Solved

AD FS Certificate question

Posted on 2015-01-03
3
376 Views
Last Modified: 2015-01-23
I am running ADFS, I have an ADFS Proxy and i have Office 365.  

Simply put my certificates have expired.  I am not ADFS expert but it is left to me to resolve so i need some assistance.  the cert was automatically renewed at godaddy.  i downloaded the cert to the primary ADFS Server and i have updated in ADFS Manager the Service Communication Certificate i restarted the server,  i can see that a separate certificate has been added under token signing that relates to the new certificate i have installed however it i set to Secondary and the option to set to primary is greyed out.

Also the Token Decrypt cert is also set to an old certificate,  i have automatic certificate renewal is set to true and i believe that this decrypting cert will also renew with time i am not sure.  i do not have the ability to auto add a cert due to this feature being enabled that said i am running server 2012.  is this the case?  Will the decrypt certificate automatically add.  also i need to set the secondary Token Signing certificate to Primary, as i stated it is greyed out.  i read something about a grace period where by it will automatically set itself to primary in about 5 days but this is no good for me if we have no service.  is there a way around it bearing in mind the old certificate is now expired.
0
Comment
Question by:ProjNet
3 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40529724
Take a look at the step-by-step guide here on how to update your ADFS certificates. If auto cert renewal is enabled it will do it for you.

Step-by-Step ADFS Certificates

Will.
0
 
LVL 38

Accepted Solution

by:
Vasil Michev (MVP) earned 500 total points
ID: 40530014
From what you are describing, seems like the communication cert has expired. The communication cert does not necessarily relate to the token signing/decrypting ones, and as such you shouldn't need to take any further action.

Double-check if the token certs are indeed self signed (as it should be with auto-renewal) and when they will expire. While the auto-renew feature will indeed issue a new cert, updating the metadata for the O365 and any other trusts still need to be performed. You can take advantage of the little script Microsoft provides to automate this process for O365: https://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

Again, this will only help for the O365 trust, if you have any other trusts they will need to be updated once the new certificate/metadata has been published.
0
 

Author Closing Comment

by:ProjNet
ID: 40566650
Thanks, we went through it all
0

Featured Post

Do email signature updates give you a headache?

Constantly trying to correctly format email signatures? Spending all of your time at every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

Synchronize a new Active Directory domain with an existing Office 365 tenant
If you don't know how to downgrade, my instructions below should be helpful.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
In a previous video Micro Tutorial here at Experts Exchange (http://www.experts-exchange.com/videos/1358/How-to-get-a-free-trial-of-Office-365-with-the-Office-2016-desktop-applications.html), I explained how to get a free, one-month trial of Office …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now