Why does Web Application Proxy show the ADFSTokenSigningCertificatePublicKey is “Obsolete”?


We are committed to evolving and improving Web Application Proxy all the time. Shortly after release, we identified that maintaining the certificates that validate AD FS tokens in Web Application Proxy can be difficult and error-prone. Therefore we have provided an update that is rolling out to all machines running Web Application Proxy via Windows Update as part of the May 2014 update, KB 2935608 (http://support.microsoft.com/kb/2935608).

If your machine is up to date, it will no longer display the ADFSTokenSigningCertificatePublicKey parameter and will not let you update it. You will notice a message stating “WARNING: The parameter ADFSTokenSigningCertificatePublicKey is obsolete and will not be set”.

Warning received when trying to update the parameter:

Web Application Proxy configuration output shows the parameter as obsolete:

Before you spend any additional time trying to track down a problem certificate, let me assure you that this is not a sign of any issue with your WAP deployment. The message is merely stating that this parameter is obsolete, not the certificate.


How about a little background…

Web Application Proxy keeps track of the AD FS Token-signing certificate public key so that it can verify that a client authentication token was issued and signed by the trusted AD FS farm. Initially, WAP obtained this public key only once, during the post-install configuration. If you do not have the update installed, you can view the key stored in the WAP configuration, and it will match the public key in the Federation Metadata XML.


This static key storage is not a problem unless the AD FS farm is enabled for automatic certificate rollover. With that configuration, the Token-signing certificate is replaced after the defined certificate duration (default: 1 year). Once the AD FS Token-signing certificate changes, the WAP server can no longer verify that a client authentication token was issued by the trusted AD FS farm. An AD FS administrator updating the Token-signing key manually has the same effect: any change to this key causes a problem for WAP. The WAP server will not be able to validate the token signature, and client access to published applications will fail. You may see this warning in the Web Application Proxy events:


Warning Event 13012 – Web Application Proxy received a nonvalid edge token signature.


Prior to this update, the Token-signing key stored by Web Application Proxy had to be updated manually via PowerShell whenever it changed. With the update applied, Web Application Proxy monitors the Federation Metadata and automatically retrieves the updated Token-signing key when it changes.

This is why the ADFSTokenSigningCertificatePublicKey parameter is now obsolete. The Token-signing key information is automatically updated and no longer requires a manual reset.
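To make the mechanism concrete, here is an added example (not code from this post or from the Web Application Proxy product) that does the same comparison an administrator used to do by hand: it parses a Federation Metadata document, pulls out every Token-signing certificate AD FS currently publishes, and reports whether a key that a proxy has stored is still among them or has been rolled past. The metadata XML is a constructed sample with placeholder certificate blobs; in practice you would download the real document from the AD FS farm's `/FederationMetadata/2007-06/FederationMetadata.xml` endpoint. The example compares the X509Certificate values from the metadata rather than the raw public-key blob the old parameter held; that is an assumption made to keep the example self-contained.

```python
import xml.etree.ElementTree as ET

# Namespace URIs used by AD FS Federation Metadata (SAML 2.0 metadata, XML-DSig, XML Schema instance).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample metadata: one encryption certificate and two Token-signing certificates
# (the situation during an automatic rollover, when old and new keys are both published).
# The base64 blobs are placeholders, not real certificates.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://sts.example.test/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>ENC-CERT-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>SIGN-CERT-2015</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>SIGN-CERT-2014</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"""


def signing_certificates(metadata_xml: str) -> list:
    """Return the X509Certificate values of every KeyDescriptor with use="signing"
    inside the SecurityTokenService role, in document order. Encryption keys and
    keys in other roles are ignored, since only signing keys validate tokens."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for role in root.findall("md:RoleDescriptor", NS):
        # xsi:type is a prefixed QName string such as "fed:SecurityTokenServiceType".
        if not role.get("{%s}type" % NS["xsi"], "").endswith("SecurityTokenServiceType"):
            continue
        for kd in role.findall("md:KeyDescriptor[@use='signing']", NS):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append("".join(cert.text.split()))  # drop base64 line wrapping
    return certs


def check_stored_key(stored_cert: str, metadata_xml: str) -> dict:
    """Compare the key a proxy has stored against what AD FS currently publishes.

    'published'    - the stored key is still one of the farm's signing keys.
    'rolled-over'  - the farm no longer publishes it; tokens signed with the current
                     key will fail validation on a proxy still holding this one.
    'no-signing-key' - metadata carries no signing key at all (malformed or truncated).
    The 'count' field lets an operator see how many signing certificates are listed."""
    certs = signing_certificates(metadata_xml)
    stored = "".join(stored_cert.split())
    if not certs:
        status = "no-signing-key"
    elif stored in certs:
        status = "published"
    else:
        status = "rolled-over"
    return {"status": status, "count": len(certs)}


if __name__ == "__main__":
    # A proxy still holding the 2014 key is fine while AD FS publishes it ...
    print(check_stored_key("SIGN-CERT-2014", SAMPLE_METADATA))
    # ... but a proxy holding a key AD FS has already retired would start logging
    # token-signature failures until its stored key is refreshed.
    print(check_stored_key("SIGN-CERT-2013", SAMPLE_METADATA))
```

Running this against the sample reports `published` for the 2014 key and `rolled-over` for a 2013 key that is no longer in the metadata. The check is deliberately set-based rather than order-based: AD FS lists both the current and the next signing certificate during rollover, so the only question that matters to a proxy is whether its stored key is still published at all.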


Billy Price, Senior Escalation Engineer, Web Application Proxy Support team


Comments (2)

  1. Article on Azure AD Application Proxy in Network World
    thank you

  2. Hi,

    The error “Web Application Proxy received a nonvalid edge token signature” still occurs if the ADFS metadata lists more than 2 Token Signing certificates. In other words, if your ADFS farm has more than 2 Token Signing certificates configured.

    also see:
    https://jorgequestforknowledge.wordpress.com/2017/02/17/accessing-published-application-through-web-application-proxy-with-adfs-pre-authentication-fails/

    Best Regards,
    Jorge
