0 Votes
HippopotamusDefence-7970 asked HippopotamusDefence-7970 answered

adfs token signing cert manual update

A question regarding token signing cert manual update. Some articles mention enabling auto rollover then generate the cert and then disable auto rollover. Is that the correct procedure (currently auto rollover is set to false)?

Also, when two certs are present with the current one as primary and the renewed one as secondary, will the relying party trust be able to connect through the new cert/thumbprint, or does the new one have to be set up as primary for that?

Any pointers on how this needs to be updated in WAP? The Microsoft document talked about renewal and didn't have a reference to WAP.

Thanks!

adfs

0 Votes
HippopotamusDefence-7970 answered

@piaudonn

The process adopted was:

Set-ADFSProperties -AutoCertificateRollover $true

Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
Update-AdfsCertificate -CertificateType Token-Signing -Urgent


Set-ADFSProperties -AutoCertificateRollover $false

O365 didn't update. So, ended up doing Update-MsolFederatedDomain -DomainName <domain>.

One thing to note is, it asked that "-SupportMultipleDomain" be used with the Update-MsolFederatedDomain command. Apparently, this needs to be done by someone who has admin access to Azure AD and also to the on-prem environment.

After that O365 was in sync with ADFS.

Thank you for your tips and inputs. Appreciate it.


1 Vote
piaudonn answered HippopotamusDefence-7970 commented

It depends if you are using your own certificates or if you are using the self-signed certificates. At the end of the day, you can change the certificate when you want, it just has a massive impact on the applications (RPT) if you don't communicate effectively with them.

ADFS always signs tokens with the primary token signing certificate. The secondary is just added to the federation metadata to give a chance to the RPT to know about it. Ideally the application should be accepting tokens signed with any valid certificate. That way you don't have to time the change of certificate with the application. The reality is that most applications are not checking metadata nor capable of having two possible signing certs. So the change has to be "synchronized" with the application owner to ensure minimum service interruption.

WAPs don't care about token signing certificate. They don't do any token signing operation. They are not affected by token signing (or token encrypting) certificate changes.
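Because the secondary certificate only becomes visible to relying parties through the federation metadata, a useful check before coordinating with application owners is to read that metadata back and compare it with what the farm has configured. The following is an added example written for this thread, not code posted by either participant. It assumes the STS host name is a placeholder you replace, that the script runs on an AD FS node (for Get-AdfsCertificate), and that the signing KeyDescriptors sit under the IDPSSODescriptor element, which is where AD FS publishes them.

```powershell
# Added example (not from the thread): list the token-signing certificates an
# AD FS farm publishes in its federation metadata, then compare with the farm's
# own configuration. A certificate configured locally but absent from the
# published metadata is one no relying party can have learned about yet.
function Get-AdfsPublishedSigningCerts {
    param(
        [string]$StsHost,        # placeholder, e.g. 'sts.contoso.example'
        [string]$MetadataPath    # or a previously saved FederationMetadata.xml
    )
    if ($MetadataPath) {
        [xml]$md = Get-Content -Path $MetadataPath -Raw
    } else {
        $url = "https://$StsHost/FederationMetadata/2007-06/FederationMetadata.xml"
        [xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    }
    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }
    # use="signing" KeyDescriptors are what relying parties validate tokens against.
    $xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]' +
             '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    foreach ($n in (Select-Xml -Xml $md -Namespace $ns -XPath $xpath)) {
        $raw  = [Convert]::FromBase64String($n.Node.InnerText.Trim())
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Subject    = $cert.Subject
        }
    }
}

# Published side (what RPs and Azure AD can see).
$published = Get-AdfsPublishedSigningCerts -StsHost 'sts.contoso.example'
"Published in metadata:"
$published | Format-Table -AutoSize

# Configured side (what the farm actually holds; IsPrimary is the one that signs).
$configured = Get-AdfsCertificate -CertificateType Token-Signing
"Configured in the farm:"
$configured | Select-Object IsPrimary, Thumbprint | Format-Table -AutoSize

# Flag any configured certificate that relying parties cannot yet discover.
$missing = $configured | Where-Object { $_.Thumbprint -notin $published.Thumbprint }
if ($missing) {
    Write-Warning ("Not yet published in metadata: " + ($missing.Thumbprint -join ', '))
} else {
    "All configured token-signing certificates are published in the metadata."
}
```

Run it once after generating the secondary and once after promoting it; the thumbprints it prints are the values application owners need to whitelist, and the warning branch is the case where a relying party that does read metadata would still reject the new signature.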


@piaudonn
Thank you!!

Ours is a self-signed cert and expires in about 9 days. We have the following set: CertificateGenerationThreshold = 20, CertificatePromotionThreshold = 10 and CertificateCriticalThreshold = 2.

If I were to change auto-rollover to true, regenerate the cert, and then change auto-rollover to false:
1. will the cert change to primary right away since CertificatePromotionThreshold is now 10 and we are past that point (cert expires in 9 days)?
2. Will Azure AD update itself when the cert is generated this way?

A response will be highly appreciated!

0 Votes
1 Vote
piaudonn answered piaudonn converted comment to answer

Hum, that's a good question.

To be on the safe side I would do the following:

  1. Take an ADFS Rapid Restore backup of your farm including DKM info.

  2. Set the CertificatePromotionThreshold and CertificateCriticalThreshold to 1.

  3. Restart the ADFS service.

  4. Enable the roll over.

  5. Generate the new certificates (for both signing and decrypting).

  6. Disable the roll over.

You should have two certificates. And you can promote the new one manually when you want from the GUI.

I never tried this. Ideally I would do that in a lab before going to prod with it. Although, if you have a valid backup, you might want to do that in a low activity period (nights or weekend) and roll back if you see the cert changing.

Ultimately, you can also export the token signing certs using different tools available on GitHub (for a quick restore). At your own risks...
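The six-step plan above, written out as a script with the before/after check that tells you whether the old certificate is still primary. This is an added example, not code from the answer; it assumes the AD FS Rapid Restore Tool module is installed (Backup-ADFS and its parameter names are taken from that tool's documentation, so treat them as an assumption), and the backup path and password are placeholders. Run it elevated on one AD FS node.

```powershell
# Added example (not from the thread): scripted version of the six steps for a
# farm using self-signed certificates, keeping the old certificate primary.
Import-Module ADFS

# Record what is configured now so the outcome can be compared afterwards.
$before     = Get-AdfsCertificate -CertificateType Token-Signing
$oldPrimary = ($before | Where-Object IsPrimary).Thumbprint
"Current primary token-signing cert: $oldPrimary"

# Step 1: backup including DKM, the key that protects the self-signed certs.
# Backup-ADFS comes from the AD FS Rapid Restore Tool (assumed installed).
$pw = Read-Host 'Backup encryption password'
Backup-ADFS -StorageType FileSystem -StoragePath 'C:\AdfsBackup' `
    -EncryptionPassword $pw -BackupDKM

# Step 2: lower the thresholds so that already being inside the old 10-day
# promotion window does not trigger an immediate promotion of the new cert.
Set-AdfsProperties -CertificatePromotionThreshold 1 -CertificateCriticalThreshold 1

# Step 3: restart the service so the new thresholds take effect.
Restart-Service adfssrv

# Steps 4-6: enable rollover, generate both certificates, disable rollover.
# Update-AdfsCertificate refuses to run while AutoCertificateRollover is off.
# -Urgent is deliberately omitted: as documented for the cmdlet, -Urgent (used
# earlier in this thread) makes the new certificate primary immediately, which
# is the opposite of this plan's goal of promoting by hand later.
Set-AdfsProperties -AutoCertificateRollover $true
Update-AdfsCertificate -CertificateType Token-Signing
Update-AdfsCertificate -CertificateType Token-Decrypting
Set-AdfsProperties -AutoCertificateRollover $false

# Verify: expect two token-signing certificates with the old one still primary.
$after = Get-AdfsCertificate -CertificateType Token-Signing
$after | Select-Object IsPrimary, Thumbprint,
    @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } | Format-Table -AutoSize
if (($after | Where-Object IsPrimary).Thumbprint -ne $oldPrimary) {
    Write-Warning 'Primary certificate changed; restore from the backup if this was not intended.'
}

# Later, once relying parties have picked up the secondary, promote it manually.
# Rollover must be off for Set-AdfsCertificate to be allowed:
#   $new = ($after | Where-Object { -not $_.IsPrimary }).Thumbprint
#   Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $new -IsPrimary
```

The warning branch is the case the answer tells you to roll back on: if the promotion happened anyway, the backup taken in step 1 is what restores the previous primary.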



@piaudonn
I will be cutting over to the new cert since everyone has been communicated with. Plan is:
- set rollover to true
- update cert
- set rollover to false

A couple of questions:
1. For two ADFS servers in a farm with a SQL database, does this need to be done on each ADFS server, or would creation on one reflect on the other since it is a single database they are sharing?
2. Since one of the domains is federated in Azure AD, will it auto-update based on the fact that we set the rollover to true prior to the change? Or does Update-MsolFederatedDomain need to be run after the new cert is generated and made primary?

Thank you again!



0 Votes
piaudonn replied to HippopotamusDefence-7970

Your plan is different. I recall a case where enabling the rollover had the effect of promoting the new cert as primary right away because it was in the CertificatePromotionThreshold already. But I don't recall the specifics and it might have been due to another thing....

  1. Only from one node will be fine (although it brings the question why would you use ADFS with SQL, the use cases are really small...)

  2. In theory yes, it will get them from your federation metadata, but since you do stuff manually, it is possible that the update is missed because of timing (I think it checks once a day, but if you never had the new cert published in the metadata as a secondary, there is no opportunity for Azure AD to get the change). You can use the update cmdlet to force it when it is done.

1 Vote
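The "force it when it is done" step, with the comparison that tells you whether forcing is needed at all: read the signing certificate AD FS uses now, read the one Azure AD has on record for the federated domain, and run Update-MsolFederatedDomain only when they differ. This is an added example, not code from either participant. It uses the MSOnline cmdlets the thread relies on, assumes it runs on an AD FS node as a user who is both an Azure AD Global Administrator and an AD FS administrator (the dual-access requirement noted earlier in the thread), and treats the domain name and the Source/TokenSigningCertificate property names of Get-MsolFederationProperty output as assumptions.

```powershell
# Added example (not from the thread): detect and fix Azure AD lagging behind
# an AD FS token-signing certificate change for one federated domain.
Import-Module ADFS
Import-Module MSOnline

$domain = 'contoso.example'   # placeholder: your federated domain
Connect-MsolService

# Only federated domains carry a signing certificate on the Azure AD side.
$d = Get-MsolDomain -DomainName $domain
if ($d.Authentication -ne 'Federated') { throw "$domain is not federated" }

# What AD FS signs with right now, straight from the farm configuration.
$adfsPrimary = (Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary).Thumbprint

# What Azure AD currently trusts. Get-MsolFederationProperty returns one row
# per source (AD FS and the cloud side); the cloud row is the one that matters.
function Get-CloudSigningThumbprint([string]$DomainName) {
    $cloud = Get-MsolFederationProperty -DomainName $DomainName |
        Where-Object Source -eq 'Microsoft Office 365'   # assumed Source value
    $cloud.TokenSigningCertificate.Thumbprint
}
$cloudThumb = Get-CloudSigningThumbprint $domain

"AD FS primary : $adfsPrimary"
"Azure AD trust: $cloudThumb"

if ($adfsPrimary -ne $cloudThumb) {
    # Until this runs, tokens signed by the new primary are rejected by Azure AD.
    # -SupportMultipleDomain is required when the domain was federated with it,
    # which is what the earlier answer in this thread hit.
    Update-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain

    # Re-read and confirm the push actually landed.
    $cloudThumb = Get-CloudSigningThumbprint $domain
    if ($adfsPrimary -ne $cloudThumb) {
        throw "Azure AD still holds a different signing cert ($cloudThumb)"
    }
    "Azure AD updated to $cloudThumb."
} else {
    "Azure AD is already in sync with AD FS."
}
```

Running the comparison before the cutover (when the new cert is still secondary) shows the thumbprints matching, which is expected; the mismatch only appears once the new certificate becomes primary, and that is the moment to run the update rather than waiting for the daily metadata check the reply mentions.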