?
Solved

token signing and decrypting cert will expire on ADFS servers Exchange 2010 hybrid organization

Posted on 2015-02-04
2
Medium Priority
?
230 Views
Last Modified: 2015-02-04
Hello Experts,

As per file attached, I have a client that has the following infrastructure:

2 MBX Exchange servers in a DAG[Exchange 2010 SP3]

2 CAS/HUB servers

2 ADFS servers with WNLB[Windows 2008 R2 multicast converged nodes]

1 ADFS proxy server  [Windows 2008 R2]

Exchange 2010 hybrid with office 365. One send connector to office 365 and one send connector to route outbound email issues through spam symantec gateway

Issue:

Both token signing and decrypting certs will expire soon. please respond following questions:

Will my systems be affected once the certs are expired on the ADFS servers? i.e, email systems, ADFS, and so on? Please describe service impact

If so,

Please, describe how and why my systems will be affected.

How can we renew this certs, step by step, using powershell or GUI

Do we have to renew certs individually on each ADFS servers?

Do we have to export/import the new certs onto any other servers?

Please advise
0
Comment
Question by:Jerry Seinfield
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 42

Accepted Solution

by:
Vasil Michev (MVP) earned 1000 total points
ID: 40588750
You need to renew the cert, otherwise AD FS will stop working, and any services dependent on AD FS for auth as well.

Follow the steps in these articles to replace the token certs:
3.0: http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx
2.0/2.1: http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-2-0-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx
0
 
LVL 17

Assisted Solution

by:Ivan
Ivan earned 1000 total points
ID: 40588881
Hi,

if those certificates are self signed, which is default, then they will auto-renew them self, 20 days before expiration.
Usually only service communications certificate is some public cert.

You should check if auto-renewal is on, but that is by default as well.

Add-PSSnapin Microsoft.Adfs.Powershell

Get-ADFSProperties  

something like this Is a command to check it.

Regards,
0

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month15 days, 15 hours left to enroll

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question