Set-SPSecurityTokenServiceConfig

Updates the settings of the SharePoint security token service (STS) identity provider.

Syntax

Set-SPSecurityTokenServiceConfig
   -QueueSigningCertificateThumbprint <String>
   [-AssignmentCollection <SPAssignmentCollection>]
   [-Confirm]
   [-FormsTokenLifetime <Int32>]
   [-MaxLogonTokenCacheItems <Int32>]
   [-MaxServiceTokenCacheItems <Int32>]
   [-QueueSigningCertificateStoreName <String>]
   [-ServiceTokenCacheExpirationWindow <Int32>]
   [-ServiceTokenLifetime <Int32>]
   [-WhatIf]
   [-WindowsTokenLifetime <Int32>]
   [<CommonParameters>]
Set-SPSecurityTokenServiceConfig
   -RevokeSigningCertificateThumbprint <String>
   [-AssignmentCollection <SPAssignmentCollection>]
   [-Confirm]
   [-FormsTokenLifetime <Int32>]
   [-MaxLogonTokenCacheItems <Int32>]
   [-MaxServiceTokenCacheItems <Int32>]
   [-RevokeSigningCertificateStoreName <String>]
   [-ServiceTokenCacheExpirationWindow <Int32>]
   [-ServiceTokenLifetime <Int32>]
   [-WhatIf]
   [-WindowsTokenLifetime <Int32>]
   [<CommonParameters>]
Set-SPSecurityTokenServiceConfig
   -SigningCertificateThumbprint <String>
   [-AssignmentCollection <SPAssignmentCollection>]
   [-Confirm]
   [-FormsTokenLifetime <Int32>]
   [-MaxLogonTokenCacheItems <Int32>]
   [-MaxServiceTokenCacheItems <Int32>]
   [-ServiceTokenCacheExpirationWindow <Int32>]
   [-ServiceTokenLifetime <Int32>]
   [-SigningCertificateStoreName <String>]
   [-WhatIf]
   [-WindowsTokenLifetime <Int32>]
   [-QueueSigningCertificateThumbprint <String>]
   [-QueueSigningCertificateStoreName <String>]
   [<CommonParameters>]
Set-SPSecurityTokenServiceConfig
   [-AssignmentCollection <SPAssignmentCollection>]
   [-Confirm]
   [-FormsTokenLifetime <Int32>]
   [-ImportSigningCertificate <X509Certificate2>]
   [-MaxLogonTokenCacheItems <Int32>]
   [-MaxServiceTokenCacheItems <Int32>]
   [-ServiceTokenCacheExpirationWindow <Int32>]
   [-ServiceTokenLifetime <Int32>]
   [-WhatIf]
   [-WindowsTokenLifetime <Int32>]
   [<CommonParameters>]
Set-SPSecurityTokenServiceConfig
   [-AssignmentCollection <SPAssignmentCollection>]
   [-Confirm]
   [-FormsTokenLifetime <Int32>]
   [-MaxLogonTokenCacheItems <Int32>]
   [-MaxServiceTokenCacheItems <Int32>]
   [-QueueSigningCertificate <X509Certificate2>]
   [-ServiceTokenCacheExpirationWindow <Int32>]
   [-ServiceTokenLifetime <Int32>]
   [-WhatIf]
   [-WindowsTokenLifetime <Int32>]
   [<CommonParameters>]
Set-SPSecurityTokenServiceConfig
   [-AssignmentCollection <SPAssignmentCollection>]
   [-Confirm]
   [-FormsTokenLifetime <Int32>]
   [-MaxLogonTokenCacheItems <Int32>]
   [-MaxServiceTokenCacheItems <Int32>]
   [-RevokeSigningCertificate <X509Certificate2>]
   [-ServiceTokenCacheExpirationWindow <Int32>]
   [-ServiceTokenLifetime <Int32>]
   [-WhatIf]
   [-WindowsTokenLifetime <Int32>]
   [<CommonParameters>]

Description

This cmdlet contains more than one parameter set. You may only use parameters from one parameter set and you may not combine parameters from different parameter sets. For more information about how to use parameter sets, see Cmdlet parameter sets.

The Set-SPSecurityTokenServiceConfig cmdlet updates the settings of the SharePoint security token service (STS) identity provider. If a certificate file is used, the certificate must be an X509 certificate with private keys, otherwise an exception is raised.

