• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 243
  • Last Modified:

token signing and decrypting cert will expire on ADFS servers Exchange 2010 hybrid organization

Hello Experts,

As per file attached, I have a client that has the following infrastructure:

2 MBX Exchange servers in a DAG[Exchange 2010 SP3]

2 CAS/HUB servers

2 ADFS servers with WNLB[Windows 2008 R2 multicast converged nodes]

1 ADFS proxy server  [Windows 2008 R2]

Exchange 2010 hybrid with office 365. One send connector to office 365 and one send connector to route outbound email issues through spam symantec gateway


Both token signing and decrypting certs will expire soon. please respond following questions:

Will my systems be affected once the certs are expired on the ADFS servers? i.e, email systems, ADFS, and so on? Please describe service impact

If so,

Please, describe how and why my systems will be affected.

How can we renew this certs, step by step, using powershell or GUI

Do we have to renew certs individually on each ADFS servers?

Do we have to export/import the new certs onto any other servers?

Please advise
Jerry Seinfield
Jerry Seinfield
2 Solutions
Vasil Michev (MVP)Commented:
You need to renew the cert, otherwise AD FS will stop working, and any services dependent on AD FS for auth as well.

Follow the steps in these articles to replace the token certs:
3.0: http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx
2.0/2.1: http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-2-0-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx
IvanSystem EngineerCommented:

if those certificates are self signed, which is default, then they will auto-renew them self, 20 days before expiration.
Usually only service communications certificate is some public cert.

You should check if auto-renewal is on, but that is by default as well.

Add-PSSnapin Microsoft.Adfs.Powershell


something like this Is a command to check it.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now