Solved

AD FS Certificate question

Posted on 2015-01-03
3
574 Views
Last Modified: 2015-01-23
I am running ADFS, I have an ADFS Proxy and i have Office 365.  

Simply put my certificates have expired.  I am not ADFS expert but it is left to me to resolve so i need some assistance.  the cert was automatically renewed at godaddy.  i downloaded the cert to the primary ADFS Server and i have updated in ADFS Manager the Service Communication Certificate i restarted the server,  i can see that a separate certificate has been added under token signing that relates to the new certificate i have installed however it i set to Secondary and the option to set to primary is greyed out.

Also the Token Decrypt cert is also set to an old certificate,  i have automatic certificate renewal is set to true and i believe that this decrypting cert will also renew with time i am not sure.  i do not have the ability to auto add a cert due to this feature being enabled that said i am running server 2012.  is this the case?  Will the decrypt certificate automatically add.  also i need to set the secondary Token Signing certificate to Primary, as i stated it is greyed out.  i read something about a grace period where by it will automatically set itself to primary in about 5 days but this is no good for me if we have no service.  is there a way around it bearing in mind the old certificate is now expired.
0
Comment
Question by:ProjNet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40529724
Take a look at the step-by-step guide here on how to update your ADFS certificates. If auto cert renewal is enabled it will do it for you.

Step-by-Step ADFS Certificates

Will.
0
 
LVL 40

Accepted Solution

by:
Vasil Michev (MVP) earned 500 total points
ID: 40530014
From what you are describing, seems like the communication cert has expired. The communication cert does not necessarily relate to the token signing/decrypting ones, and as such you shouldn't need to take any further action.

Double-check if the token certs are indeed self signed (as it should be with auto-renewal) and when they will expire. While the auto-renew feature will indeed issue a new cert, updating the metadata for the O365 and any other trusts still need to be performed. You can take advantage of the little script Microsoft provides to automate this process for O365: https://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

Again, this will only help for the O365 trust, if you have any other trusts they will need to be updated once the new certificate/metadata has been published.
0
 

Author Closing Comment

by:ProjNet
ID: 40566650
Thanks, we went through it all
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question