ADFS Token-Signing and Token-Decrypting Certificates Expiration Process and Dates

- Content Developed by the EMEA Cloud Identity Support Team.

By default, the Token-Signing and Token-Decrypting certificates expire one year after your AD FS was set up. Close to the expiration date you will see the following notification on your Portal Admin page.
This notification does not apply to the SSL certificate, also known as the Service Communications certificate.


The number of days shown is the number of days until the service stops working because of the certificate change.

How to calculate the effective day:

The new certificate is generated 20 days before the expiration date of the current certificate:
1) Open PowerShell
2) Connect-MsolService
3) Get-MsolFederationProperty
4) Check [CertificateGenerationThreshold: 20]

The new certificate is promoted to Primary 5 days after it is generated:
1) Open PowerShell
2) Connect-MsolService
3) Get-MsolFederationProperty
4) Check [CertificatePromotionThreshold: 5]

Because the AD FS service only uses the primary certificate, and the certificates are switched 15 days before the current primary certificate expires (20 days minus 5 days), the service will stop 15 days before the current certificate's expiration date.

This is not the case if the relying party has been updated during the 5 days between the creation of the new certificate and its promotion.

Example:
The certificate expires on 30-01-2014.
The new certificate will be created on 10-01-2014 and marked as Secondary [20 days before expiration].
On 15-01-2014 the Secondary certificate is promoted to Primary [5 days after the new certificate was generated].
If we see the message on the portal on 05-01-2014, it should say that the service will stop in 10 days if the federation metadata is not updated.
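The date arithmetic in the example above, written out as a small PowerShell function. This is an added example, not part of the original article: it takes the expiry date of the current primary certificate and the two AD FS thresholds, and returns the generation date, the promotion date and the number of days until the service is affected. The function name and the sample dates are constructed to match the example.

```powershell
# Added example (not from the original article): compute the rollover schedule
# of a token-signing/decrypting certificate from its expiry date and the
# AD FS threshold values. Pure date arithmetic; it does not contact AD FS.
function Get-RolloverSchedule {
    param(
        [Parameter(Mandatory)][datetime]$ExpiryDate,       # NotAfter of the current primary
        [datetime]$Today = (Get-Date).Date,                # day the portal message is read
        [int]$CertificateGenerationThreshold = 20,         # AD FS default
        [int]$CertificatePromotionThreshold  = 5           # AD FS default
    )
    # Secondary certificate is generated GenerationThreshold days before expiry ...
    $generated = $ExpiryDate.Date.AddDays(-$CertificateGenerationThreshold)
    # ... and promoted to primary PromotionThreshold days after that.
    $promoted  = $generated.AddDays($CertificatePromotionThreshold)

    [pscustomobject]@{
        CurrentPrimaryExpires   = $ExpiryDate.Date
        NewCertificateGenerated = $generated
        NewCertificatePromoted  = $promoted
        # A relying party still holding the old metadata breaks on promotion day,
        # i.e. (Generation - Promotion) threshold days before the old cert expires.
        DaysUntilServiceImpact  = ($promoted - $Today.Date).Days
    }
}

# Constructed input matching the article's example (dd-MM-yyyy).
$culture = [System.Globalization.CultureInfo]::InvariantCulture
$expiry  = [datetime]::ParseExact('30-01-2014', 'dd-MM-yyyy', $culture)
$today   = [datetime]::ParseExact('05-01-2014', 'dd-MM-yyyy', $culture)
Get-RolloverSchedule -ExpiryDate $expiry -Today $today | Format-List
```

With the sample dates the output shows generation on 10-01-2014, promotion on 15-01-2014 and 10 days until service impact, matching the example. Pass the values read from Get-MsolFederationProperty or Get-AdfsProperties if your thresholds differ from the defaults.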

ADFS default configuration:

Default configuration on AD FS regarding Token Signing and Token Decrypting certificates includes an auto-renewal process, [AutoCertificateRollover].

If you did not change this value from “True” to “False”, no renewal operation for the token certificates is needed; it happens automatically based on the triggers explained below.

Default AD FS values [see details below for the full list]:

1) The AD FS service checks the rollover interval every 720 minutes (12 hours).
2) If the expiration time of the existing primary certificate (Token-Signing or Token-Decrypting) is within the CertificateGenerationThreshold window (20 days), a new certificate is generated and configured as the secondary certificate. This is recorded as event ID 385 in the event logs.
3) It remains the secondary certificate until the CertificatePromotionThreshold (5 days) is reached. So, 5 days after the certificate is created, it is promoted to primary and the previous primary becomes the secondary until the next CertificateGenerationThreshold window is observed.

Once the Promotion event has occurred, the Token Service will sign/encrypt all issued tokens with the new primary certificate.

This does not cause a service outage of AD FS 2.0 itself, but it does cause an application issue when the application receives a token signed with a certificate other than the one it expects. This is true for O365 or any other application.

With AutoCertificateRollover enabled, AD FS 2.0 will continue to function as expected.

Validate your ADFS configuration:

To validate your configuration, connect to your primary AD FS server and follow these PowerShell instructions:

1) Open Windows PowerShell
2) Add-PSSnapin Microsoft.ADFS.PowerShell
3) Get-ADFSProperties

CertificateCriticalThreshold: 2 - Days prior to expiry of the current certificate at which a new certificate is generated and promoted immediately if AutoCertificateRollover has not performed the rollover naturally.

CertificateDuration: 365 - Validity period of the auto-generated Certificate.

CertificateGenerationThreshold: 20 - Days before expiration of current primary a new certificate will be generated.

CertificatePromotionThreshold: 5 - Days the newly generated certificate will exist before being promoted from secondary to primary.

CertificateRolloverInterval: 720 - Interval in minutes at which AD FS checks whether a new certificate needs to be generated.

CertificateThresholdMultiplier: 1440 - Number of minutes used when calculating the other threshold values (the default of 1440 minutes is 24 hours x 60 minutes, which makes the threshold values equal to full days).
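A script that performs the validation described above and ties the property values to the certificates actually installed. This is an added example, not the support team's own script: it assumes the AD FS 2.0 snap-in and the Get-AdfsProperties / Get-AdfsCertificate cmdlets, and it assumes the AD FS Admin event log is named 'AD FS 2.0/Admin' (on later versions it is 'AD FS/Admin'); adjust the log name for your version.

```powershell
# Added example (not from the original article): run on the primary AD FS server
# to check the rollover settings, list the token certificates with their expected
# generation/promotion dates, and show recent rollover events.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-AdfsProperties

# With rollover disabled, nothing below happens on its own: renewal is manual.
if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False: token certificates must be renewed manually.'
}

$gen   = $props.CertificateGenerationThreshold   # default 20 days
$promo = $props.CertificatePromotionThreshold    # default 5 days
"Rollover checked every $($props.CertificateRolloverInterval) min; " +
"new cert generated $gen days before expiry, promoted $promo days later."

# For every token certificate, derive the dates the rollover logic will act on.
'Token-Signing', 'Token-Decrypting' | ForEach-Object {
    $type = $_
    Get-AdfsCertificate -CertificateType $type | ForEach-Object {
        $expires = $_.Certificate.NotAfter
        [pscustomobject]@{
            Type                = $type
            IsPrimary           = $_.IsPrimary
            Thumbprint          = $_.Thumbprint
            Expires             = $expires
            NewCertExpectedOn   = $expires.AddDays(-$gen)            # secondary generated
            PromotionExpectedOn = $expires.AddDays(-$gen + $promo)   # becomes primary
        }
    }
} | Format-Table -AutoSize

# Event ID 385 records the generation of a new certificate (see the article).
# Log name is an assumption: 'AD FS 2.0/Admin' for AD FS 2.0, 'AD FS/Admin' later.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Id = 385 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The PromotionExpectedOn column for the current primary is the day a relying party that has not refreshed your metadata will start rejecting tokens; the event query confirms whether the rollover has already generated a secondary certificate.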

To have single sign-on with AD FS, the federation certificates must be updated on the online platform. O365 now automatically pulls the certificates from the AD FS server via the public metadata endpoint on a regular basis.

You may need to manually update the federation metadata using PowerShell in addition to the Microsoft pull mechanism, as the pull does not retrieve the certificates in all scenarios.
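A manual update of the federation metadata, as an added example rather than the article's own procedure. It uses the MSOnline cmdlets already mentioned on this page (Connect-MsolService, Get-MsolFederationProperty) together with Update-MsolFederatedDomain, compares the token-signing certificate AD FS advertises with the one Office 365 holds, and pushes the metadata only when they differ and you pass -Update. The Source values 'ADFS Server' and 'Microsoft Office 365' and the TokenSigningCertificate property name are assumed from the cmdlet's usual output; the domain name is a placeholder.

```powershell
# Added example (not from the original article): save as Check-FederationMetadata.ps1
# and run from a machine with the MSOnline module. Reports a mismatch between the
# AD FS token-signing certificate and the one Office 365 knows, and optionally fixes it.
param(
    [Parameter(Mandatory)][string]$DomainName,   # placeholder, e.g. federated.example
    [switch]$Update                              # actually push the new metadata
)

Import-Module MSOnline
Connect-MsolService          # prompts for tenant administrator credentials

# One record per source: what AD FS publishes vs. what Office 365 currently holds.
$fed   = Get-MsolFederationProperty -DomainName $DomainName
$adfs  = $fed | Where-Object { $_.Source -like 'ADFS*' }        # assumed 'ADFS Server'
$cloud = $fed | Where-Object { $_.Source -like 'Microsoft*' }   # assumed 'Microsoft Office 365'

$adfsThumb  = $adfs.TokenSigningCertificate.Thumbprint
$cloudThumb = $cloud.TokenSigningCertificate.Thumbprint

if ($adfsThumb -ne $cloudThumb) {
    Write-Warning "Token-signing mismatch for ${DomainName}: AD FS=$adfsThumb, Office 365=$cloudThumb"
    if ($Update) {
        # Rewrites the federation settings of the domain from the AD FS metadata.
        Update-MsolFederatedDomain -DomainName $DomainName
        Write-Output 'Federation metadata pushed to Office 365.'
    } else {
        Write-Output 'Re-run with -Update to push the current AD FS metadata.'
    }
} else {
    Write-Output "Office 365 already holds the current token-signing certificate ($adfsThumb)."
}

# A secondary certificate that AD FS has already generated but not yet promoted.
if ($adfs.NextTokenSigningCertificate) {
    Write-Output "Pending secondary on AD FS: $($adfs.NextTokenSigningCertificate.Thumbprint)"
}
```

Run it without -Update during the 5-day window between generation and promotion to confirm that Office 365 has picked up the new certificate, and with -Update if it has not; the same check is what the linked gallery script automates on a schedule.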

To set this up to run automatically on your infrastructure, implement the following script:
https://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc.