Exchange 2016 AD FS certificate validity issue

hurry hao 221 Reputation points
2021-05-03T08:29:00.497+00:00

https://learn.microsoft.com/zh-cn/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2016#step-1-review-the-certificate-requirements-for-ad-fs

Referring to the above link, I see that Exchange needs to import the AD FS self-signed certificate; the default validity period is 30 days.

The command to set the validity period is Set-AdfsProperties -CertificateDuration <Days>

  1. What is the maximum value that can be set?
  2. If I have multiple AD FS servers, do I need to import a certificate on Exchange to trust each AD FS server?
  3. If I import the trusted AD FS certificate first, and then use the above command to update the validity time of the certificate, do I need to re-import and trust it on Exchange?

1 answer

  1. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2021-05-03T21:40:05.92+00:00

    The default validity time for the self-signed Token Signing Certificate is 365 days (not 30).

    1. I am not sure of the maximum value. I have seen customers with 3 years (that's the longest I have seen being used, but it is not the longest accepted value).
    2. The Token Signing Certificate (the cert required to create the trust) is a farm certificate. It is the same pair of keys on every node.
    3. The command takes effect only at the next certificate generation cycle.
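The following PowerShell is an added example, not part of the question or the answer above. It shows what the answer describes in practice: reading the farm's current CertificateDuration and the primary token-signing certificate (the same thumbprint on every farm node), changing the duration (which only affects certificates generated from then on), and exporting the public certificate for the Exchange side. It assumes the farm uses AD FS auto-generated self-signed token-signing certificates (AutoCertificateRollover enabled) and is run on an AD FS node as an AD FS administrator. The 730-day value, the output path and the Exchange-side values (adfs.contoso.com, mail.contoso.com) are placeholders chosen for illustration.

```powershell
# Added example (not from the Q&A thread). Run on an AD FS farm node as an AD FS admin.
# Assumes self-signed, auto-rolled token-signing certificates:
#   (Get-AdfsProperties).AutoCertificateRollover -eq $true
Import-Module ADFS

# 1. Current certificate settings of the farm.
$props = Get-AdfsProperties
"CertificateDuration (days):            $($props.CertificateDuration)"
"AutoCertificateRollover:               $($props.AutoCertificateRollover)"
"CertificateGenerationThreshold (days): $($props.CertificateGenerationThreshold)"
"CertificatePromotionThreshold (days):  $($props.CertificatePromotionThreshold)"

# 2. The primary token-signing certificate. It is a farm certificate, so this
#    thumbprint and key pair are identical on every node; one export covers the farm.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"Primary token-signing thumbprint: $($primary.Thumbprint)"
"  NotBefore: $($primary.Certificate.NotBefore)"
"  NotAfter:  $($primary.Certificate.NotAfter)"

# 3. Change the duration. This does NOT change the certificate above; its NotAfter
#    stays as is. The new value is used the next time AD FS generates a certificate
#    (when the current one is within CertificateGenerationThreshold days of expiry).
Set-AdfsProperties -CertificateDuration 730     # placeholder: 2 years

# 4. Optional: generate a certificate with the new duration right now instead of waiting.
#    Without -Urgent the new certificate is added as secondary and promoted to primary
#    after CertificatePromotionThreshold days, giving relying parties time to pick it up.
#    With -Urgent it becomes primary immediately and the old one is removed, so any
#    relying party that pins the thumbprint (Exchange does, see below) breaks until
#    it is updated. Uncomment deliberately.
# Update-AdfsCertificate -CertificateType Token-Signing
# Update-AdfsCertificate -CertificateType Token-Signing -Urgent

# 5. Export the public certificate (no private key) for import on the Exchange side.
#    Re-run step 2 first if you rolled the certificate in step 4, so you export the new primary.
$outFile = Join-Path $env:TEMP 'adfs-token-signing.cer'   # placeholder path
$bytes = $primary.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $bytes)
"Exported $outFile"

# 6. Exchange side (Exchange Management Shell, from the article linked in the question):
#    Exchange pins the token-signing thumbprint, so after every rollover the thumbprint
#    configured here must be updated to the new primary, otherwise OWA/ECP sign-in fails.
#    Placeholder host names; replace with your own.
# Set-OrganizationConfig -AdfsIssuer https://adfs.contoso.com/adfs/ls/ `
#     -AdfsAudienceUris "https://mail.contoso.com/owa","https://mail.contoso.com/ecp" `
#     -AdfsSignCertificateThumbprint $primary.Thumbprint
```

A cheap check to schedule on the Exchange side is to compare the thumbprint returned by Get-OrganizationConfig with the current AD FS primary (from Get-AdfsCertificate on any farm node, or from the federation metadata); a mismatch means a rollover happened and Set-OrganizationConfig has not been re-run.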
