Is a Secondary Token needed

I use a AD FS 2.0 server. It shows it is using two certificates. One is the Primary and a Secondary. The Primary is good for expiration date. The Secondary is out of time and needs renewed. My question is, Do I need the Secondary certificate or can it be allowed to expire? Next question, How can I renew this without messing with the Primary. If I look into the renewal I do not see the option to renew the Secondary with the third party.
TabDBAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
Advertise Here
 
btanConnect With a Mentor Exec ConsultantCommented:
There is, strictly speaking, no primary or secondary certificate per se as each certificate is unique and specifically has it expiry date, purpose and uses (as in its usage scenario). MS stated the pre-requisites and there are 4 main type of cert used in AD FS context
- The same SSL certificate across all nodes of your AD FS farm as well as all Web Application proxies in your AD FS farm.
- By default, the SSL certificate is used as the service communications certificate.
- AD FS does not require externally enrolled certificates for token signing.
- By default, AD FS generates and uses its own, internally generated and self-signed certificates for token decryption. AD FS does not require externally enrolled certificates for this purpose.

https://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1

You are probably referring to primary and secondary AD FS servers in load balanced mode and the challenge is to sync both server to use the latest non-expired one. To note, typically the renewal is automatic as the MS has stated in link. The primary federation server cert is likely renewed leaving the secondary still with old cert as the changes can only take place at the primary host. Some has attempted to export from primary to import into secondary, but you cannot do that if you are using the AD FS-self-generated certs. In fact it should have been replicated

Such anomaly event should not occur and as shared in the MS forum (which is very similar to your case though), and there may be errors in the event viewer causing the not sync state...eventually the resolution is by re-installing AD FS secondary on the host....https://social.msdn.microsoft.com/Forums/vstudio/en-US/2981abc6-4ea8-4bd8-adb6-8aaac014952d/secondary-adfs-server-does-not-switch-primarysecondary-certificates?forum=Geneva

Overall, this summarise the actions to obtain and configure Token Signing and Token Decryption Certificates for AD FS to ensure that your AD FS token signing and token decryption certificates are up to date. It is good to run through this. https://technet.microsoft.com/en-us/library/dn781426.aspx

When externally enrolled certificates are used for token signing, AD FS does not perform automatic certificate renewal or rollover. This process must be performed by an administrator. So if you are not using the default automatically generated, self-signed certificates for token signing, you must renew your token signing certificate manually. https://msdn.microsoft.com/en-us/library/azure/jj933264.aspx#BKMK_NotADFSCert
0
 
TabDBAuthor Commented:
Very good information. Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.