exchange 2016 adfs Certificate validity issue

hurry hao 221 Reputation points
2021-05-03T08:29:00.497+00:00

https://learn.microsoft.com/zh-cn/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2016#step-1-review-the-certificate-requirements-for-ad-fs

Referring to the above link, I see that Exchange needs to import the AD FS self-signed certificate; the default validity period is 30 days.

The command to set the validity period is: Set-AdfsProperties -CertificateDuration <Days>

  1. What is the maximum value that can be set?
  2. If I have multiple AD FS servers, do I need to import a certificate on Exchange to trust each AD FS server?
  3. If I import and trust the AD FS certificate first, and then use the above command to update the certificate's validity period, do I need to re-import and trust it on Exchange?
Active Directory Federation Services

1 answer

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-05-03T21:40:05.92+00:00

    The default validity time for the self-signed Token Signing Certificate is 365 days (not 30).

    1. I am not sure of the maximum value. I have seen customers with 3 years (that's the longest I have seen being used, but it is not the longest accepted value).
    2. The Token Signing Certificate (the cert required to create the trust) is a farm certificate. It is the same pair of keys on every node.
    3. The command takes effect only for the next certificate generation cycle.
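The following script is an added example written for this thread; it is not code from the question, the answer, or the linked Microsoft article. It shows the three points above in practice: reading the farm-wide CertificateDuration and automatic rollover setting, listing the farm's token-signing certificate(s) with their expiry and thumbprint, exporting the public part of the primary certificate for import on the Exchange servers, and checking on the Exchange side whether the trusted thumbprint still matches after a rollover. It assumes an elevated session on an AD FS server with the ADFS PowerShell module for the first three functions, and an Exchange Management Shell session for the last one (the AdfsSignCertificateThumbprint property and parameter of Get-/Set-OrganizationConfig are assumed from the linked article). The export path is a placeholder.

```powershell
# Added example for this thread (not from the question or the answer).
# Run on an AD FS server with the ADFS module available.
Import-Module ADFS -ErrorAction Stop

function Get-AdfsCertificateLifetimeSettings {
    # CertificateDuration applies only to the NEXT self-signed certificate AD FS
    # generates; it does not change the certificate currently in use.
    $props = Get-AdfsProperties
    [pscustomobject]@{
        CertificateDurationDays = $props.CertificateDuration
        AutoCertificateRollover = $props.AutoCertificateRollover
    }
}

function Get-AdfsTokenSigningSummary {
    # The token-signing certificate is a farm certificate: every node reports the
    # same key pair, so one export covers the whole farm, not one per server.
    Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
        [pscustomobject]@{
            Role       = if ($_.IsPrimary) { 'Primary' } else { 'Secondary' }
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.Certificate.NotBefore
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
        }
    }
}

function Export-AdfsPrimaryTokenSigningCert {
    param(
        # Placeholder path; change to wherever you stage files for the Exchange servers.
        [string]$Path = 'C:\temp\adfs-token-signing.cer'
    )
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    # Export the public certificate only (DER). The private key never leaves AD FS.
    $der = $primary.Certificate.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    [pscustomobject]@{ Path = $Path; Thumbprint = $primary.Thumbprint }
}

# --- Exchange side (assumed: run in the Exchange Management Shell) ---------------
function Test-ExchangeAdfsSigningTrust {
    param(
        # Thumbprint of the CURRENT primary AD FS token-signing certificate,
        # taken from Get-AdfsTokenSigningSummary on the AD FS farm.
        [Parameter(Mandatory)] [string]$AdfsPrimaryThumbprint
    )
    $org = Get-OrganizationConfig
    $configured = $org.AdfsSignCertificateThumbprint
    # After a rollover (automatic, or Update-AdfsCertificate), AD FS signs with a new
    # key pair; Exchange keeps trusting the old thumbprint until it is updated, so
    # this is the check to run after any certificate generation cycle.
    $inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object Thumbprint -eq $AdfsPrimaryThumbprint)
    [pscustomobject]@{
        ConfiguredThumbprint = $configured
        AdfsPrimaryThumbprint = $AdfsPrimaryThumbprint
        ThumbprintMatches     = ($configured -eq $AdfsPrimaryThumbprint)
        PresentInTrustedRoot  = $inRootStore
        ActionNeeded          = -not ($configured -eq $AdfsPrimaryThumbprint -and $inRootStore)
    }
}

# Usage on the AD FS server:
#   Get-AdfsCertificateLifetimeSettings
#   Get-AdfsTokenSigningSummary
#   Export-AdfsPrimaryTokenSigningCert -Path 'C:\temp\adfs-token-signing.cer'
#   Set-AdfsProperties -CertificateDuration 1095   # affects only the next generated cert
# Usage on the Exchange server (EMS), with the thumbprint from the AD FS output:
#   Test-ExchangeAdfsSigningTrust -AdfsPrimaryThumbprint '<thumbprint from AD FS>'
```

Because Exchange pins the trust to a thumbprint, the practical consequence of answer point 3 is that changing CertificateDuration is harmless for the existing trust, but every later rollover produces a new thumbprint that must be re-imported and re-configured on Exchange; scheduling Test-ExchangeAdfsSigningTrust ahead of the NotAfter date reported by Get-AdfsTokenSigningSummary catches that before sign-in breaks.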