ADFS – Webbanshee

ADFS Server Core Token Signing Certificate

WebBanshee — Wed, 27 Oct 2021 10:38:03 +0000

Hi there, we have upgraded our servers. ADFS servers are running on Windows Server 2019 Core now. Therewith the method of the yearly renewal of the Token Signing Certificate has changed to PowerShell only.

I have just finished the renewal of the Token Signing Certificate via Powershell in our test environment. In this post, I will sum up the steps.

In case you want to renew the Token Signing certificate via GUI on an appropriate server see this post: Renew ADFS Token Signing Certificate

Let’s start with a short description of relevant ADFS properties: [Get-ADFSProperties | fl *cert*]

CertficateGenerationThreshold :

Has by default a value of 20 ( days ). That means that 20 days before the current primary ADFS Token Signing Certificate expires, a secondary certificate will be generated ( this will be the new cert after the current one expires ). You can check if the secondary certificate has already been created withe the following commands:

Get-AdfsCertificate -CertificateType Token-Signing
Get-AdfsCertificate -CertificateType Token-Decrypting

When the secondary certificate exists the ouput should list minimum two certificates. Focus on the certificate which has the attribute IsPrimary set to False. Verify that the Not Before: date is correct.

AutoCertificateRollover :

The default value of this attribute should be set to $True and should only be changed to $False for the time when the automatically created secondary certificate will be assigned as the primary ADFS certificate. When you manually renew the Token Signing Certificate this should always be set to $False. Otherwise, the secondary certificate will be promoted as the primary certificate automatically. Web logins to application servers will not be possible until the new certificate has not been introduced on the affected application servers.

CertificatePromotionThreshold :

This attribute is important and should be monitored before the upcoming expiration of the current ADFS Token Signing Certificate. It defines after how many days ( counting from the creation date of the secondary ADFS certificate ) the new certificate will be defined automatically as primary.
If the value of this attribute is set to 15 it means that the secondary certificate will be assigned as primary automatically after 15 days.
Based on the example above the servers should be updated with the thumbprint of the new certificate maximum of 15 days ( better earlier ) after the creation of the secondary ADFS Token Signing Certificate.

CertificateRolloverInterval :

Defines the interval in minutes at which ADFS checks if a new certificate needs to be generated. The default value is 720. If you change the values above accordingly to their meaning and your needs you can lower this value to 5 minutes for instance to generate the secondary certificate if it has not been generated yet. Set it back to default afterward.

Microsoft describes these properties here.

With that being said we are good to go. Log on to your ADFS Server Core.

Query the secondary Token Signing and Decrypting certificates

Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $False}

Note the thumbprints. You will need them later.

Export the secondary Token Signing Certificate

Export the certificate to a location you can reach from the application servers. I usually export the cert to a local folder on the ADFS server.

$certRefs=Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
$certBytes=$certRefs[0].Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes(“C:\PathToExportFolder\CertName.cer”, $certBytes)

Import the certificate from your ADFS Server Core to all Exchange servers

The certificate will be imported to the Trusted Root Certification Authority of LocalMachine:

Import-Certificate -FilePath \\ADFSServerName\c`$\PathToExportFolderOnADFSServer\CertName.cer -CertStoreLocation Cert:\LocalMachine\Root

You can check that the certificate has been imported successfully via remote MMC from a GUI server:

MMC > Add/Remove Snap-in > Certificates > Computername > This snap-in will manage: Another Computer > Enter the ServerName where you just have imported the certificate.

Navigate to ServerName\Trusted Root Certification Authorities > Certificates and verify that the imported ADFS Signing certificate is there.

Of course you can check it with PowerShell as well:

Set-Location -Path cert:\LocalMachine\root
Get-ChildItem | where {$_.subject -like “*ADFS*”} | fl

Promote the new secondary certificate to primary on ADFS Server Core

After this logins to web services on the involved application servers using ADFS will not be possible until the new certificate has been introduced on the application servers! ( E.g. Exchange OWA )

Set AutoCertificationRollover to False to be able to promote your secondary certificate to primary:

Set-ADFSProperties -AutoCertificateRollover $False

Query the thumbprint of the new Token Signing and Decrypting certificates:

Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $False}

Note the thumbprint of both certificates.

