ADFS Token Signing Certificate

To renew the ADFS Token Signing Certificate is an every year come back task except if you have set the token not to expire after 365 days. The procedure we use and I describe in this post is based on this straight forward article posted by Andi Sichel on his Blog > adfs-exchange-wap-1-jahr-nach-der-installation

First let’s get clear with the meaning of some relevant attributes and values appearing in the output of the following command :

Get-ADFSProperties | fl

CertficateGenerationThreshold :
Has by default a value of 20 ( days ) . This means that 20 days before the current primary ADFS Token Signing Certificate expires , a secondary certificate will be generated ( this will be the new ADFS Token Signing Certificate after the current one expires ). This one will be visible as secondary ADFS Token Signing Certificate in the ADFS Management Console.

AutoCertificateRollover :
The default value of this attribute should be set to $True and should only be changed to $False for the time when the automatically created secondary ADSF Token Signing Certificate will be assigned as primary ADFS Token Signing Certificate.

CertificatePromotionThreshold :
This attribute is important and should be monitored before the upcoming expiration of the current ADFS Token Signing Certificate. It defines after how many days ( counting from the creation date of the secondary ADFS Token Signing certificate ) the new certificate will be defined automatically as primary. If the value of this attribute is set to 15 it means that the secondary certificate will be assigned as primary automatically after 15 days.
Based on the example above the servers should be updated with the thumbprint of the new certificate maximum 15 days ( better earlier ) after the creation of the secondary ADFS Token Signing Certificate.

Here we go :

1On your ADFS Server open the ADFS Console :
Server Manager > Tools > AD FS Management > ADFS > Services > Certificates

You will see the newly generated certificate as secondary certificate :
Right-click on it > View Certificate > Details > Copy To File > Next > choose DER > choose File Location > Export

[ in this phase you will notice that the Set Primary option on the secondary certificate is grayed out ]

2Copy the just exported secondary certficate to all Exchange Servers with a CAS role.
If needed copy the just exported certificate to all applications servers interacting via ADFS with your Exchange environment.

3Import the certficate on all servers where you have exported the certificate :
MMC > Add/Remove Snap-in > Certificates > Computer Account > Next > Finish > Ok

Expand Trusted Root Certificates :
Right-click on Certificates > All Tasks > Import > Local Machine > Choose the exported certificate > Next > Next > Finish

4Open an elevated Power Shell window on your ADFS Server and issue the following command :

Get-ADFSProperties | *cert* | fl

Set the value of the AutoCertificationRollover attribute to $False :

Set-ADFSProperties -AutoCertificationRollover $False

Open the AD FS Management Console and set the secondary ADFS Token Signing Certificate as primary.
Do the same with the ADFS Encryption Certificate ( under Token-decrypting ).

From this point on you will have an interruption in your ADFS services until the new primary ADFS Token Signing Certificate has been introduced on the Exchange Servers with CAS role. We do this in step 6 !

After the new certificates ( ADFS Token Signing and ADFS Encryption ) have been assigned as primary set the AutoCertificationRollover attribute to $True again :

Set-ADFSProperties -AutoCertificationRollover $True

5Copy the thumbprint of the new ADFS Token Signing Certificate.

In the elevated ADFS Powershell use the following command :

Get-ADFSCertificate -CertificateType “Token Signing” | Fl

In case of more certificates focus on the ‘not Before’ and ‘not After’ date to find the current primary certificate !
Copy the thumbprint.

Introduce the new ADFS Token Signing Certificate thumbprint on the Exchange Servers with CAS Role.

Open an elevated Exchange Powershell and paste the thumbprint at the end of the following command :

Set-OrganizationConfig -ADFSSignCertificateThumbprint ThumbprintGoesHere

Make an iisreset /noforce on all Exchange Servers with CAS role installed.

Perform a login via OWA to check that it works.


Leave a Reply

Your email address will not be published. Required fields are marked *