This article describes tasks and procedures that ensure your AD FS token signing and token decryption certificates are up to date.

Token signing certificates are standard X509 certificates used to securely sign all tokens that the federation server issues. Token decryption certificates are standard X509 certificates used to decrypt any incoming tokens. They're also published in federation metadata.

For more information, see Certificate requirements.

Determine whether AD FS renews the certificates automatically

By default, AD FS is configured to generate token signing and token decryption certificates automatically. Generation occurs both at the initial configuration and when the certificates are approaching their expiration date.

You can run the following Windows PowerShell command: Get-AdfsProperties.

The AutoCertificateRollover property describes whether AD FS is configured to renew token signing and token decrypting certificates automatically.

If AutoCertificateRollover is set to True, the AD FS certificates are renewed and configured in AD FS automatically. Once the new certificate is configured, you must ensure that each federation partner is updated with this new certificate in order to avoid an outage. Your federation partner is represented in your AD FS farm by either relying party trusts or claims provider trusts.

If AD FS isn't configured to renew token signing and token decrypting certificates automatically (for example, if AutoCertificateRollover is set to False), AD FS doesn't automatically generate or use new token signing or token decrypting certificates.

If AD FS is configured to renew token signing and token decrypting certificates automatically (AutoCertificateRollover is set to True), you can determine when they're renewed:

- CertificateGenerationThreshold describes how many days in advance of the certificate's Not After date a new certificate is generated.
- CertificatePromotionThreshold determines how many days after the new certificate is generated that it's promoted to be the primary certificate.

Determine when the current certificates expire

AD FS uses these certificates to sign tokens that it issues and to decrypt tokens that are from identity providers. You can use the following procedure to identify the primary token signing and token decrypting certificates and to determine when the current certificates expire.

You can run the following Windows PowerShell command: Get-AdfsCertificate –CertificateType token-signing (or Get-AdfsCertificate –CertificateType token-decrypting).

You can also examine the current certificates in the MMC: Service->Certificates.

AD FS uses the certificate for which the IsPrimary value is set to True.
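The procedure above, combined into one report, as an added example that is not part of the original article: it reads AutoCertificateRollover and the two thresholds from Get-AdfsProperties, finds the IsPrimary certificate of each type with Get-AdfsCertificate, and computes days until expiry plus the expected generation and promotion dates. It assumes it runs on an AD FS server with the ADFS module loaded, and that each Get-AdfsCertificate result exposes the X509 certificate as .Certificate (with .NotAfter) and a .Thumbprint property.

```powershell
# Added example, not from the original article. Assumes the ADFS module is
# loaded and Get-AdfsCertificate results carry .Certificate and .Thumbprint.
function Get-AdfsTokenCertificateStatus {
    [CmdletBinding()]
    param()

    $props = Get-AdfsProperties
    $now   = Get-Date

    foreach ($type in 'token-signing', 'token-decrypting') {
        $certs   = Get-AdfsCertificate -CertificateType $type
        # AD FS uses the certificate whose IsPrimary is True.
        $primary = $certs | Where-Object { $_.IsPrimary }

        foreach ($c in $primary) {
            $notAfter = $c.Certificate.NotAfter          # the 'Not After' date
            $daysLeft = [math]::Floor(($notAfter - $now).TotalDays)

            $result = [ordered]@{
                CertificateType         = $type
                Thumbprint              = $c.Thumbprint
                NotAfter                = $notAfter
                DaysUntilExpiry         = $daysLeft
                AutoCertificateRollover = $props.AutoCertificateRollover
                ExpectedGeneration      = $null
                ExpectedPromotion       = $null
                # A secondary already present means the new certificate exists
                # and partners can pick it up from federation metadata.
                SecondaryPresent        = [bool]($certs | Where-Object { -not $_.IsPrimary })
            }

            if ($props.AutoCertificateRollover) {
                # New certificate is generated CertificateGenerationThreshold days
                # before Not After, then promoted CertificatePromotionThreshold
                # days after it is generated.
                $gen = $notAfter.AddDays(-$props.CertificateGenerationThreshold)
                $result.ExpectedGeneration = $gen
                $result.ExpectedPromotion  = $gen.AddDays($props.CertificatePromotionThreshold)
            }
            elseif ($daysLeft -le 30) {
                # Rollover is off: nothing will be generated, so this needs a manual renewal.
                Write-Warning "$type primary certificate expires in $daysLeft days and AutoCertificateRollover is False."
            }

            [pscustomobject]$result
        }
    }
}

Get-AdfsTokenCertificateStatus | Format-List
```

When AutoCertificateRollover is True, compare ExpectedPromotion with the date each relying party or claims provider trust last refreshed metadata to confirm partners will have the new certificate before it becomes primary.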