Share via

adfs token signing cert manual update

Hippopotamus Defence 116 Reputation points
2021-07-13T16:25:08.573+00:00

A question regarding token signing cert manual update. Some articles mention enabling auto rollover then generate the cert and then disable auto rollover. Is that the correct procedure (currently auto rollover is set to false)?

Also, when two certs are present with the current one as primary and the renewed as secondary, will the relying party trust me able to connect through the new cert/thumbprint or does the new one have to set up as primary for that?

Any pointers to how this needs to be updated in WAP? Microsoft document talked about renewal and didn't have reference to wap.

Thanks!

Microsoft Security | Active Directory Federation Services
0 comments
Accepted answer
  1. Hippopotamus Defence 116 Reputation points
    2021-07-26T20:50:13.443+00:00

    @Pierre Audonnet - MSFT

    The process adopted was:

    Set-ADFSProperties -AutoCertificateRollover $true

    Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
    Update-AdfsCertificate -CertificateType Token-Signing -Urgent

    Set-ADFSProperties -AutoCertificateRollover $false

    O365 didn't update. So, ended up doing Update-MSOLFederatedDomain –DomainName <domain>.

    One thing to note is, it asked "-SupportMultipleDomain" be used with the update-msolfederateddomain command. Apparently, this needs to be done by someone who has admin access to azure ad and also on prem environment.

    After that O365 was in sync with ADFS.

    Thank you for your tips and inputs. Appreciate it.

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2021-07-19T12:59:46.763+00:00

    It depends if you are using your own certificates or if you are using the self-signed certificates. At the end of the day, you can change the certificate when you want, it just has a massive impact on the applications (RPT) if you don't communicate effectivelely with them.

    ADFS always signs tokens with the primary token signing certificate. The secondary is just added to the federation metadata to give a change to the RPT to know about it. Ideally the application should be accepting token signed with any valid certificate. That way you don't have to time the change of certificate with the application. The reallity is that most application are not checking metadata nor capabable of having two possible signing certs. So the change has to be "synchronized" with the application owner to ensure minumum service interuption.

    WAPs don't care about token signing certificate. They don't do any token signing operation. They are not affected by token signing (or token encrypting) certificate changes.

    1 person found this answer helpful.
  2. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2021-07-19T21:29:30.07+00:00

    Hum, that's a good question.

    To be on the safe side I would do the following:

    1. Take an ADFS Rapid Restore backup of your farm inclufding DKM info.
    2. Set the CertificatePromotionThreshold and CertificateCriticalThreshold to 1.
    3. Restart the ADFS service.
    4. Enable the roll over.
    5. Generate the new certificates (for both signing and decrytping)
    6. Disable the roll over.

    You should have two certificates. And you can promote the new one manually when you want from the GUI.

    I never tried this. Ideally I would do that in a lab before going prod with it. Altough, if you have a valid backup, you might want to do that in a low activity period (nights or week-end) and roll back if you see the cert changing.

    Ultimately, you can also export the token signin certs using different tools available in GitHub (for a quick restore). At your own risks...

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.