Solved

Is a Secondary Token needed

Posted on 2015-02-23
57 Views
Last Modified: 2015-03-03
I use an AD FS 2.0 server. It shows it is using two certificates: one is the Primary and one is a Secondary. The Primary is good for its expiration date. The Secondary is out of time and needs renewing. My question is: do I need the Secondary certificate, or can it be allowed to expire? Next question: how can I renew this without messing with the Primary? If I look into the renewal, I do not see the option to renew the Secondary with the third party.
0
Question by:TabDB
2 Comments
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40627491
There is, strictly speaking, no primary or secondary certificate per se, as each certificate is unique and specifically has its own expiry date, purpose and uses (as in its usage scenario). MS stated the prerequisites, and there are 4 main types of cert used in the AD FS context:
- The same SSL certificate across all nodes of your AD FS farm as well as all Web Application proxies in your AD FS farm.
- By default, the SSL certificate is used as the service communications certificate.
- AD FS does not require externally enrolled certificates for token signing.
- By default, AD FS generates and uses its own, internally generated and self-signed certificates for token decryption. AD FS does not require externally enrolled certificates for this purpose.

https://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1

You are probably referring to primary and secondary AD FS servers in load-balanced mode, and the challenge is to sync both servers to use the latest non-expired one. To note, typically the renewal is automatic, as MS has stated in the link. The primary federation server cert is likely renewed, leaving the secondary still with the old cert, as the changes can only take place at the primary host. Some have attempted to export from the primary to import into the secondary, but you cannot do that if you are using the AD FS self-generated certs. In fact, it should have been replicated.

Such an anomaly should not occur, and as shared in the MS forum (which is very similar to your case), there may be errors in the event viewer causing the not-synced state... eventually the resolution is by re-installing the AD FS secondary on the host: https://social.msdn.microsoft.com/Forums/vstudio/en-US/2981abc6-4ea8-4bd8-adb6-8aaac014952d/secondary-adfs-server-does-not-switch-primarysecondary-certificates?forum=Geneva

Overall, this summarises the actions to obtain and configure Token Signing and Token Decryption Certificates for AD FS, to ensure that your AD FS token signing and token decryption certificates are up to date. It is good to run through this. https://technet.microsoft.com/en-us/library/dn781426.aspx

When externally enrolled certificates are used for token signing, AD FS does not perform automatic certificate renewal or rollover. This process must be performed by an administrator. So if you are not using the default automatically generated, self-signed certificates for token signing, you must renew your token signing certificate manually. https://msdn.microsoft.com/en-us/library/azure/jj933264.aspx#BKMK_NotADFSCert
0
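The accepted answer turns on two things an administrator should verify before deciding whether an expiring certificate matters: which certificate AD FS currently treats as primary for each purpose, and whether automatic rollover is enabled for self-signed token-signing and token-decrypting certificates. The script below is an added example, not code from the original post or from Microsoft; it assumes it runs on the federation server as an AD FS administrator, uses the real `Get-AdfsCertificate` and `Get-AdfsProperties` cmdlets (loaded from the `Microsoft.Adfs.PowerShell` snap-in on AD FS 2.0), and the 30-day warning threshold is a constructed value.

```powershell
# Added example (not from the original post or Microsoft docs): inventory the
# AD FS certificates and the automatic-rollover settings so an operator can see
# which token-signing / token-decrypting certificate is current (IsPrimary) and
# whether AD FS will replace an expiring self-signed one on its own.
# Assumes it runs on the federation server as an AD FS administrator.
# On AD FS 2.0 the cmdlets come from the Microsoft.Adfs.PowerShell snap-in;
# on later versions the ADFS module is available without this step.
if (-not (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$now      = Get-Date
$warnDays = 30   # constructed threshold: flag certificates expiring within 30 days

# One row per certificate slot: purpose, primary/secondary, expiry, self-signed or not
$report = foreach ($c in Get-AdfsCertificate) {
    $cert = $c.Certificate
    [pscustomobject]@{
        Type       = $c.CertificateType
        Role       = $(if ($c.IsPrimary) { 'Primary' } else { 'Secondary' })
        Subject    = $cert.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
    }
}
$report | Sort-Object Type, Role | Format-Table -AutoSize

# Rollover settings decide whether an expired secondary is a problem:
# with AutoCertificateRollover on and self-signed certs, AD FS generates a new
# secondary and later promotes it; with externally enrolled certs, renewal is manual.
$props = Get-AdfsProperties
$props | Select-Object AutoCertificateRollover, CertificateDuration,
    CertificateGenerationThreshold, CertificatePromotionThreshold,
    CertificateRolloverInterval | Format-List

# Flag anything close to expiry, with the action the answer above implies
foreach ($row in ($report | Where-Object { $_.DaysLeft -lt $warnDays })) {
    $hint = if ($props.AutoCertificateRollover -and $row.SelfSigned) {
        'self-signed with auto-rollover on: AD FS should replace it; confirm a newer secondary exists'
    } else {
        'externally enrolled or auto-rollover off: renew it manually'
    }
    Write-Warning ("{0} {1} certificate {2} expires in {3} day(s): {4}" -f
        $row.Type, $row.Role, $row.Thumbprint, $row.DaysLeft, $hint)
}
```

Run it on the primary federation server first, then on each secondary; the thumbprints should match across the farm. If a secondary shows a different primary thumbprint, that is the not-synced state the answer describes and the event log on that host is the place to look next.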
Author Closing Comment

by:TabDB
ID: 40641929
Very good information. Thanks.
0