Promote both secondary certificates ( Token Signing and Decrypting ) to primary:

Set-AdfsCertificate -IsPrimary -CertificateType “Token-Signing” -Thumbprint ThumbprintGoesHere
Set-AdfsCertificate -IsPrimary -CertificateType “Token-Decrypting” -Thumbprint ThumbprintGoesHere

However, I got an error here stating that I need to add the certificate first. When I tried to add the Token Signing certificate on ADFS Server Core:

Add-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}

The output was a message stating the certificate is already added.

I think you need to wait a little bit after you set AutoCertificateRollover to True. Several tries later it succeeded. To be honest I could not identify the cause – I just assume it could have been the elapsed time after I set AutoCertificateRollover to True.

Verify that the new certificates have the primary status:

Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $True}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $True}

Switch AutoCertificateRollover back to True:

Set-ADFSProperties -AutoCertificateRollover $True

Check it:

Get-ADFSProperties | fl *cert*

AutoCertificateRollover should be True!

Introduce the new Token Signing Certificate to the Exchange organization

It is enough to fire the following command once from an Exchange Server within your organization:

Set-OrganizationConfig -AdfsSignCertificateThumbprint ADFSTokenSigningCertThumbprint

Verify the AdfsSignCertificateThumbprint:

Get-OrganizationConfig | select adfs*

Restart IIS:

iisreset /noforce

Or Restart IIS remotely:

invoke-command -computername “ServerName” -scriptblock {iisreset /noforce}

Now try to login via web frontend to your application servers. ( try an Outlook on the Web login )

That’s it

Stay healthy!

The post ADFS Server Core Token Signing Certificate appeared first on Webbanshee.

Renew ADFS Token Signing Certificate

WebBanshee — Fri, 07 Jul 2017 05:22:59 +0000

To renew the ADFS Token Signing Certificate is an every year come back task except if you have set the token not to expire after 365 days. The procedure we use and I describe in this post is based on this straight forward article posted by Andi Sichel on his Blog > adfs-exchange-wap-1-jahr-nach-der-installation

You can also find a detailed description on how to do it with PowerShell only

First, let’s get clear with the meaning of some relevant attributes and values appearing in the output of the following command :

Get-ADFSProperties | fl

CertficateGenerationThreshold :
Has by default a value of 20 ( days ) . This means that 20 days before the current primary ADFS Token Signing Certificate expires , a secondary certificate will be generated ( this will be the new cert after the current one expires ). This one will be visible as secondary ADFS Token Signing Certificate in the ADFS Management Console.

AutoCertificateRollover :
The default value of this attribute should be set to $True and should only be changed to $False for the time when the automatically created secondary certificate will be assigned as the primary ADFS certificate.

CertificatePromotionThreshold :
This attribute is important and should be monitored before the upcoming expiration of the current ADFS Token Signing Certificate. It defines after how many days ( counting from the creation date of the secondary ADFS certificate ) the new certificate will be defined automatically as primary.
If the value of this attribute is set to 15 it means that the secondary certificate will be assigned as primary automatically after 15 days.
Based on the example above the servers should be updated with the thumbprint of the new certificate maximum 15 days ( better earlier ) after the creation of the secondary ADFS Token Signing Certificate.

Here we go :

1Export secondary ADFS Token Signing Certificate:

Open ADFS console on your ADFS server:
Server Manager > Tools > AD FS Management > ADFS > Services > Certificates

You will see the newly generated certificate as secondary certificate :
Right-click on it > View Certificate > Details > Copy To File > Next > choose DER > choose File Location > Export

[ in this phase you will notice that the Set Primary option on the secondary certificate is grayed out ]

To export the certificate via PowerShell:

$certRefs=Get-AdfsCertificate -CertificateType Token-Signing
$certBytes=$certRefs[0].Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes(“C:\ADFS-Certs\adfs-token-signing.cer”, $certBytes)

Change the export location in red as you like.

