o365Adm


one of your on-premises federation service certification is expiring update now

We are getting the pop-up when logging in to the O365 portal. The AutoCertificateRollover property is set to TRUE on the ADFS server.
Please let me know if we need to update the certificate manually or whether it will be taken care of by itself.

Attached are a few logs from the server.
msolfedprop.txt
adfsprops.txt
Vasil Michev (MVP)

The popup usually shows up several weeks in advance (60 days if I remember correctly), so you have plenty of time to plan. In your case, auto-certificate rollover will take care of replacing the cert. In case you are not using the same cert as the SSL communications cert, your only job is to make sure the metadata is updated after the change happens. You can automate this part by setting up a scheduled task as detailed here: https://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

If you are using the same cert as token signing and SSL comm, you need to plan for replacing it on the AD FS server, Proxy/WAP servers, any LBs, etc. Here are the relevant articles:

for AD FS 2.0/2.1 http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx
for AD FS 3.0 http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx
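
One way to check the two things the answer above describes (that rollover is enabled, and that Office 365 has the token-signing certificates AD FS holds), as an added example that is not part of the original thread or the linked script. It assumes the ADFS and MSOnline PowerShell modules on the primary AD FS server; the domain name is a placeholder.

```powershell
# Added example: run in an elevated session on the primary AD FS server.
# Assumptions: ADFS and MSOnline modules are installed; 'contoso.example'
# is a placeholder for your federated domain.
param(
    [string]$DomainName = 'contoso.example',
    [switch]$Fix    # only push new metadata to Office 365 when asked to
)

Import-Module ADFS, MSOnline
Connect-MsolService    # prompts for a tenant administrator credential

# 1. Rollover settings on the AD FS farm
$props = Get-AdfsProperties
"AutoCertificateRollover : $($props.AutoCertificateRollover)"
"Generation threshold    : $($props.CertificateGenerationThreshold) days before expiry"
"Promotion threshold     : $($props.CertificatePromotionThreshold) days after generation"

# 2. Token-signing certificates AD FS knows about
#    (the primary, plus a secondary once rollover has generated one)
$adfsCerts = Get-AdfsCertificate -CertificateType Token-Signing
$adfsCerts |
    Select-Object IsPrimary, Thumbprint,
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
        @{ n = 'DaysLeft'; e = { [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize

# 3. Certificates Office 365 currently trusts for the domain
$o365 = Get-MsolFederationProperty -DomainName $DomainName |
    Where-Object Source -eq 'Microsoft Office 365'
$trusted = @($o365.TokenSigningCertificate, $o365.NextTokenSigningCertificate) |
    Where-Object { $_ } |
    ForEach-Object { $_.Thumbprint }

# 4. Anything AD FS has that Office 365 does not means the metadata is stale
$missing = @($adfsCerts | Where-Object { $trusted -notcontains $_.Thumbprint })
if ($missing.Count -gt 0) {
    Write-Warning "Office 365 is missing: $($missing.Thumbprint -join ', ')"
    if ($Fix) {
        Update-MsolFederatedDomain -DomainName $DomainName
    }
} else {
    'Office 365 metadata matches the AD FS token-signing certificates.'
}
```

Run it without `-Fix` first to see the state; a warning after rollover has generated the new certificate is the cue to update the federation metadata.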
o365Adm

ASKER

Hi Vasil,

In my case the AutoCertificateRollover is True, so will it take care of the replacement of the cert? If so, how many days before the expiry date is the certificate updated?

Also, how do I know if my server is ADFS 2.x or 3.0?

Thank you.
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)

ASKER

Excellent Vasil.

We have 25 days until the expiry date, so hopefully the federation service will take care of the certificates automatically after 5 days without our involvement.

Thank you so much for taking the time. Much appreciated.

ASKER

I got an apt solution from the expert. Thank you.