Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
Course Of The Month
6 days, 14 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Is a Secondary Token needed
Posted on 2015-02-23
I use a AD FS 2.0 server. It shows it is using two certificates. One is the Primary and a Secondary. The Primary is good for expiration date. The Secondary is out of time and needs renewed. My question is, Do I need the Secondary certificate or can it be allowed to expire? Next question, How can I renew this without messing with the Primary. If I look into the renewal I do not see the option to renew the Secondary with the third party.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2 Comments
Active today
There is, strictly speaking, no primary or secondary certificate per se as each certificate is unique and specifically has it expiry date, purpose and uses (as in its usage scenario). MS stated the pre-requisites and there are 4 main type of cert used in AD FS context
- The same SSL certificate across all nodes of your AD FS farm as well as all Web Application proxies in your AD FS farm.
- By default, the SSL certificate is used as the service communications certificate.
- AD FS does not require externally enrolled certificates for token signing.
- By default, AD FS generates and uses its own, internally generated and self-signed certificates for token decryption. AD FS does not require externally enrolled certificates for this purpose.
https://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1
You are probably referring to primary and secondary AD FS servers in load balanced mode and the challenge is to sync both server to use the latest non-expired one. To note, typically the renewal is automatic as the MS has stated in link. The primary federation server cert is likely renewed leaving the secondary still with old cert as the changes can only take place at the primary host. Some has attempted to export from primary to import into secondary, but you cannot do that if you are using the AD FS-self-generated certs. In fact it should have been replicated
Such anomaly event should not occur and as shared in the MS forum (which is very similar to your case though), and there may be errors in the event viewer causing the not sync state...eventually the resolution is by re-installing AD FS secondary on the host....https://social.msdn.microsoft.com/Forums/vstudio/en-US/2981abc6-4ea8-4bd8-adb6-8aaac014952d/secondary-adfs-server-does-not-switch-primarysecondary-certificates?forum=Geneva
Overall, this summarise the actions to obtain and configure Token Signing and Token Decryption Certificates for AD FS to ensure that your AD FS token signing and token decryption certificates are up to date. It is good to run through this. https://technet.microsoft.com/en-us/library/dn781426.aspx
When externally enrolled certificates are used for token signing, AD FS does not perform automatic certificate renewal or rollover. This process must be performed by an administrator. So if you are not using the default automatically generated, self-signed certificates for token signing, you must renew your token signing certificate manually. https://msdn.microsoft.com/en-us/library/azure/jj933264.aspx#BKMK_NotADFSCert
- The same SSL certificate across all nodes of your AD FS farm as well as all Web Application proxies in your AD FS farm.
- By default, the SSL certificate is used as the service communications certificate.
- AD FS does not require externally enrolled certificates for token signing.
- By default, AD FS generates and uses its own, internally generated and self-signed certificates for token decryption. AD FS does not require externally enrolled certificates for this purpose.
https://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1
You are probably referring to primary and secondary AD FS servers in load balanced mode and the challenge is to sync both server to use the latest non-expired one. To note, typically the renewal is automatic as the MS has stated in link. The primary federation server cert is likely renewed leaving the secondary still with old cert as the changes can only take place at the primary host. Some has attempted to export from primary to import into secondary, but you cannot do that if you are using the AD FS-self-generated certs. In fact it should have been replicated
Such anomaly event should not occur and as shared in the MS forum (which is very similar to your case though), and there may be errors in the event viewer causing the not sync state...eventually the resolution is by re-installing AD FS secondary on the host....https://social.msdn.microsoft.com/Forums/vstudio/en-US/2981abc6-4ea8-4bd8-adb6-8aaac014952d/secondary-adfs-server-does-not-switch-primarysecondary-certificates?forum=Geneva
Overall, this summarise the actions to obtain and configure Token Signing and Token Decryption Certificates for AD FS to ensure that your AD FS token signing and token decryption certificates are up to date. It is good to run through this. https://technet.microsoft.com/en-us/library/dn781426.aspx
When externally enrolled certificates are used for token signing, AD FS does not perform automatic certificate renewal or rollover. This process must be performed by an administrator. So if you are not using the default automatically generated, self-signed certificates for token signing, you must renew your token signing certificate manually. https://msdn.microsoft.com/en-us/library/azure/jj933264.aspx#BKMK_NotADFSCert
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP, Windows Server…
- Ransomware
- Experts Exchange
- Windows XP
- Windows OS
- Windows Server 2008
- Windows Server 2003, Security
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten.
The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012.
Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses
Course of the Month6 days, 14 hours left to enroll
726 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.