AD FS Certificates

Lim Chong Sun 531 Reputation points
2020-10-22T03:30:33.833+00:00

I know that there are 3 kinds of certificates:

  1. SSL
  2. Token-signing certificate
  3. Token-decryption/encryption certificate

I am adding a new node to my existing AD FS farm. I know that I need to export the current SSL cert with its private key and import it into the new node before I can configure AD FS.

But what about the token-signing certificate and the token-decryption/encryption certificate? Do I have to do likewise, or when I join the new node to the existing farm, will these 2 certificates automatically be imported to the new node?
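The SSL export/import step described in the question, written out as an added PowerShell example; this is not code from the original post. It is run from the new node, assumes AD FS on Windows Server 2012 R2 or later (where Get-AdfsSslCertificate exists), a WID farm that runs under a gMSA, and that the SSL certificate was issued with an exportable private key. The names fs.contoso.com, adfs01.contoso.com, CONTOSO\adfsgmsa$ and C:\Temp\fs.pfx are placeholders.

```powershell
# Added example, not from the original post. All names below are assumptions.
$ServiceName = 'fs.contoso.com'       # federation service name of the farm
$PrimaryNode = 'adfs01.contoso.com'   # an existing farm node that holds the SSL cert
$PfxPath     = 'C:\Temp\fs.pfx'       # transfer file, removed on both sides at the end
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'

# --- Step 1: on the existing node, export the SSL certificate together with its private key ---
$session = New-PSSession -ComputerName $PrimaryNode
$exportedThumbprint = Invoke-Command -Session $session -ScriptBlock {
    # Find the certificate AD FS is actually serving for the federation service name.
    $binding = Get-AdfsSslCertificate |
        Where-Object { $_.HostName -eq $using:ServiceName } |
        Select-Object -First 1
    if (-not $binding) { throw "No AD FS SSL binding found for $using:ServiceName" }

    $sslCert = Get-Item -Path "Cert:\LocalMachine\My\$($binding.CertificateHash)"
    if (-not $sslCert.HasPrivateKey) {
        throw "Certificate $($sslCert.Thumbprint) has no private key in LocalMachine\My"
    }
    # This fails if the key was issued as non-exportable.
    Export-PfxCertificate -Cert $sslCert -FilePath $using:PfxPath -Password $using:PfxPassword |
        Out-Null
    $sslCert.Thumbprint
}

# Pull the PFX over the remoting session and remove the copy left on the existing node.
Copy-Item -FromSession $session -Path $PfxPath -Destination $PfxPath
Invoke-Command -Session $session -ScriptBlock { Remove-Item -Path $using:PfxPath -Force }
Remove-PSSession $session

# --- Step 2: on the new node, import the PFX and verify it is the same certificate ---
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $PfxPassword
Remove-Item -Path $PfxPath -Force

if ($imported.Thumbprint -ne $exportedThumbprint) {
    throw "Imported thumbprint $($imported.Thumbprint) does not match exported $exportedThumbprint"
}
if (-not $imported.HasPrivateKey) {
    throw "Private key did not import; the PFX was exported without it"
}

# --- Step 3: join the farm. Only the SSL thumbprint is passed here; no token-signing or
# token-decrypting certificate is supplied to this cmdlet.
# Assumption: WID farm using a gMSA. A SQL-backed farm would use -SQLConnectionString instead.
Add-AdfsFarmNode -CertificateThumbprint $imported.Thumbprint `
    -PrimaryComputerName $PrimaryNode `
    -GroupServiceAccountIdentifier 'CONTOSO\adfsgmsa$' `
    -Credential (Get-Credential -Message 'Account allowed to join the farm')
```

The thumbprint comparison after import is the check worth keeping: a PFX that was exported without its private key imports without error but leaves AD FS unable to terminate TLS on the new node, and the HasPrivateKey test catches that before Add-AdfsFarmNode runs.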


Accepted answer
VipulSparsh-MSFT 16,276 Reputation points Microsoft Employee
2020-10-22T11:24:19.787+00:00

    @Lim Chong Sun Thanks for reaching out.

    There are two server farm options that you can consider when you obtain token-signing certificates for your deployment:

    1) A private key from one token-signing certificate is shared among all the federation servers in a farm.
    In a federation server farm environment, we recommend that all federation servers share (or reuse) the same token-signing certificate. You can install a single token-signing certificate from a CA on a federation server and then export the private key, as long as the issued certificate is marked as exportable.

    [Image: tokensigning1.png]

    2) There is a unique token-signing certificate for each federation server in a farm.
    When you use multiple, unique certificates throughout your farm, each server in that farm signs tokens with its own unique private key.

    [Image: tokensigning2.png]

    Read more about it here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/design/token-signing-certificates

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

    2 people found this answer helpful.
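A way to see which of the two farm options from the accepted answer a farm is actually in, as an added PowerShell example that is not part of the original answer. It reads every certificate AD FS knows about (Token-Signing, Token-Decrypting and Service-Communications) from each node with Get-AdfsCertificate and flags any type whose primary thumbprint differs between nodes or is missing on one of them. The node names adfs01.contoso.com and adfs02.contoso.com are placeholders; the script assumes PowerShell remoting to the nodes and the ADFS module present on them, which is the case on any farm member.

```powershell
# Added example, not from the original answer. Node names are assumptions.
$Nodes = 'adfs01.contoso.com', 'adfs02.contoso.com'

# Whether the farm manages self-signed token-signing/decrypting certificates itself.
$rollover = Invoke-Command -ComputerName $Nodes[0] -ScriptBlock {
    (Get-AdfsProperties).AutoCertificateRollover
}
Write-Host "AutoCertificateRollover: $rollover"

# Inventory every certificate each node reports, tagged with the node it came from.
$inventory = foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -ScriptBlock {
        Get-AdfsCertificate | ForEach-Object {
            [pscustomobject]@{
                Node       = $using:node
                Type       = $_.CertificateType
                IsPrimary  = $_.IsPrimary
                Thumbprint = $_.Thumbprint
                Subject    = $_.Certificate.Subject
                NotAfter   = $_.Certificate.NotAfter
            }
        }
    }
}

$inventory |
    Sort-Object Type, Node |
    Format-Table Node, Type, IsPrimary, Thumbprint, NotAfter -AutoSize

# Option 1 in the answer (one shared private key) means the primary thumbprint of each
# type is identical on every node. A difference is either option 2 (deliberately unique
# per node) or a node that never received the certificate; a missing entry is always a problem.
foreach ($type in ($inventory.Type | Sort-Object -Unique)) {
    $primary  = $inventory | Where-Object { $_.Type -eq $type -and $_.IsPrimary }
    $missing  = $Nodes | Where-Object { $_ -notin $primary.Node }
    $distinct = @($primary.Thumbprint | Sort-Object -Unique)

    if ($missing) {
        Write-Warning "$type : no primary certificate reported by $($missing -join ', ')"
    }
    if ($distinct.Count -eq 1) {
        Write-Host "$type : all reporting nodes use $($distinct[0])"
    } else {
        Write-Warning "$type : primary thumbprint differs between nodes"
        $primary | Format-Table Node, Thumbprint | Out-String | Write-Warning
    }
}
```

If AutoCertificateRollover is True, the token-signing and token-decrypting certificates are self-signed and held in the AD FS configuration database, so a node that joins the farm obtains them from there rather than from a manually imported PFX; a thumbprint that differs between nodes in that mode indicates a configuration-sync problem, not option 2. With rollover disabled and a CA-issued certificate, the export constraint the answer mentions applies: the private key must have been issued as exportable for option 1 to be possible at all.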
