John Croson's Blog Home: 06/01/2012 - 07/01/2012

Monday, June 04, 2012

ADFS AutoCertificateRollover

BITE (show)
BITE (show) (Photo credit: Wikipedia)
Leaving your ADFS 2.0 installation in AutoCertificateRollover mode will most certainly bite you in the ass at some point.

This is the default mode when you install ADFS, and when your certificate expires, you'll get something that looks like this:Error message
The key to your answer is in the first line:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry.

All you need to do is insert the new thumbprint from your ADFS Token-signing certificate.

Make sure it's all in uppercase, and you've not added any invalid character codes, or spaces in the thumbprint or you will continue to get this error message.

You are better served by generating another certificate for a longer period than the default 1 year. You can easily do this by opening Windows PowerShell and issuing the following:

First, add your snapin:
Add-PsSnapin Microsoft.Adfs.Powershell

Show a list of your ADFS properties.

Set your certificate duration for 3 years.
Set-AdfsProperties -CertificateDuration 1095

Immediately update your Issuing certificate, and break any existing RP's that don't consume your Federation Metadata automagically.
Update-AdfsCertificate -Urgent

This year our cert automatically rolled over, requiring me to not only to update our RP's with the latest certificate, but a custom web app I wrote needed the STS info updated to include BOTH Token Signing Certificate thumbprints.

Enhanced by Zemanta