Solved

Is a Secondary Token needed

Posted on 2015-02-23
2
50 Views
Last Modified: 2015-03-03
I use a AD FS 2.0 server. It shows it is using two certificates. One is the Primary and a Secondary. The Primary is good for expiration date. The Secondary is out of time and needs renewed. My question is, Do I need the Secondary certificate or can it be allowed to expire? Next question, How can I renew this without messing with the Primary. If I look into the renewal I do not see the option to renew the Secondary with the third party.
0
Comment
Question by:TabDB
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40627491
There is, strictly speaking, no primary or secondary certificate per se as each certificate is unique and specifically has it expiry date, purpose and uses (as in its usage scenario). MS stated the pre-requisites and there are 4 main type of cert used in AD FS context
- The same SSL certificate across all nodes of your AD FS farm as well as all Web Application proxies in your AD FS farm.
- By default, the SSL certificate is used as the service communications certificate.
- AD FS does not require externally enrolled certificates for token signing.
- By default, AD FS generates and uses its own, internally generated and self-signed certificates for token decryption. AD FS does not require externally enrolled certificates for this purpose.

https://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1

You are probably referring to primary and secondary AD FS servers in load balanced mode and the challenge is to sync both server to use the latest non-expired one. To note, typically the renewal is automatic as the MS has stated in link. The primary federation server cert is likely renewed leaving the secondary still with old cert as the changes can only take place at the primary host. Some has attempted to export from primary to import into secondary, but you cannot do that if you are using the AD FS-self-generated certs. In fact it should have been replicated

Such anomaly event should not occur and as shared in the MS forum (which is very similar to your case though), and there may be errors in the event viewer causing the not sync state...eventually the resolution is by re-installing AD FS secondary on the host....https://social.msdn.microsoft.com/Forums/vstudio/en-US/2981abc6-4ea8-4bd8-adb6-8aaac014952d/secondary-adfs-server-does-not-switch-primarysecondary-certificates?forum=Geneva

Overall, this summarise the actions to obtain and configure Token Signing and Token Decryption Certificates for AD FS to ensure that your AD FS token signing and token decryption certificates are up to date. It is good to run through this. https://technet.microsoft.com/en-us/library/dn781426.aspx

When externally enrolled certificates are used for token signing, AD FS does not perform automatic certificate renewal or rollover. This process must be performed by an administrator. So if you are not using the default automatically generated, self-signed certificates for token signing, you must renew your token signing certificate manually. https://msdn.microsoft.com/en-us/library/azure/jj933264.aspx#BKMK_NotADFSCert
0
 

Author Closing Comment

by:TabDB
ID: 40641929
Very good information. Thanks.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article summaries thoughts and ideas from two years of sustained use. It provides good reasoning to make the jump to Windows 10.
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question