?
Solved

AD FS Certificate question

Posted on 2015-01-03
3
Medium Priority
?
696 Views
Last Modified: 2015-01-23
I am running ADFS, I have an ADFS Proxy and i have Office 365.  

Simply put my certificates have expired.  I am not ADFS expert but it is left to me to resolve so i need some assistance.  the cert was automatically renewed at godaddy.  i downloaded the cert to the primary ADFS Server and i have updated in ADFS Manager the Service Communication Certificate i restarted the server,  i can see that a separate certificate has been added under token signing that relates to the new certificate i have installed however it i set to Secondary and the option to set to primary is greyed out.

Also the Token Decrypt cert is also set to an old certificate,  i have automatic certificate renewal is set to true and i believe that this decrypting cert will also renew with time i am not sure.  i do not have the ability to auto add a cert due to this feature being enabled that said i am running server 2012.  is this the case?  Will the decrypt certificate automatically add.  also i need to set the secondary Token Signing certificate to Primary, as i stated it is greyed out.  i read something about a grace period where by it will automatically set itself to primary in about 5 days but this is no good for me if we have no service.  is there a way around it bearing in mind the old certificate is now expired.
0
Comment
Question by:ProjNet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40529724
Take a look at the step-by-step guide here on how to update your ADFS certificates. If auto cert renewal is enabled it will do it for you.

Step-by-Step ADFS Certificates

Will.
0
 
LVL 42

Accepted Solution

by:
Vasil Michev (MVP) earned 2000 total points
ID: 40530014
From what you are describing, seems like the communication cert has expired. The communication cert does not necessarily relate to the token signing/decrypting ones, and as such you shouldn't need to take any further action.

Double-check if the token certs are indeed self signed (as it should be with auto-renewal) and when they will expire. While the auto-renew feature will indeed issue a new cert, updating the metadata for the O365 and any other trusts still need to be performed. You can take advantage of the little script Microsoft provides to automate this process for O365: https://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

Again, this will only help for the O365 trust, if you have any other trusts they will need to be updated once the new certificate/metadata has been published.
0
 

Author Closing Comment

by:ProjNet
ID: 40566650
Thanks, we went through it all
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
how to add IIS SMTP to handle application/Scanner relays into office 365.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question