ADFS Token-Signing and Token-Decrypt Certificates Expiration Process and Dates

- Content Developed by the EMEA Cloud Identity Support Team.

By default, the Token-Signing and Token-Decrypting certificates expire one year after AD FS was set up. As the expiration date approaches, you will see the following notification on the Office 365 Portal admin page.
This notification does not apply to the SSL certificate, also known as the Service Communications certificate.




The number of days shown in the notification is the number of days until the service stops working because of the certificate change.

How to calculate the effective day:

The new certificate is generated 20 days before the current certificate's expiration date. To confirm the threshold:
1) Open PowerShell
2) Connect-MsolService
3) Get-MsolFederationProperty -DomainName <your federated domain>
4) Check [CertificateGenerationThreshold: 20]

The new certificate is promoted to Primary 5 days after it is generated. To confirm the threshold:
1) Open PowerShell
2) Connect-MsolService
3) Get-MsolFederationProperty -DomainName <your federated domain>
4) Check [CertificatePromotionThreshold: 5]

Because the AD FS service issues tokens with only the primary certificate, and the switch to the new primary happens 15 days (20 - 5) before the current primary expires, the service effectively stops working for the relying party 15 days before the current certificate's expiration date, not on the expiration date itself.

This does not apply if the relying party (for example Office 365) has been updated with the new certificate during the 5 days between the new certificate's creation and its promotion: a relying party that already trusts the secondary certificate keeps accepting tokens across the switch.

Example:
The certificate expires on 30-01-2014.
The new certificate is created on 10-01-2014 and marked as Secondary [20 days before expiration].
On 15-01-2014 the Secondary certificate is promoted to Primary [5 days after the new certificate is generated].
If the message appears on the portal on 05-01-2014, it should state that the service will stop in 10 days if the federation metadata information is not updated.

ADFS default configuration:

The default AD FS configuration for the Token-Signing and Token-Decrypting certificates includes an auto-renewal process, [AutoCertificateRollover].

If you did not change this value from "True" to "False", no manual renewal of the token certificates is needed; renewal happens automatically based on the triggers explained below.

Default values of AD FS [see details below]:

The AD FS service checks the rollover interval every 720 minutes (12 hours).
If the current primary certificate (Token-Signing or Token-Decrypting) expires within the CertificateGenerationThreshold window (20 days), a new certificate is generated and configured as the secondary certificate. This is recorded as event ID 385 in the AD FS event log.
The new certificate remains secondary until the CertificatePromotionThreshold (5 days) is reached. So, 5 days after the certificate is created, it is promoted to primary and the previous primary becomes the secondary until the next CertificateGenerationThreshold window is observed.

Once the promotion has occurred, the token service signs/encrypts all issued tokens with the new primary certificate.

This does not cause an outage of the AD FS 2.0 service itself; it causes an application-side failure when a relying party receives a token signed with a certificate other than the one it expects. This is true for Office 365 or any other relying party.

With AutoCertificateRollover enabled, AD FS 2.0 itself continues to function as expected; what has to be kept in sync is the relying party's copy of the certificates.

Validate your ADFS configuration:

To validate your configuration, connect to your primary AD FS server and follow these PowerShell instructions:

Open Windows PowerShell and load the AD FS snap-in:
Add-PSSnapin Microsoft.ADFS.PowerShell

Then check the federation service properties (Get-ADFSProperties) against the defaults:

CertificateCriticalThreshold: 2 - Days before the certificate expires at which a new certificate is generated and promoted immediately if the normal AutoCertificateRollover has not happened.

CertificateDuration: 365 - Validity period, in days, of the auto-generated certificate.

CertificateGenerationThreshold: 20 - Days before expiration of the current primary at which a new certificate is generated.

CertificatePromotionThreshold: 5 - Days the newly generated certificate exists as secondary before being promoted to primary.

CertificateRolloverInterval: 720 - Interval, in minutes, at which AD FS checks whether a new certificate needs to be generated.

CertificateThresholdMultiplier: 1440 - Number of minutes used when calculating the other threshold values (default 1440 minutes = 24 hours x 60 minutes, which makes the threshold values equal to whole days).
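The following script is an added example and is not code from the original post. It ties the "effective day" calculation above to the validation step: it reads the live rollover thresholds with Get-ADFSProperties, takes the current primary Token-Signing and Token-Decrypting certificates from Get-ADFSCertificate, and computes when the new certificate will appear as secondary, when it will be promoted, and therefore how many days remain before relying parties that only trust the current primary start rejecting tokens. The function and property names Get-RolloverTimeline, DaysUntilTokensChange and the other output column names are my own; the AD FS cmdlets and properties are the real ones. Run it on the primary AD FS server in an elevated PowerShell session.

```powershell
# Added example (not code from the original post): compute the auto-rollover timeline
# for the current primary Token-Signing / Token-Decrypting certificates from the live
# AD FS 2.0 configuration. Run on the primary AD FS server, elevated.
Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue

$props      = Get-ADFSProperties
$dayMinutes = $props.CertificateThresholdMultiplier   # default 1440 = one day in minutes
$genDays    = $props.CertificateGenerationThreshold   # default 20
$promoDays  = $props.CertificatePromotionThreshold    # default 5

if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False: no new certificate will be generated automatically.'
}

function Get-RolloverTimeline {
    # Returns one object per certificate type with the expected generation and promotion
    # dates. AD FS only evaluates the thresholds every CertificateRolloverInterval minutes
    # (720 by default), so the real generation time can be up to that long after the
    # computed date.
    param([datetime] $Now = (Get-Date))

    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        $primary    = Get-ADFSCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
        $expires    = $primary.Certificate.NotAfter
        $generation = $expires.AddMinutes(-1 * $genDays * $dayMinutes)   # new cert appears as secondary
        $promotion  = $generation.AddMinutes($promoDays * $dayMinutes)   # secondary becomes primary

        [pscustomobject]@{
            CertificateType       = $type
            Thumbprint            = $primary.Thumbprint
            Expires               = $expires
            NewCertGenerated      = $generation
            PromotedToPrimary     = $promotion
            # A relying party that still trusts only the old primary fails from promotion day,
            # i.e. (GenerationThreshold - PromotionThreshold) days before the expiry date.
            DaysUntilTokensChange = [math]::Floor(($promotion - $Now).TotalDays)
        }
    }
}

Get-RolloverTimeline | Format-Table -AutoSize
```

With the values from the example above (expiry 30-01-2014, thresholds 20 and 5) the script reports NewCertGenerated = 10-01-2014 and PromotedToPrimary = 15-01-2014, and on 05-01-2014 DaysUntilTokensChange is 10, matching the portal message. If DaysUntilTokensChange is small and the relying party has not yet picked up the secondary certificate, that is the date to act on, not the certificate's NotAfter.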

For single sign-on with AD FS to keep working, the federation certificates must be kept up to date on the online platform. Office 365 now pulls the certificates from the AD FS server via the public federation metadata endpoint on a regular basis.

You may still need to update the federation metadata manually with PowerShell (Update-MsolFederatedDomain) in addition to the Microsoft pull mechanism, because the pull does not work in all scenarios, for example when the metadata endpoint is not reachable from the Internet or automatic certificate rollover is disabled.

To set this up to run automatically on your infrastructure, implement the following script:
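The script below is an added example and is not the script the original post refers to. It compares the token-signing certificates Office 365 currently holds for a federated domain with the ones AD FS publishes (both sides are returned by Get-MsolFederationProperty) and runs Update-MsolFederatedDomain only when they differ, so it is safe to schedule daily, which is well inside the 5-day window between generation and promotion. Assumptions not stated on the page: the MSOnline module is installed on the primary AD FS server; the credential file holds an Office 365 global administrator credential exported with Export-Clixml by the same Windows account the scheduled task runs as (Export-Clixml protects the password with DPAPI, so another account cannot decrypt it); and the Source values 'ADFS Server' and 'Microsoft Office 365' are matched with wildcards in case the wording differs. The parameter and function names are mine.

```powershell
# Added example, not the script from the original post: push the AD FS token-signing
# certificates to Office 365 for one federated domain only when Office 365's copy is stale.
# Assumptions (not stated on the page): MSOnline module installed; $CredFile was created by
# the account this runs as with:  Get-Credential | Export-Clixml -Path <CredFile>
param(
    [Parameter(Mandatory = $true)] [string] $DomainName,
    [string] $CredFile = "$env:ProgramData\FedMetadataUpdate\o365.cred",
    [switch] $SupportMultipleDomain   # pass it if the domain was federated with this option
)

Import-Module MSOnline
Connect-MsolService -Credential (Import-Clixml -Path $CredFile)

function Get-TokenSigningThumbprints {
    # Thumbprints of the current and (if present) next token-signing certificate reported
    # by one side (AD FS or Office 365) of Get-MsolFederationProperty.
    param($FederationProperty)
    @($FederationProperty.TokenSigningCertificate, $FederationProperty.NextTokenSigningCertificate) |
        Where-Object { $_ -ne $null } | ForEach-Object { $_.Thumbprint }
}

# Get-MsolFederationProperty returns one object per source: what AD FS serves in its
# federation metadata, and what Office 365 has stored for the domain.
$fed  = Get-MsolFederationProperty -DomainName $DomainName
$adfs = $fed | Where-Object { $_.Source -like 'ADFS*' }            # assumed Source text
$o365 = $fed | Where-Object { $_.Source -like 'Microsoft Office*' } # assumed Source text

$adfsThumbs = @(Get-TokenSigningThumbprints $adfs)
$o365Thumbs = @(Get-TokenSigningThumbprints $o365)

if ($adfsThumbs.Count -eq 0) {
    # Nothing to push: AD FS metadata was not readable (endpoint unreachable, snap-in missing, ...).
    throw "Could not read token-signing certificates from AD FS metadata for $DomainName."
}

# Drift = Office 365 has no certificates for the domain, or its current/next set differs from AD FS.
$drift = ($o365Thumbs.Count -eq 0) -or
         (Compare-Object -ReferenceObject $adfsThumbs -DifferenceObject $o365Thumbs)

if ($drift) {
    Write-Output "$(Get-Date -Format s) $DomainName : Office 365 certificates differ from AD FS, updating."
    Update-MsolFederatedDomain -DomainName $DomainName -SupportMultipleDomain:$SupportMultipleDomain
} else {
    Write-Output "$(Get-Date -Format s) $DomainName : certificates already in sync, nothing to do."
}
```

Save it as, for example, C:\Scripts\Update-FedMetadata.ps1 and schedule it to run daily as the account that exported the credential file (for example with schtasks /Create /SC DAILY /ST 02:00 /TN "Update federation metadata" /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Update-FedMetadata.ps1 -DomainName contoso.com" /RU <domain>\<account> /RP *). Because the credential file grants Office 365 global administrator rights to whoever can decrypt it, restrict the file's ACL to that account and keep the AD FS server itself locked down; a daily run is frequent enough, since Office 365 will not need the new certificate until promotion, 5 days after it is generated.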

Comments (7)

  1. Anonymous says:

    Thanks for sharing, all clear now.

  2. Safvan says:

    How to export the certificate from ADFS 2.0 console

  3. Jörgen Hjärtenflo LanGate says:

    Was really eager to see the automation and rollover done by the Script from this post! Works Great!
    Just now or 8 seconds in to this new day, after the script was run, the Secondary (New one) was promoted to be Primary, could see event 336 (Initiated) and 337 (Promoted), for the certificate.
    //Jörgen Hjärtenflo

  4. anonymous says:

    The second to last paragraph indicates that sometimes manual update is required “as this will not pull certificates on all scenarios”. What are the scenarios where this manual intervention is required?

    1. Azure AD attempts to monitor the federation metadata, and update the token signing certificates as indicated by this metadata. 30 days before the expiration of the token signing certificates, Azure AD checks if new certificates are available by polling the federation metadata.
      If it can successfully poll the federation metadata and retrieve the new certificates, no email notification or warning in the Office 365 portal is issued to the user.
      If it cannot retrieve the new token signing certificates, either because the federation metadata is not reachable or automatic certificate rollover is not enabled, Azure AD issues an email notification and a warning in the Office 365 portal.

  5. Caio Bauab says:

    Token certificates do not reside in any known computer certificate store, so nothing is logged in eventvwr when they are close to expiring. We opted to disable auto-renew because there are additional steps with partners that need to be synchronized. Is there a way to monitor this expiration?
