This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 15%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
1、The ADFS token-signing certificates are only used for the relying party?If yes,then why token-signing certificates are used when adding the claims provider?
2、The ADFS token-encryption certificates are only used for the claims provider?If yes,then why token-encryption certificates are used when adding relying party?
In my company, the AutoCertificateRollover is set true.But,token-signing certificates are replaced by people. When it is replaced, we shoud send it to relying parties.
Token-encryption certificates are replaced automatic. When it is repalced,we don't need send the certificates to claims providers or relying parties. Why?
The list of relying parties is very long about 200. The list of claims providers is only one,the AD.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 66%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi, this problem seems to have little to do with Configuration Manager. And I've added the corresponding tag so that someone may help on this. thanks.
Thank you for posting your query on Microsoft Q&A. PFB answer to each of your queries inline:
Because each security token is digitally signed by the account partner (Claims provider), the resource partner (Relying party) can verify that the security token was in fact issued by the account partner and that it was not modified. Digital signatures are verified by the public key portion of a partner's token-signing certificate. After the signature is verified, the resource federation organization, and it signs the security token with its own token-signing server generates its own security token for its certificate.
The token-signing certificate is used to sign the security token, which provides a way for the application to verify that the token was issued by a trusted claims provider. This helps to prevent security attacks such as token forgery or man-in-the-middle attacks.
Token-encryption certificates are used to encrypt the security tokens that are issued by the claims provider before they are sent to the relying party. This provides a way for the relying party to securely receive and decrypt the token (which holds the private key of same encryption certificate)
Yes, once generated manually, then we need to share the metadata or public key with Relying party.
You must ensure that each federation partner is updated with this new certificate in order to avoid an outage. Your federation partner is represented in your AD FS farm by either relying party trusts or claims provider trusts.
Federation partners consume your new certificates by pulling your federation metadata or by receiving the public key of your new certificate from you. Once you've allowed enough time for your federation partners to consume your new certificate, you must promote the secondary certificate to primary certificate.
Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
When we change token-signing certificates manually, do we only need to send the public key to the Relying parties,not the claims provider trusts?
In Oct, the token-signing certificates are replaced automaticly in 20-15 days, then all of the Relying parties can not sign in. Does it mean the Relying parties can not pulling my federation metadata?
When the ADFS changes token-encryption certificates automaticly, in fact we did not send it to any Federation partners. Does it mean relying party trusts and claims provider trusts can pull my federation metadata? If so,does it confict with the upper point? Or else,both relying party trusts and claims provider trusts do not use token-encryption certificates.
How can I confirm do the Federation partners can pull my federation metadata?
We can't confirm from ADFS server if the metadata is consumed or not. Federation partners consume your new certificates by pulling your federation metadata.
It's the relying party owner who needs to confirm if they are able to access metadata URL or not.
If your federation partners can't consume your federation metadata, you must manually send them the public key of your new token-signing or token-decrypting certificate.
Send your new certificate public key (.cer file or .p7b if you wish to include the entire chain) to all of your resource organization or account organization partners. Your resource organization or account organization partners are represented in your AD FS by relying party trusts and claims provider trusts. The partners must implement changes on their side to trust the new certificates.
Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.