFS farm drops dead!


    Cheers,

    Jorge de Almeida Pinto

    Lead Consultant | MVP Enterprise Mobility & Security | IAM Technologies

    COMMUNITY...:

    REQUEST: Please mark as answer if it helped you. Thanks!

    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    • Marked as answer by Masthanomatic Monday, February 4, 2019 1:50 PM
    Tuesday, January 29, 2019 11:06 PM

All replies

  • Look in the logs and see if there is an error renewing the certificate.
    Monday, January 21, 2019 9:11 AM
    For understanding, please check:

    https://jorgequestforknowledge.wordpress.com/2013/05/14/adfs-managed-certificates-supporting-auto-certificate-rollover/


    Cheers,

    Jorge de Almeida Pinto


    Monday, January 21, 2019 9:53 AM
    The article also applies to ADFSv3 and v4.

    As a suggestion, I would restart the ADFS service.

    Restarting the ADFS service makes ADFS on that server unavailable during the restart of the service. If you have at least 2 ADFS servers and if you have a load balancer that monitors for availability of the service, restarting the ADFS service should not be a problem. In other scenarios, make sure to plan the restart.


    Cheers,

    Jorge de Almeida Pinto


    Monday, January 21, 2019 11:39 AM
    Can you please run Get-ADFSCertificate and for the token certs provide the values for NotBefore and NotAfter?

    Cheers,

    Jorge de Almeida Pinto


    Monday, January 21, 2019 12:13 PM
    Maybe a stupid question, but is that:

    February 7th 2019

    OR

    July 2nd 2019

    If your cert is going to expire, ADFS should already complain about that. Is it doing that?


    Cheers,

    Jorge de Almeida Pinto


    Monday, January 21, 2019 12:34 PM
    What's the value for "Certificate Rollover Interval"?

    Are there seriously no event IDs in the ADFS admin event log mentioning anything about expiring certs, or the non-ability of generating a new cert?


    Cheers,

    Jorge de Almeida Pinto


    Monday, January 21, 2019 12:48 PM
  • I want to be 100% sure....

    Can you please execute the following:

    (Get-AdfsCertificate | ?{$_.CertificateType -eq "Token-Signing"}).Certificate.NotBefore
    (Get-AdfsCertificate | ?{$_.CertificateType -eq "Token-Signing"}).Certificate.NotAfter

    ...and output the results please?

    Thanks


    Cheers,

    Jorge de Almeida Pinto

    Lead Consultant | MVP Enterprise Mobility & Security | IAM Technologies

    COMMUNITY...:

    REQUEST: Please mark as answer if it helped you. Thanks!

    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    Monday, January 21, 2019 2:25 PM
  • Hi,

    I have no clue WHY it is not updating while it should.

    You could enable the DEBUG log, restart the ADFS service and see if something pops up.

    Nevertheless, you can always execute the following commands manually to trigger the CREATION of the cert for each:

    Update-AdfsCertificate -CertificateType Token-Decrypting

    Update-AdfsCertificate -CertificateType Token-Signing

    DO NOT use the -URGENT parameter as that will ALSO execute the SWITCH immediately.

    As soon as the cert is there, you need to update all the CPs and RPs that do not leverage metadata exchange URL. After updating (assuming all support multiple Token Signing certs from you) you can execute the switch.

    If any CP/RP only supports one token signing cert, then execute the switch on the weekend and after that update the corresponding CP/RP.


    Cheers,

    Jorge de Almeida Pinto


    Wednesday, January 23, 2019 3:49 PM
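The manual generation described above as one runnable script, added here and not part of Jorge's post; it assumes auto certificate rollover is still enabled on the farm (Update-AdfsCertificate requires it) and is run on a farm node with the ADFS module, and it produces the RP trust inventory asked for earlier in the thread.

```powershell
# Added example, not from the thread: generate the next token certificates without
# switching, then produce the RP list asked for above (which trusts use metadata exchange).
# Assumes auto certificate rollover is enabled, which Update-AdfsCertificate requires.
Import-Module ADFS

# Each call creates a new SECONDARY certificate of that type. Without -Urgent the current
# primary stays primary, so tokens keep validating while partners are being updated.
Update-AdfsCertificate -CertificateType Token-Decrypting
Update-AdfsCertificate -CertificateType Token-Signing

# The new certificates partners must trust before the switch (the ones not primary yet)
Get-AdfsCertificate |
    Where-Object { -not $_.IsPrimary } |
    Select-Object CertificateType, Thumbprint,
        @{ n = 'Subject';  e = { $_.Certificate.Subject } },
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# ADFS only records whether IT pulls an RP's metadata (MetadataUrl/MonitoringEnabled), not
# whether the RP pulls this farm's metadata. Treat a trust without a metadata URL as one
# that certainly needs the new signing certificate delivered by hand, and confirm the rest.
$rps      = @(Get-AdfsRelyingPartyTrust)
$noMeta   = @($rps | Where-Object { -not $_.MetadataUrl })
$withMeta = @($rps | Where-Object { $_.MetadataUrl })
Write-Host ("RP trusts: {0} total, {1} without metadata URL (manual update), {2} to confirm" -f
    $rps.Count, $noMeta.Count, $withMeta.Count)
$noMeta   | Select-Object Name, Identifier | Format-Table -AutoSize
$withMeta | Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled |
    Format-Table -AutoSize

# Claims provider trusts: whether the partner IdP consumes this farm's metadata is configured
# on their side, so just count them and ask each partner.
Write-Host ("CP trusts to confirm with partners: {0}" -f @(Get-AdfsClaimsProviderTrust).Count)
```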
    When you are using auto-certificate rollover in ADFS, by default you are using self-signed certificates managed by ADFS.

    You can always identify a self-signed certificate by:

    * the issuer = subject

    * it has no AIA extension and no CDP extension

    You can always identify a self-signed certificate managed by ADFS by:

    * the issuer = subject

    * it has no AIA extension and no CDP extension

    * ADFS Encryption Cert --> CN=ADFS Encryption - <FQDN Federation Service>

    * ADFS Signing Cert --> CN=ADFS Signing - <FQDN Federation Service>

    see also:

    https://jorgequestforknowledge.wordpress.com/2014/03/14/gathering-architectural-details-from-your-adfs-infrastructure-adfs-certs/


    Cheers,

    Jorge de Almeida Pinto


    Wednesday, January 23, 2019 9:40 PM
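The identification rules above turned into a check script, added here and not part of the post; it assumes the ADFS module on a farm node and reads the rollover settings and thresholds from Get-AdfsProperties to flag the exact failure this thread is about.

```powershell
# Added example, not from the thread: inventory the ADFS token certificates and test each
# against the self-signed / ADFS-managed criteria from the post above. Assumes the ADFS
# PowerShell module on a farm node.
Import-Module ADFS

$props = Get-AdfsProperties
$fqdn  = $props.HostName             # federation service FQDN used in the managed-cert CN
$expectedCn = @{                     # subject names ADFS gives the certs it generates itself
    'Token-Signing'    = "CN=ADFS Signing - $fqdn"
    'Token-Decrypting' = "CN=ADFS Encryption - $fqdn"
}
$aiaOid = '1.3.6.1.5.5.7.1.1'        # Authority Information Access extension
$cdpOid = '2.5.29.31'                # CRL Distribution Points extension

Write-Host "AutoCertificateRollover.......: $($props.AutoCertificateRollover)"
Write-Host "CertificateRolloverInterval...: $($props.CertificateRolloverInterval) minutes"
Write-Host "CertificateGenerationThreshold: $($props.CertificateGenerationThreshold) days"
Write-Host "CertificatePromotionThreshold.: $($props.CertificatePromotionThreshold) days"

$report = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $set = @(Get-AdfsCertificate -CertificateType $type)
    foreach ($entry in $set) {
        $c    = $entry.Certificate                       # X509Certificate2
        $oids = @($c.Extensions | ForEach-Object { $_.Oid.Value })
        $selfSigned  = ($c.Subject -eq $c.Issuer) -and
                       ($oids -notcontains $aiaOid) -and ($oids -notcontains $cdpOid)
        $adfsManaged = $selfSigned -and ($c.Subject -eq $expectedCn[$type])
        [pscustomobject]@{
            Type        = $type
            IsPrimary   = $entry.IsPrimary
            Thumbprint  = $entry.Thumbprint
            NotBefore   = $c.NotBefore
            NotAfter    = $c.NotAfter
            DaysLeft    = [int]($c.NotAfter - (Get-Date)).TotalDays
            SelfSigned  = $selfSigned
            AdfsManaged = $adfsManaged
        }
    }
    # The failure this thread is chasing: rollover is on, the primary is already inside the
    # generation threshold, and yet no secondary certificate has been generated.
    $primary = $set | Where-Object { $_.IsPrimary }
    $left    = [int]($primary.Certificate.NotAfter - (Get-Date)).TotalDays
    if ($props.AutoCertificateRollover -and $left -le $props.CertificateGenerationThreshold -and $set.Count -lt 2) {
        Write-Warning "$type primary expires in $left days and no secondary exists: auto rollover is not working"
    }
}
$report | Format-Table -AutoSize
```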
  • I think you hit the cause of all the issues and why cert rollover is not working.

    What I do not understand is why your fed service farm is still working while you are having cert issues.

    Have you checked that the cert sharing container and sub-objects exist in AD?

    Have you checked that ADFS has the correct permissions on that cert sharing container?

    See the following:

    https://jorgequestforknowledge.wordpress.com/2018/10/24/setting-fixing-the-correct-permissions-on-your-adfs-certificates-and-or-on-the-certificate-sharing-container/

    If you want you can send me the output of GET-ADFSPROPERTIES and a screen dump of the objects in AD. You can contact me through the contact details of my blog.


    Cheers,

    Jorge de Almeida Pinto


    Friday, January 25, 2019 8:42 AM
  • Check permissions.

    Domain Admins and local administrators of ADFS have rights to enroll a self-signed certificate. Make sure that the correct permissions are assigned to the service account.

    If these certificates are not self-signed, then you need to request a new certificate from the issuer.

    As suggested before, make sure that the expiration date isn't 2nd July 2019. Anyway, you may always renew them by hand :-)

    Friday, January 25, 2019 10:42 AM
    Execute the following and mail that back to me USING THE CONTACT DETAILS OF MY BLOG. DO NOT POST HERE.

    # RSAT AD tools give you the ActiveDirectory module and the AD: drive
    Install-WindowsFeature RSAT-AD-Tools -IncludeAllSubFeature
    Import-Module ActiveDirectory
    # Account the ADFS service (ADFSSRV) runs as
    $adfsService = Get-WmiObject win32_service -filter "name='ADFSSRV'"
    $currentADFSServiceAccount = $adfsService.StartName
    # DN of the certificate sharing container configured on the federation service
    $fedSvcProps = Get-AdfsProperties
    $dnPathCertSharingContainer = ($fedSvcProps.CertificateSharingContainer).ToString()
    $dnPathCertSharingContainerPath = $(Join-Path "AD:\" $dnPathCertSharingContainer)
    # ACEs on the container that apply to the service account, then the objects under it
    $aclCertSharingContainer = Get-Acl $dnPathCertSharingContainerPath
    Write-Host "Service Account....: $currentADFSServiceAccount"
    $aclCertSharingContainer.Access | ?{$_.IdentityReference -eq $currentADFSServiceAccount} | FL
    DIR $dnPathCertSharingContainerPath


    Cheers,

    Jorge de Almeida Pinto


    Friday, January 25, 2019 5:01 PM
    On EACH ADFS server:

    * Enable ADFS debug logging, see https://jorgequestforknowledge.wordpress.com/2014/02/05/enabling-debug-tracing-in-adfs-v2-1-and-v3-0/

    * Restart the ADFS service

    * Check for errors in the ADFS admin log

    * Check for errors in the ADFS debug log

    * Disable ADFS debug logging

    * Send the errors to me through my blog contact details

    Cheers,

    Jorge de Almeida Pinto


    Sunday, January 27, 2019 10:03 PM
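The checklist above as one script to run on each ADFS server, added here and not from the post; it assumes the ADFS 2012 R2 or later event log names, a planned restart of the service, and that debug/analytic channels are read after being disabled.

```powershell
# Added example, not from the thread: the per-server checklist above as one script, run on
# each ADFS server. Assumes the ADFS 2012 R2+ log names 'AD FS/Admin' and
# 'AD FS Tracing/Debug' (ADFS 2.x uses 'AD FS 2.0/Admin' and 'AD FS 2.0 Tracing/Debug').
$adminLog = 'AD FS/Admin'
$debugLog = 'AD FS Tracing/Debug'
$outFile  = "$env:TEMP\adfs-cert-events-$env:COMPUTERNAME.csv"
$start    = Get-Date

# 1. Enable debug tracing
wevtutil sl $debugLog /e:true

# 2. Restart the service. Plan this: the node does not answer while the service restarts.
Restart-Service adfssrv
Start-Sleep -Seconds 120    # give ADFS time to run its startup certificate rollover check

# 3. Critical/error/warning events in the admin log since the restart
$adminEvents = @(Get-WinEvent -FilterHashtable @{ LogName = $adminLog; Level = 1, 2, 3; StartTime = $start } -ErrorAction SilentlyContinue)

# 4./5. Analytic/debug channels can only be read while disabled and need -Oldest, so disable first
wevtutil sl $debugLog /e:false
$debugEvents = @(Get-WinEvent -LogName $debugLog -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $start -and $_.Level -le 3 })

# Keep what mentions certificates or the sharing container, show it, and save it for the case
$report = ($adminEvents + $debugEvents) |
    Where-Object { $_.Message -match 'certif|CertificateSharingContainer|Token-Signing|Token-Decrypting' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
$report | Format-List
$report | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Saved $(@($report).Count) events to $outFile"
```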
    Did not receive anything.

    Cheers,

    Jorge de Almeida Pinto


    Monday, January 28, 2019 7:38 PM
    Only see a gazillion users typing their username/password incorrectly.

    This is yet another one of the weirdest things I have ever seen, which I still do not understand why...

    See if the following would tell you anything.

    https://adfshelp.microsoft.com/DiagnosticsAnalyzer/Analyze

    Something else: if you are running out of time you can still:

    * Call MSFT and raise a case ASAP

    AND/OR

    * Manually implement new token signing and token encryption certs. You were already using a self-signed cert, so you might as well implement a PowerShell-generated one. See: https://jorgequestforknowledge.wordpress.com/2015/05/23/generating-self-signed-certificates-for-testing-purposes/


    Cheers,

    Jorge de Almeida Pinto


    Monday, January 28, 2019 8:54 PM
    >>>> we have already logged a case with MS on this

    What have they done or said so far?


    Cheers,

    Jorge de Almeida Pinto


    Monday, January 28, 2019 9:04 PM
    How the heck is that related to your ADFS cert problems?

    Could you send a mail to me and explain EVERYTHING that happened? Something tells me a lot more happened than you are telling me.


    Cheers,

    Jorge de Almeida Pinto


    Monday, January 28, 2019 9:22 PM