ADFS AutoCertificateRollover

Leaving your ADFS 2.0 installation in AutoCertificateRollover mode will most certainly bite you in the ass at some point.

This is the default mode when you install ADFS, and when your certificate expires, you'll get something that looks like this:
[Error message screenshot]
The key to your answer is in the first line:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry.

All you need to do is insert the new thumbprint from your ADFS Token-signing certificate into the IssuerNameRegistry configuration of the relying party that raised the error.

Make sure it's all in uppercase, and that you haven't added any invalid character codes or spaces to the thumbprint, or you will continue to get this error message.
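The thumbprint check above is easy to get wrong by hand, because a thumbprint copied out of the certificate MMC usually carries spaces and an invisible leading character. The following PowerShell is an added example, not code from the original post: it strips everything that is not a hex digit, uppercases the result, verifies the length, and emits the trustedIssuers entry a WIF relying party expects. The issuer name and the sample thumbprint are constructed placeholders.

```powershell
# Added example (not from the original post): normalize a token-signing
# certificate thumbprint before pasting it into a relying party's
# <issuerNameRegistry> section. WIF compares the thumbprint string literally,
# so a stray space or non-printing character reproduces ID4175.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Keep only hexadecimal digits, then uppercase. This drops spaces, colons
    # and non-printing characters such as U+200E (left-to-right mark), which
    # the certificate MMC often puts in front of a copied thumbprint.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A SHA-1 thumbprint is 20 bytes, i.e. 40 hex characters. Anything else
    # means a character was lost or a non-hex character survived.
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters after cleaning, got $($clean.Length): '$clean'"
    }
    return $clean
}

function New-TrustedIssuerEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        # Placeholder: replace with your own federation service identifier.
        [string]$IssuerName = 'http://adfs.example.com/adfs/services/trust'
    )
    $tp = ConvertTo-CleanThumbprint $Thumbprint
    # Entry for the <trustedIssuers> element of ConfigurationBasedIssuerNameRegistry.
    return "<add thumbprint=`"$tp`" name=`"$IssuerName`" />"
}

# Constructed sample input: lowercase, space-separated, with a leading U+200E,
# which is what a paste from certmgr.msc typically looks like.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"

ConvertTo-CleanThumbprint $pasted
New-TrustedIssuerEntry -Thumbprint $pasted
```

During a rollover ADFS has two token-signing certificates (primary and secondary), so run New-TrustedIssuerEntry once per thumbprint and keep both entries in the relying party until the old certificate is retired.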

You are better served by generating another certificate with a longer validity period than the default 1 year. You can easily do this by opening Windows PowerShell and issuing the following:

First, add your snapin:
Add-PsSnapin Microsoft.Adfs.Powershell

Show a list of your ADFS properties.
Get-ADFSProperties

Set your certificate duration for 3 years.
Set-AdfsProperties -CertificateDuration 1095

Immediately update your issuing certificate. Note that this will break any existing RPs that don't consume your Federation Metadata automatically, until you publish the new thumbprint to them.
Update-AdfsCertificate -Urgent
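The four commands above, wrapped into one script as an added example (not code from the original post). It lists the current token-signing certificates and their expiry before and after the rollover, so you have both thumbprints at hand for the relying parties that don't read Federation Metadata. It assumes the ADFS 2.0 snap-in and an elevated PowerShell session on an ADFS server; the Get-AdfsCertificate and Update-AdfsCertificate -CertificateType usage is the standard cmdlet surface, everything else is the example's own.

```powershell
# Added example (not from the original post): token-signing certificate
# rollover with a before/after view of the thumbprints relying parties must trust.

Add-PsSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

function Get-TokenSigningSummary {
    # One row per token-signing certificate. During a rollover there are two
    # (primary and secondary); relying parties need to trust BOTH until the
    # old one is removed.
    Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
        New-Object PSObject -Property @{
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Certificate.Thumbprint.ToUpperInvariant()
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
        }
    }
}

$props = Get-AdfsProperties
"AutoCertificateRollover : $($props.AutoCertificateRollover)"
"CertificateDuration     : $($props.CertificateDuration) days"

"Token-signing certificates before rollover:"
Get-TokenSigningSummary | Format-Table IsPrimary, Thumbprint, NotAfter, DaysLeft -AutoSize

# Lengthen the lifetime of the NEXT generated certificate to 3 years (1095 days).
# This does not change the certificate that is currently installed.
Set-AdfsProperties -CertificateDuration 1095

# Generate a new token-signing certificate. -Urgent makes it primary right away,
# so any RP that trusts only the old thumbprint fails with ID4175 until it is
# updated. Drop -Urgent to let ADFS stage the new cert as secondary first and
# promote it later, which gives you time to publish both thumbprints.
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

"Token-signing certificates after rollover:"
Get-TokenSigningSummary | Format-Table IsPrimary, Thumbprint, NotAfter, DaysLeft -AutoSize
```

Save the "after" table: the primary thumbprint is what goes into the IssuerNameRegistry of each relying party, and the secondary (old) thumbprint should stay there until the old certificate disappears from the list.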

Update
5/16/2013
This year our cert automatically rolled over, requiring me not only to update our RPs with the latest certificate, but also to update the STS info in a custom web app I wrote to include BOTH Token Signing Certificate thumbprints.


Comments

Anonymous said…
Yeah... it bit me in the $Arsse.. :-)
Thanks for this post, you're a life saver.
-Yvan
Anonymous said…
Thanks for the post. Learning and dealing with these certificates.

I have the Rollover property enabled.


When you set up the certificate duration to 3 years, are you simply changing the duration of the existing certificate about to expire?

I am using single sign-on and the RPs Office 365 and CRM Dynamics. Will the update command take care of updating the certificate for the RPs, or do I still need to somehow manually update the RPs?


Will there be any downtime when running these commands?

thanks in advance!
John Croson said…
Anon #2: Yes, you will need to update your RPs, since when your certs expire your RPs will stop accepting SAML requests until you get new certs generated and published on the RP side.
Anonymous said…
Hi John,

I have around 50 RPs in my ADFS. Is there any way/script to update the certificate on all RPs just after updating it on my ADFS?