2Copy the exported certificate to your Exchange servers.

3Import the certficate on your Exchange servers:

MMC > Add/Remove Snap-in > Certificates > Computer Account > Next > Finish > Ok

Expand Trusted Root Certificates :
Right-click on Certificates > All Tasks > Import > Local Machine > Choose the exported certificate > Next > Next > Finish

To import the certificate via PowerShell:

Import-Certificate -FilePath “PathToTheCertficate” -CertStoreLocation Cert:\LocalMachine\Root

4Open an elevated PowerShell on your ADFS Server and type:

Get-ADFSProperties | *cert* | fl

Set the value of the AutoCertificationRollover attribute to $False :

Set-ADFSProperties -AutoCertificationRollover $False

Open the AD FS Management Console and set the secondary ADFS Token Signing Certificate as primary.

Do the same with the ADFS Encryption Certificate ( under Token-decrypting ).

From this point on you will have an interruption in your ADFS services until the new primary ADFS certificate has been introduced on the Exchange Servers with CAS role. We do this in step 6 !

After the new certificates ( ADFS Token Signing and ADFS Encryption ) have been assigned as primary set the AutoCertificationRollover attribute to $True again :

Set-ADFSProperties -AutoCertificationRollover $True

5Copy the Thumprint of the new ADFS Token Signing Certificate:

In an elevated ADFS Powershell use the following command :

Get-ADFSCertificate -CertificateType “Token Signing” | Fl

In case of more certificates focus on the ‘not Before’ and ‘not After’ date to find the current primary certificate! Copy the thumbprint.

6Introduce the new ADFS Token Signing Certificate on your Exchange Servers:

Open an elevated Exchange Powershell and paste the thumbprint at the end of the following command :

Set-OrganizationConfig -ADFSSignCertificateThumbprint ThumbprintGoesHere

Make an iisreset /noforce on all Exchange Servers with CAS role installed.

Perform a login via OWA to verify that it works.

Would you like to disable IPv6 on a Server Core ?
Disable IPv6

The post Renew ADFS Token Signing Certificate appeared first on Webbanshee.

OWA inbox not refreshing

WebBanshee — Wed, 15 Feb 2017 17:56:34 +0000

When your OWA inbox is not refreshing and new mails are not displayed automatically.
The mails are just displayed after a manual refresh of the inbox , or when you switch to another folder and back to inbox again.

This happens usually after being idle for some time in OWA.
Ok , this information is a starting point. We use ADFS servers in our environment.
ADFS provides cookies with expiry times to users and tokens with expiry times to relying application servers. ( in this case Exchange Servers ) .

First I open on the ADFS Server the Active Directory Module For Windows PowerShell :

Since you aren’t logged off after a certain time there is no need to check the SSOLifetime under ADFS Properties. Which is set to 12 hours in our environment. It is just the OWA inbox not refreshing.

It seems the session on application server level is timely limited and gets only alive after some manual interaction from user side.

So I check the relying party trust where I can see the cause for this behaviour :

Get-AdfsRelyingPartyTrust | select Identifier, Token* | fl

The TokenLifeTime for the Identifier which belongs to OWA is set to 60 ( in Minutes )

To raise the TokenLifeTime for OWA I use the following command :

Get-AdfsRelyingPartyTrust -Identifier “https://Your_OWA_URL/owa” | Set-AdfsRelyingPartyTrust -TokenLifetime 720

This raises the TokenLifeTime for the relying application URL ( in this case OWA ) to 12 hours or 720 minutes. The same LifeTime as the Cookie LifeTime for user sessions.

OWA inbox not refreshing problem solved !

The post OWA inbox not refreshing appeared first on Webbanshee.