ADFS Server Core Token Signing Certificate


Hi there, we have upgraded our servers. Our ADFS servers are now running on Windows Server 2019 Core. As a result, the yearly renewal of the Token Signing Certificate can only be done via PowerShell.

I have just finished the renewal of the Token Signing Certificate via PowerShell in our test environment. In this post, I will sum up the steps.

In case you want to renew the Token Signing Certificate via the GUI on a server with a desktop experience, see this post: Renew ADFS Token Signing Certificate

Let's start with a short description of the relevant ADFS properties (Get-AdfsProperties | fl *cert*):

CertificateGenerationThreshold :

Has a default value of 20 (days). That means that 20 days before the current primary ADFS Token Signing Certificate expires, a secondary certificate will be generated (this will become the new certificate after the current one expires). You can check whether the secondary certificate has already been created with the following commands:

Get-AdfsCertificate -CertificateType Token-Signing
Get-AdfsCertificate -CertificateType Token-Decrypting

When the secondary certificate exists, the output should list at least two certificates. Focus on the certificate whose IsPrimary attribute is set to False. Verify that its Not Before date is correct.

AutoCertificateRollover :

The default value of this attribute is $True, and it should only be changed to $False for the time during which the automatically created secondary certificate is assigned as the primary ADFS certificate. When you manually renew the Token Signing Certificate, this must be set to $False; otherwise, the secondary certificate will be promoted to primary automatically. Web logins to the application servers will not be possible until the new certificate has been introduced on the affected application servers.

CertificatePromotionThreshold :

This attribute is important and should be monitored before the upcoming expiration of the current ADFS Token Signing Certificate. It defines after how many days (counting from the creation date of the secondary ADFS certificate) the new certificate is automatically made primary.
If the value of this attribute is set to 15, the secondary certificate will be assigned as primary automatically after 15 days.
Based on this example, the application servers must be updated with the thumbprint of the new certificate within 15 days (better earlier) after the creation of the secondary ADFS Token Signing Certificate.

CertificateRolloverInterval :

Defines the interval in minutes at which ADFS checks whether a new certificate needs to be generated. The default value is 720. If you have adjusted the values above according to their meaning and your needs, you can lower this value to 5 minutes, for instance, to have the secondary certificate generated if it does not exist yet. Set it back to the default afterward.

Microsoft describes these properties here.
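The four properties above together define a timeline: the secondary certificate appears CertificateGenerationThreshold days before the primary expires, and it is promoted CertificatePromotionThreshold days after it was created. The following script is an added example, not part of the original post, that reads those values and the certificates from the ADFS server and prints the dates that matter, warning when the automatic promotion is close. It treats the secondary certificate's Not Before date as its creation date (an assumption that matches the check described above) and expects to run on the ADFS server with the ADFS module available.

```powershell
# Added example (not from the original post): compute the rollover timeline
# from the ADFS properties and warn when the promotion window is about to close.
# Assumption: the secondary certificate's NotBefore date equals its creation date.
$props     = Get-AdfsProperties
$signing   = Get-AdfsCertificate -CertificateType Token-Signing
$primary   = $signing | Where-Object { $_.IsPrimary }
$secondary = $signing | Where-Object { -not $_.IsPrimary } | Select-Object -First 1

$expires        = $primary.Certificate.NotAfter
$generationDate = $expires.AddDays(-$props.CertificateGenerationThreshold)

"Primary Token-Signing thumbprint : {0}" -f $primary.Thumbprint
"Primary expires                  : {0:yyyy-MM-dd}" -f $expires
"Secondary expected on/after      : {0:yyyy-MM-dd}" -f $generationDate
"AutoCertificateRollover          : {0}" -f $props.AutoCertificateRollover
"Rollover check interval (min)    : {0}" -f $props.CertificateRolloverInterval

if ($secondary) {
    # Promotion happens CertificatePromotionThreshold days after the secondary was created,
    # so every application server must know the new thumbprint before that date.
    $created   = $secondary.Certificate.NotBefore
    $promotion = $created.AddDays($props.CertificatePromotionThreshold)
    $daysLeft  = [int][Math]::Floor(($promotion - (Get-Date)).TotalDays)

    "Secondary thumbprint             : {0}" -f $secondary.Thumbprint
    "Secondary created (NotBefore)    : {0:yyyy-MM-dd}" -f $created
    "Automatic promotion on/after     : {0:yyyy-MM-dd} ({1} days left)" -f $promotion, $daysLeft

    if ($props.AutoCertificateRollover -and $daysLeft -le 5) {
        Write-Warning "Automatic promotion is imminent. Roll the new thumbprint out to the application servers now."
    }
} else {
    $daysToGeneration = [int][Math]::Floor(($generationDate - (Get-Date)).TotalDays)
    "No secondary Token-Signing certificate yet ({0} days until generation is due)." -f $daysToGeneration
}
```

Running this once a day (for example from a scheduled task that writes the output to a log) gives you the dates to plan the application-server updates around, instead of discovering the promotion after web logins have already started to fail.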


With that being said, we are good to go. Log on to your ADFS Server Core.

1 - Query the secondary Token Signing and Decrypting certificates

Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $False}

Note the thumbprints. You will need them later.

2 - Export the secondary Token Signing Certificate

Export the certificate to a location you can reach from the application servers. I usually export the cert to a local folder on the ADFS server.

# Select the secondary (IsPrimary = False) Token Signing certificate
$certRefs = Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
# Export the public certificate only (DER encoded .cer, no private key)
$certBytes = $certRefs[0].Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\PathToExportFolder\CertName.cer", $certBytes)

3 - Import the certificate from your ADFS Server Core to all Exchange servers

The certificate will be imported into the Trusted Root Certification Authorities store of LocalMachine:

Import-Certificate -FilePath \\ADFSServerName\c`$\PathToExportFolderOnADFSServer\CertName.cer -CertStoreLocation Cert:\LocalMachine\Root

You can check that the certificate has been imported successfully via a remote MMC from a GUI server:

MMC > Add/Remove Snap-in > Certificates > Computer account > This snap-in will manage: Another computer > Enter the name of the server on which you have just imported the certificate.

Navigate to ServerName\Trusted Root Certification Authorities > Certificates and verify that the imported ADFS Signing certificate is listed there.

Of course, you can check it with PowerShell as well:

Set-Location -Path Cert:\LocalMachine\Root
Get-ChildItem | where {$_.Subject -like "*ADFS*"} | fl

4 - Promote the new secondary certificate to primary on ADFS Server Core

After this step, logins to web services on the involved application servers that use ADFS will not be possible until the new certificate has been introduced on the application servers! (E.g. Exchange OWA)

Set AutoCertificateRollover to False to be able to promote your secondary certificate to primary:

Set-ADFSProperties -AutoCertificateRollover $False

Query the thumbprint of the new Token Signing and Decrypting certificates:

Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $False}

Note the thumbprint of both certificates.

Promote both secondary certificates (Token Signing and Decrypting) to primary:

Set-AdfsCertificate -IsPrimary -CertificateType "Token-Signing" -Thumbprint ThumbprintGoesHere
Set-AdfsCertificate -IsPrimary -CertificateType "Token-Decrypting" -Thumbprint ThumbprintGoesHere

However, I got an error here stating that I need to add the certificate first. When I tried to add the Token Signing certificate on ADFS Server Core:

Add-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}

The output was a message stating the certificate is already added.

I think you need to wait a little bit after you set AutoCertificateRollover to True. Several tries later it succeeded. To be honest I could not identify the cause – I just assume it could have been the elapsed time after I set AutoCertificateRollover to True.

Verify that the new certificates have the primary status:

Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $True}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $True}

Switch AutoCertificateRollover back to True:

Set-ADFSProperties -AutoCertificateRollover $True

Check it:

Get-ADFSProperties | fl *cert*

AutoCertificateRollover should be True!

5 - Introduce the new Token Signing Certificate to the Exchange organization

It is enough to run the following command once from an Exchange Server within your organization:

Set-OrganizationConfig -AdfsSignCertificateThumbprint ADFSTokenSigningCertThumbprint

Verify the AdfsSignCertificateThumbprint:

Get-OrganizationConfig | select adfs*

Restart IIS:

iisreset /noforce

Or restart IIS remotely:

Invoke-Command -ComputerName "ServerName" -ScriptBlock {iisreset /noforce}

Now try to log in via the web frontend of your application servers (e.g. an Outlook on the Web login).
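Steps 1 to 5 above are one procedure, and the part that hurts when it goes wrong is the gap between step 4 (promotion) and step 5 (Exchange learns the new thumbprint). The script below is an added example, not code from the original post, that runs the whole procedure from the ADFS Server Core and verifies each step before moving on: it checks that the thumbprint imported on every Exchange server is exactly the one ADFS holds, that the promotion actually took effect, and that Exchange reports the new thumbprint before IIS is recycled. The server names and the export path are constructed placeholders; running the Exchange cmdlets over PowerShell remoting by loading the Exchange snap-in is an assumption, since the post runs Set-OrganizationConfig directly on an Exchange server.

```powershell
# Added example (not from the original post): the renewal as one verified run.
# Run on the ADFS Server Core. Placeholders (constructed): $exchangeServers, $exportPath.
$exchangeServers = @('EXCH01', 'EXCH02')                 # placeholder server names
$exportPath      = 'C:\AdfsExport\TokenSigning.cer'      # placeholder local path on the ADFS server

# Step 1/2: identify the secondary certificates and export the Token-Signing public cert.
$secondary = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { -not $_.IsPrimary } | Select-Object -First 1
if (-not $secondary) { throw 'No secondary Token-Signing certificate found. Check CertificateGenerationThreshold.' }
$secondaryDecrypt = Get-AdfsCertificate -CertificateType Token-Decrypting |
    Where-Object { -not $_.IsPrimary } | Select-Object -First 1

$null  = New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force
$bytes = $secondary.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $bytes)
"Exported secondary Token-Signing cert {0} to {1}" -f $secondary.Thumbprint, $exportPath

# Step 3: import into LocalMachine\Root on every Exchange server and compare thumbprints,
# so a stale or wrong .cer cannot slip through unnoticed.
foreach ($server in $exchangeServers) {
    $imported = Invoke-Command -ComputerName $server -ArgumentList $bytes -ScriptBlock {
        param([byte[]]$raw)
        $tmp = Join-Path $env:TEMP 'adfs-token-signing.cer'
        [System.IO.File]::WriteAllBytes($tmp, $raw)
        $cert = Import-Certificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\Root
        Remove-Item $tmp -Force
        $cert.Thumbprint
    }
    if ($imported -ne $secondary.Thumbprint) {
        throw "Thumbprint mismatch on $server : imported $imported, expected $($secondary.Thumbprint)"
    }
    "Verified {0} in LocalMachine\Root on {1}" -f $imported, $server
}

# Step 4: disable automatic rollover, promote both secondaries, confirm, re-enable rollover.
Set-AdfsProperties -AutoCertificateRollover $false
Set-AdfsCertificate -IsPrimary -CertificateType Token-Signing -Thumbprint $secondary.Thumbprint
if ($secondaryDecrypt) {
    Set-AdfsCertificate -IsPrimary -CertificateType Token-Decrypting -Thumbprint $secondaryDecrypt.Thumbprint
}
$newPrimary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($newPrimary.Thumbprint -ne $secondary.Thumbprint) { throw 'Promotion of the Token-Signing certificate did not take effect.' }
Set-AdfsProperties -AutoCertificateRollover $true
"Promoted {0} to primary; AutoCertificateRollover is {1}" -f $newPrimary.Thumbprint, (Get-AdfsProperties).AutoCertificateRollover

# Step 5: register the new thumbprint in Exchange once (assumption: Exchange snap-in loaded
# remotely), verify it, then recycle IIS on all Exchange servers.
$configured = Invoke-Command -ComputerName $exchangeServers[0] -ArgumentList $secondary.Thumbprint -ScriptBlock {
    param([string]$tp)
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
    Set-OrganizationConfig -AdfsSignCertificateThumbprint $tp
    (Get-OrganizationConfig).AdfsSignCertificateThumbprint
}
if ("$configured" -notlike "*$($secondary.Thumbprint)*") { throw "Exchange reports '$configured', expected $($secondary.Thumbprint)" }
Invoke-Command -ComputerName $exchangeServers -ScriptBlock { iisreset /noforce }
"Done. Test an Outlook on the Web login now."
```

Every throw stops the run before the next step, so the longest a failed run can leave the environment is at the state of the last verified step; if it stops after step 4, AutoCertificateRollover is still $false and the old thumbprint is still the one Exchange knows, which is exactly the situation the warning under step 4 describes, and the output tells you so.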

That's it!

Stay healthy!