ADFS AutoCertificateRollover

BITE (show)
BITE (show) (Photo credit: Wikipedia)
Leaving your ADFS 2.0 installation in AutoCertificateRollover mode will most certainly bite you in the ass at some point.

This is the default mode when you install ADFS, and when your certificate expires, you'll get something that looks like this:Error message
The key to your answer is in the first line:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry.

All you need to do is insert the new thumbprint from your ADFS Token-signing certificate.

Make sure it's all in uppercase, and you've not added any invalid character codes, or spaces in the thumbprint or you will continue to get this error message.

You are better served by generating another certificate for a longer period than the default 1 year. You can easily do this by opening Windows PowerShell and issuing the following:

First, add your snapin:
Add-PsSnapin Microsoft.Adfs.Powershell

Show a list of your ADFS properties.
Get-ADFSProperties

Set your certificate duration for 3 years.
Set-AdfsProperties -CertificateDuration 1095

Immediately update your Issuing certificate, and break any existing RP's that don't consume your Federation Metadata automagically.
Update-AdfsCertificate -Urgent

Update
5/16/2013
This year our cert automatically rolled over, requiring me to not only to update our RP's with the latest certificate, but a custom web app I wrote needed the STS info updated to include BOTH Token Signing Certificate thumbprints.
Enhanced by Zemanta

Comments

Anonymous said…
Yeah... it bit me in the $Arsse.. :-)
Thanks for this post, you're a life saver.
-Yvan
Thu Oct 04, 05:32:00 PM CDT
Anonymous said…
thanks for the post. Learning and dealing with these certificates.

I have the Rollover property enabled.


when you setup the certificate duration to 3 years , are you simply changing the duration of the existing certificate about to expire?

I am using single sign on and RPs office365 and CRM Dynamics. Will the update command take care of updating the certificate for the RPs or do I still need to somehow manually update the RP?


Will there be any downtime when running these commands?

thanks in advance!
Thu Nov 28, 11:59:00 AM CST
John Croson said…
Anon #2: Yes, you will need to update your RP's, since when your certs expire your RP's will stop accepting SAML requests until you get new certs generated and published on the RP side.
Mon Dec 02, 01:05:00 PM CST
Anonymous said…
HI John,

I have around 50 RP's in my ADFS is there is any way/script to update the certificate on all Rp's just after updating it on my ADFS.
Tue Oct 24, 06:20:00 AM CDT
Post a Comment

Popular posts from this blog

freeFTPD

Image
Image by Micah68 via Flickr I've been using FileZilla FTP server for some time now and have been happy for the performance. Recently, we needed the ability to expose the FTP service to another client, and the documents that we'd be receiving would be arriving in an un-encrypted form, unlike our other clients. I decided I could simply enable FTPS , the SSL enabled FTP protocol and open a port to 990 on my ASA 5525 Security Appliance and NAT traffic to our server. Unfortunately I quickly found out that a passive FTPS server behind my firewall won't work without some specific configuration changes as discussed in this article . With all that fussing around, I decided to check out freeFTPd, a single deamon that offers both FTP and SFTP, not to be confused with FTPS, but the secure file transfer protocol that is common to the SSH ( secure shell ) protocol. It's fairly straight forward, but is a bit quirky and the documentation is non-existent. Follow some of my ti...
Read more

Traveling via Amtrak

Image
My wife, son and I recently took a trip to St Louis , to visit her Mom and Dad. We always have a good time, but don't look forward to the drive, as it takes 7 hours or so one way from 'lil old SE Wisconsin . Image via Wikipedia Thankfully, she looked into an older style of travel for our most recent trip to visit G'ma and G'pa; Amtrak . The cost is not much more than it is to drive. Fuel costs driving our mini-van is usually about $120, not to mention the fuel my son expends attempting to break out of his car seat ... The cost for our train ride was $188 with tax. Our son rode for 1/2 price since he is only 3. The trip took nearly the same amount of time, and we could ALL nap on the way down. We were able to bring a small cooler with lunch, play for a couple of hours in the dining car ( coloring books , puzzles, etc.) The only complaint I will lodge is customer service is a bit lacking. Our initial inquiries indicated we had the ability to check a bag, but foun...
Read more

DotNetNuke SEO

Image
I've been reading quite a bit lately on improving SEO for our DotNetNuke website , IHBSOnline.com and quickly realized it just isn't enough to throw up a website, add a listing in a couple of search engines and wait for the masses. First off, the DnnFriendlyUrlProvider, while writing friendlier URL's than older versions of DNN, could be better. This is why you need the iFinity FriendlyURL provider. It is free, but keep in mind it is really designed for a single domain site, and presents other issues with some other 3rd party modules. If you fall into that category, I'd suggest you purchase the full version, as it adds additional functionality you'll need and want. Image by AFP/Getty Images via Daylife I've learned that Google and possibly other search engines actually penalize you if you create duplicate content. The duplicate content issue could easily arise if you have a host that responds to both http://mydomain.com and http://www.mydomain.com. Yo...
Read more