This cmdlet operates only with certificates that can be exported. To create a certificate which can be used in this cmdlet specify the X509KeyStorageFlags.Exportable bit in the keyStorageFlags parameter of the x509Certificate2 object constructor.

For permissions and the most current information about Windows PowerShell for SharePoint Products, see the online documentation at SharePoint Server Cmdlets.

Examples

--------------------EXAMPLE 1---------------------

Set-SPSecurityTokenServiceConfig -SigningCertificateThumbprint "2796BAE63F1801E277261BA0D77770028F20EEE4"

This example updates the signing certificate of the SharePoint security token service (STS) identity provider with a certificate that has been deployed in the certificate store.

--------------------EXAMPLE 2---------------------

$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\sts.pfx","a",20
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCert

This example imports the signing certificate for the SharePoint STS identity provider.

Parameters

-AssignmentCollection

Manages objects for the purpose of proper disposal. Use of objects, such as SPWeb or SPSite, can use large amounts of memory and use of these objects in Windows PowerShell scripts requires proper memory management. Using the SPAssignment object, you can assign objects to a variable and dispose of the objects after they are needed to free up memory. When SPWeb, SPSite, or SPSiteAdministration objects are used, the objects are automatically disposed of if an assignment collection or the Global parameter is not used.

When the Global parameter is used, all objects are contained in the global store. If objects are not immediately used, or disposed of by using the Stop-SPAssignment command, an out-of-memory scenario can occur.

Type:SPAssignmentCollection
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-Confirm

Prompts you for confirmation before executing the command. For more information, type the following command: get-help about_commonparameters

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-FormsTokenLifetime

Specifies the expiration time, in minutes, for tokens issued to ASP.NET Membership Provider and Role providers. The default value is 1380.

The type must be a valid integer.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-ImportSigningCertificate

Specifies the X.509 certificate object from trusted authentication provider farm.

The type must be a name of a valid X.509 certificate; for example, Certificate1.

Type:X509Certificate2
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-MaxLogonTokenCacheItems

Specifies the maximum number of entries for the in-memory logon token cache. The default value is 250 entries.

The type must be a valid integer.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-MaxServiceTokenCacheItems

Specifies the maximum number of entries for the in-memory service token cache. The default value is 250 entries.

The type must be a valid integer.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-QueueSigningCertificate

Sets the provided certificate as the queued signing certificate.

Type:X509Certificate2
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-QueueSigningCertificateStoreName

The store to search in when looking up a certificate to be set as the queued signing certificate by its thumbprint. Required if QueueSigningCertificateThumbprint was specified.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-QueueSigningCertificateThumbprint

Sets the certificate with the provided thumbprint as the queued signing certificate.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-RevokeSigningCertificate

Revokes the signing certificate that matches the provided certificate.

Type:X509Certificate2
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-RevokeSigningCertificateStoreName

The store to search when looking up a certificate to be revoked by its thumbprint. Required if the QueueSigningCertificateThumbprint was specified.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-RevokeSigningCertificateThumbprint

Revoke the signing certificate with the provided thumbprint.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-ServiceTokenCacheExpirationWindow

Specifies the interval, in minutes, for automatically renewing the token in the cache. The default value is 2 minutes.

The type must be a valid integer.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-ServiceTokenLifetime

Specifies the expiration time, in minutes, for the security token service cache. The default value is 15 minutes.

The type must be a valid integer.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-SigningCertificateStoreName

Specifies the certificate store where the signing certificate resides. The identity store for an identity provider can be a SQL database table, an Active Directory Domain Services (AD DS), or Active Directory Lightweight Directory Service (AD LDS).

The type must be a valid identity of a signing certificate store; for example IdentityStore1.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-SigningCertificateThumbprint

Specifies the thumbrpint of the signing certificate.

The type must be a valid identity of a signing certificate; for example 2796BAE63F1801E277261BA0D77770028F20EEE4.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-WhatIf

Displays a message that describes the effect of the command instead of executing the command. For more information, type the following command: get-help about_commonparameters

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition

-WindowsTokenLifetime

Specifies the expiration time, in minutes, for tokens issued to Windows users. The default value is 1380 minutes.

The type must be a valid integer.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:SharePoint Server Subscription Edition