Update-ADFS-certificate


Scenario 1: same certificate

*************************

From the ADFS server, connect to Office 365 using Global Admin credentials:

VIDEO: Single Sign-On Issues Due to Expired SSL Certificate

http://community.office365.com/en-us/blogs/office_365_community_blog/archive/2011/03/09/video-single-sign-on-issues-due-to-expired-ssl-certificate.aspx

Connect-MsolService

Add-PSSnapin Microsoft.Adfs.Powershell

(No need to run "Add-PSSnapin Microsoft.Adfs.Powershell" on Windows Server 2012.)

 

Set-ADFSProperties -AutoCertificateRollover $True

Update-AdfsCertificate -Urgent

IISRESET

Update-MSOLFederatedDomain -DomainName: example.com

(If the organization receives an error regarding -SupportMultipleDomain, add it to the command:

Update-MSOLFederatedDomain -SupportMultipleDomain -DomainName: example.com)

Net Stop ADFSSRV

Net Start ADFSSRV

Get-MsolFederationProperty -DomainName example.com

From the ADFSProxy server, run the ADFSProxy Wizard using "Enterprise Admin" permissions.

IISRESET

Net Stop ADFSSRV

Net Start ADFSSRV

Restart the AD FS 2.0 service on both the ADFS and ADFSProxy servers.
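A verification script for the Get-MsolFederationProperty step, usable in either scenario; it is added here and is not part of the original runbook. It assumes the AD FS 2.0 snapin and the MSOnline module are loaded, that Connect-MsolService has already been run, and it uses example.com as a placeholder for the federated domain.

```powershell
# Added verification script (not from the original runbook). Assumes the ADFS 2.0 snapin
# and the MSOnline module are loaded and Connect-MsolService has been run.
# $Domain is a placeholder; replace it with the federated domain being updated.
$Domain = "example.com"

# 1. List every token-signing / token-decrypting certificate AD FS knows about,
#    which one is primary, and how many days remain before it expires.
Get-ADFSCertificate | Where-Object { $_.CertificateType -like "Token-*" } |
    ForEach-Object {
        $x509 = $_.Certificate
        New-Object PSObject -Property @{
            Type       = $_.CertificateType
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            NotAfter   = $x509.NotAfter
            DaysLeft   = [int]($x509.NotAfter - (Get-Date)).TotalDays
        }
    } | Format-Table Type, IsPrimary, Thumbprint, NotAfter, DaysLeft -AutoSize

# 2. Compare the primary token-signing certificate on AD FS with the one Office 365
#    currently trusts for the domain. A mismatch after Update-AdfsCertificate is the
#    state that breaks sign-in until Update-MSOLFederatedDomain has been run.
$adfsSigning = (Get-ADFSCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }).Thumbprint

$props       = Get-MsolFederationProperty -DomainName $Domain
$o365        = $props | Where-Object { $_.Source -like "*Office 365*" }
$o365Signing = $o365.TokenSigningCertificate.Thumbprint

if ($adfsSigning -eq $o365Signing) {
    Write-Host "OK: Office 365 trusts the current AD FS token-signing certificate ($adfsSigning)."
} else {
    Write-Warning ("MISMATCH: AD FS primary signing certificate is {0}, Office 365 holds {1}." -f $adfsSigning, $o365Signing)
    Write-Warning "Run Update-MSOLFederatedDomain -DomainName $Domain (add -SupportMultipleDomain if required), then re-check."
}
```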

========================================================================================

Scenario 2:

When the certificate has changed, the token certificates must be set manually:

 

Connect-MsolService

Add-PSSnapin Microsoft.Adfs.Powershell

Set-ADFSProperties -AutoCertificateRollover $True

Update-ADFSCertificate -CertificateType: Token-Signing

Update-ADFSCertificate -CertificateType: Token-decrypting

Set-ADFSProperties -AutoCertificateRollover $False

 

Select the new "Token-Encryption" (Token-decrypting) certificate, right-click it and select "Set as Primary".

Select the new "Token-Signing" certificate, right-click it and select "Set as Primary".

Remove the previous "Token-Signing" and "Token-Encryption" certificates.

Set-ADFSProperties -AutoCertificateRollover $True

IISRESET

Update-MSOLFederatedDomain -DomainName: example.com

(If the organization receives an error regarding -SupportMultipleDomain, add it to the command:

Update-MSOLFederatedDomain -SupportMultipleDomain -DomainName: example.com)

Net Stop ADFSSRV

Net Start ADFSSRV

Get-MsolFederationProperty -DomainName example.com

 

From the ADFSProxy server, run the ADFSProxy Wizard using "Enterprise Admin" permissions.

IISRESET

Net Stop ADFSSRV

Net Start ADFSSRV

Restart the AD FS 2.0 service on both the ADFS and ADFSProxy servers.
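The "Set as Primary" and removal steps of Scenario 2 as a script, added here and not part of the original runbook. It assumes the AD FS 2.0 snapin is loaded and that AutoCertificateRollover has already been set to $False as in the step above; the $DryRun switch is a constructed safeguard that only prints the intended changes until it is set to $false.

```powershell
# Added example (not from the original runbook): scripted equivalent of the manual
# "Set as Primary" and remove-old-certificate steps. Assumes the ADFS 2.0 snapin is loaded
# and AutoCertificateRollover is already $False. $DryRun is a constructed switch:
# leave it $true to only print what would change.
$DryRun = $true

foreach ($type in "Token-Signing", "Token-Decrypting") {
    $certs = @(Get-ADFSCertificate -CertificateType $type)
    if ($certs.Count -lt 2) {
        Write-Host "$type : only one certificate present, nothing to promote."
        continue
    }
    # The certificate generated by Update-ADFSCertificate is the one that expires last.
    $newest  = $certs | Sort-Object { $_.Certificate.NotAfter } -Descending | Select-Object -First 1
    $current = $certs | Where-Object { $_.IsPrimary }

    if ($newest.IsPrimary) {
        Write-Host "$type : newest certificate $($newest.Thumbprint) is already primary."
    } else {
        Write-Host "$type : promoting $($newest.Thumbprint) (expires $($newest.Certificate.NotAfter)), replacing $($current.Thumbprint)"
        if (-not $DryRun) {
            Set-ADFSCertificate -CertificateType $type -Thumbprint $newest.Thumbprint -IsPrimary
        }
    }

    # Remove the other certificates of this type only after the new primary is in place,
    # so the service is never left without a primary certificate.
    foreach ($old in ($certs | Where-Object { $_.Thumbprint -ne $newest.Thumbprint })) {
        Write-Host "$type : removing old certificate $($old.Thumbprint)"
        if (-not $DryRun) {
            Remove-ADFSCertificate -CertificateType $type -Thumbprint $old.Thumbprint
        }
    }
}
# Office 365 still holds the old token-signing certificate at this point; continue with
# Set-ADFSProperties -AutoCertificateRollover $True, IISRESET and Update-MSOLFederatedDomain.
```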

==============================================================================================

AD FS 2.0: How to Enable and Immediately Use AutoCertificateRollover

Summary

When the GUI Initial Configuration Wizard (ICW) of AD FS 2.0 has been executed, AutoCertificateRollover is automatically enabled by default and the token-signing and token-decrypting certificates are self-signed and maintained by the AD FS 2.0 service.

When the command line ICW of AD FS 2.0 has been executed, AutoCertificateRollover is either on or off depending on the syntax you provided at the command line.

You can optionally turn off AutoCertificateRollover post-ICW by running the following from PowerShell:

Add-PSSnapin Microsoft.Adfs.Powershell

Set-ADFSProperties -AutoCertificateRollover $false

If you have turned off AutoCertificateRollover in the past and you want to turn it back on, there are a few things you need to consider:

  • Simply turning AutoCertificateRollover back on via PowerShell will not immediately cause the self-signed certificates to be generated
  • The self-signed certificates will only be generated once the critical threshold (close to expiration) of your existing certificates has been met
  • There is a way to immediately cause the self-signed certificates to be generated, but this will cause service outage with your partners until they have refreshed from your federation metadata. We recommend causing the certificate generation after hours to avoid an outage. Alternatively, you could work closely with your partners to ensure that they are ready to immediately update via federation metadata (causing a short outage).

If you decide to let the existing certificates hit the critical threshold instead of invoking the certificate generation process, then you only need to re-enable AutoCertificateRollover.

If you decide that you want to immediately generate new self-signed certificates, then you need to first re-enable AutoCertificateRollover and then issue a PowerShell command to invoke immediate certificate generation.

PowerShell command to re-enable AutoCertificateRollover:

Add-PSSnapin Microsoft.Adfs.Powershell

Set-ADFSProperties -AutoCertificateRollover $true

PowerShell command to immediately generate new self-signed certificates:

Add-PSSnapin Microsoft.Adfs.Powershell

Update-AdfsCertificate -Urgent
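A script added here (not part of the TechNet article) that reads the live rollover settings and the primary token certificates and reports which of the two paths above applies. It assumes the AD FS 2.0 snapin is loaded.

```powershell
# Added example (not from the TechNet article). Assumes the ADFS 2.0 snapin is loaded.
# Reports whether simply re-enabling AutoCertificateRollover will generate certificates
# (primary certificate already inside the critical threshold) or whether
# Update-AdfsCertificate -Urgent is needed, with the partner-outage caveat from the text.
$props = Get-ADFSProperties
$now   = Get-Date

Write-Host ("AutoCertificateRollover        : {0}" -f $props.AutoCertificateRollover)
Write-Host ("CertificateCriticalThreshold   : {0} days" -f $props.CertificateCriticalThreshold)
Write-Host ("CertificateGenerationThreshold : {0} days" -f $props.CertificateGenerationThreshold)

$withinThreshold = $false
Get-ADFSCertificate | Where-Object { $_.CertificateType -like "Token-*" -and $_.IsPrimary } |
    ForEach-Object {
        $x509     = $_.Certificate
        $daysLeft = [int]($x509.NotAfter - $now).TotalDays
        # Self-signed certificates (subject equals issuer) are the ones rollover maintains.
        $selfSigned = ($x509.Subject -eq $x509.Issuer)
        Write-Host ("{0,-16} {1}  expires in {2,4} days  self-signed={3}" -f $_.CertificateType, $_.Thumbprint, $daysLeft, $selfSigned)
        if ($daysLeft -le $props.CertificateCriticalThreshold) { $withinThreshold = $true }
    }

if (-not $props.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is off. Re-enable it with: Set-ADFSProperties -AutoCertificateRollover `$true"
}
if ($withinThreshold) {
    Write-Host "A primary certificate is inside the critical threshold: once rollover is on, new self-signed certificates are generated without further action."
} else {
    Write-Host "Certificates are not near the threshold. To generate new ones now, run Update-AdfsCertificate -Urgent after re-enabling rollover."
    Write-Host "Partners keep using the old certificate until they refresh your federation metadata, so do this after hours or coordinate with them."
}
```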


 

Source: http://social.technet.microsoft.com/wiki/contents/articles/1424.ad-fs-2-0-how-to-enable-and-immediately-use-autocertificaterollover.aspx