Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.
Solved
Is a Secondary Token needed
Posted on 2015-02-23
I use a AD FS 2.0 server. It shows it is using two certificates. One is the Primary and a Secondary. The Primary is good for expiration date. The Secondary is out of time and needs renewed. My question is, Do I need the Secondary certificate or can it be allowed to expire? Next question, How can I renew this without messing with the Primary. If I look into the renewal I do not see the option to renew the Secondary with the third party.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2 Comments
Active today
There is, strictly speaking, no primary or secondary certificate per se as each certificate is unique and specifically has it expiry date, purpose and uses (as in its usage scenario). MS stated the pre-requisites and there are 4 main type of cert used in AD FS context
- The same SSL certificate across all nodes of your AD FS farm as well as all Web Application proxies in your AD FS farm.
- By default, the SSL certificate is used as the service communications certificate.
- AD FS does not require externally enrolled certificates for token signing.
- By default, AD FS generates and uses its own, internally generated and self-signed certificates for token decryption. AD FS does not require externally enrolled certificates for this purpose.
https://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1
You are probably referring to primary and secondary AD FS servers in load balanced mode and the challenge is to sync both server to use the latest non-expired one. To note, typically the renewal is automatic as the MS has stated in link. The primary federation server cert is likely renewed leaving the secondary still with old cert as the changes can only take place at the primary host. Some has attempted to export from primary to import into secondary, but you cannot do that if you are using the AD FS-self-generated certs. In fact it should have been replicated
Such anomaly event should not occur and as shared in the MS forum (which is very similar to your case though), and there may be errors in the event viewer causing the not sync state...eventually the resolution is by re-installing AD FS secondary on the host....https://social.msdn.microsoft.com/Forums/vstudio/en-US/2981abc6-4ea8-4bd8-adb6-8aaac014952d/secondary-adfs-server-does-not-switch-primarysecondary-certificates?forum=Geneva
Overall, this summarise the actions to obtain and configure Token Signing and Token Decryption Certificates for AD FS to ensure that your AD FS token signing and token decryption certificates are up to date. It is good to run through this. https://technet.microsoft.com/en-us/library/dn781426.aspx
When externally enrolled certificates are used for token signing, AD FS does not perform automatic certificate renewal or rollover. This process must be performed by an administrator. So if you are not using the default automatically generated, self-signed certificates for token signing, you must renew your token signing certificate manually. https://msdn.microsoft.com/en-us/library/azure/jj933264.aspx#BKMK_NotADFSCert
- The same SSL certificate across all nodes of your AD FS farm as well as all Web Application proxies in your AD FS farm.
- By default, the SSL certificate is used as the service communications certificate.
- AD FS does not require externally enrolled certificates for token signing.
- By default, AD FS generates and uses its own, internally generated and self-signed certificates for token decryption. AD FS does not require externally enrolled certificates for this purpose.
https://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1
You are probably referring to primary and secondary AD FS servers in load balanced mode and the challenge is to sync both server to use the latest non-expired one. To note, typically the renewal is automatic as the MS has stated in link. The primary federation server cert is likely renewed leaving the secondary still with old cert as the changes can only take place at the primary host. Some has attempted to export from primary to import into secondary, but you cannot do that if you are using the AD FS-self-generated certs. In fact it should have been replicated
Such anomaly event should not occur and as shared in the MS forum (which is very similar to your case though), and there may be errors in the event viewer causing the not sync state...eventually the resolution is by re-installing AD FS secondary on the host....https://social.msdn.microsoft.com/Forums/vstudio/en-US/2981abc6-4ea8-4bd8-adb6-8aaac014952d/secondary-adfs-server-does-not-switch-primarysecondary-certificates?forum=Geneva
Overall, this summarise the actions to obtain and configure Token Signing and Token Decryption Certificates for AD FS to ensure that your AD FS token signing and token decryption certificates are up to date. It is good to run through this. https://technet.microsoft.com/en-us/library/dn781426.aspx
When externally enrolled certificates are used for token signing, AD FS does not perform automatic certificate renewal or rollover. This process must be performed by an administrator. So if you are not using the default automatically generated, self-signed certificates for token signing, you must renew your token signing certificate manually. https://msdn.microsoft.com/en-us/library/azure/jj933264.aspx#BKMK_NotADFSCert
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
An introduction to the wonderful sport of Scam Baiting. Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
- Anti-Virus Apps
- AntiSpam
- Miscellaneous
- Windows OS, Mac OS X, *YouTube
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP, Windows Server…
- Ransomware
- Experts Exchange
- Windows XP
- Windows OS
- Windows Server 2008
- Windows Server 2003, Security
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller.
Log onto the new domain controller with a user account t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten.
The USB drive must be s…
Suggested Courses
Course of the Month11 days, 1 hour left to enroll
618 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.