ADFS certificate auto renewal

kbeahm posted this 3 weeks ago


If my Microsoft ADFS server (Server 2012 R2) has the configuration below, will I be able to export the new renewed certificate before it is promoted to Primary and send it to our SSO SAML partners to load on their servers? To further clarify: if the Token-signing and Token-decrypting self-signed certificates expire 6/28/19, should I expect to see a renewed certificate in the certificate store on this ADFS server sometime around 6/20/19, and would it be appropriate to distribute this to our SSO SAML partners at that time to load into their configurations, with the expectation that production SSO would continue to function?

AutoCertificateRollover        : True
CertificateCriticalThreshold   : 2
CertificateDuration            : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold  : 5

Thank you in advance for your time and consideration. Any suggestions or advice would be greatly appreciated.


Keith D. Beahm | Messaging and Storage Architect | Stinson Leonard Street LLP
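As an added example (not part of the original post, and not a Microsoft tool beyond the AD FS cmdlets it calls), the PowerShell below reads the same AD FS properties shown in the question, derives the rollover schedule from them, and exports every secondary (not-yet-primary) token-signing and token-decrypting certificate as .cer and .pem so it can be sent to partners ahead of promotion. It assumes it runs on the AD FS server with an account that can read the AD FS configuration; the output folder C:\Temp\adfs-certs is an assumption.

```powershell
# Added example, not code from the original thread. Assumes the ADFS module is
# present (Server 2012 R2) and that C:\Temp\adfs-certs is an acceptable output path.
Import-Module ADFS

$outDir = 'C:\Temp\adfs-certs'   # assumption: change to your own drop folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$props = Get-AdfsProperties
if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False: AD FS will not generate a new certificate by itself.'
}

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $certs   = Get-AdfsCertificate -CertificateType $type
    $primary = $certs | Where-Object { $_.IsPrimary }

    # Rollover schedule, derived from the primary certificate's NotAfter and the thresholds:
    #   CertificateGenerationThreshold = days before expiry at which the new cert is created as secondary
    #   CertificatePromotionThreshold  = days after generation at which the secondary becomes primary
    #   CertificateCriticalThreshold   = days before expiry at which AD FS generates AND promotes at once
    #                                    if no rollover has happened yet
    $expires    = $primary.Certificate.NotAfter
    $generateOn = $expires.AddDays(-$props.CertificateGenerationThreshold)
    $promoteOn  = $generateOn.AddDays($props.CertificatePromotionThreshold)
    $criticalOn = $expires.AddDays(-$props.CertificateCriticalThreshold)

    "{0}: primary {1} expires {2:d}; new cert expected {3:d}, promoted {4:d}, critical fallback {5:d}" -f `
        $type, $primary.Thumbprint, $expires, $generateOn, $promoteOn, $criticalOn

    # To create the secondary ahead of schedule: Update-AdfsCertificate -CertificateType $type
    # Leave out -Urgent; that also promotes the new cert to primary immediately, which
    # breaks every partner that has not loaded it yet.

    # Every non-primary certificate is a candidate to pre-distribute to partners.
    foreach ($c in ($certs | Where-Object { -not $_.IsPrimary })) {
        # Public certificate only (no private key).
        $der  = $c.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        $base = Join-Path $outDir ("adfs-{0}-{1}" -f $type.ToLower(), $c.Thumbprint)

        # DER .cer for partners that load it on Windows ...
        [System.IO.File]::WriteAllBytes("$base.cer", $der)

        # ... and Base64 PEM for partners that want that form.
        $pem = "-----BEGIN CERTIFICATE-----`r`n" +
               [Convert]::ToBase64String($der, 'InsertLineBreaks') +
               "`r`n-----END CERTIFICATE-----`r`n"
        Set-Content -Path "$base.pem" -Value $pem -Encoding Ascii

        "  exported secondary {0} (valid {1:d} to {2:d}) to {3}.cer/.pem" -f `
            $c.Thumbprint, $c.Certificate.NotBefore, $c.Certificate.NotAfter, $base
    }
}
```

Run it once now to see the computed dates for the thresholds posted above (generation is 20 days before expiry, promotion 5 days after that), and again on the generation date to pick up the new secondary; until the secondary exists the inner loop simply exports nothing.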

ZJORZ posted this 3 weeks ago

This is not accurate....

Your RPs need to somehow receive your token signing cert only.
Your CPs need to somehow receive your token signing cert and token encryption cert only.

In both cases that either occurs automatically through publication of fresh metadata and its consumption by any CP/RP using it, OR, when not automated, you need to export your certs AND metadata. Please remember that some need the actual cert in some format (cer, pem) and some may need the metadata xml.

The export of the cert/metadata should be done and sent as soon as the new certs are available in ADFS as secondaries. If receivers support multiple token signing certs then those can update right away. If receivers do not support multiple token signing certs then those should only update on an agreed date. Receivers of the token encryption cert can update right away.

ADFS will always publish all token signing certs and will only publish the primary/active token encryption cert.

When using auto cert rollover ADFS will generate a new cert 20 days before the current one expires and 5 days later it will be promoted to primary. Before being promoted to primary your CPs/RPs should already have the new certs.

My suggestion:
• increase the lifetime of the certs from 365 days to at least 720 days or more
• using self-signed certs is fine but be very careful with the auto magic of ADFS. In this case I want to be in control of what happens when, not ADFS. It works perfectly when all are using metadata update automatically, but when at least one is not, that auto magic might give you some headache.

See my blog for additional info on this and the timings when using autocertrollover.




Kind Regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility and Security (EMS) | MCP/MCSE/MCITP/exMCT
MVP Profile: http://tiny.cc/JorgeMVPDS
Blog: http://tiny.cc/JQFKblog
Facebook: http://tiny.cc/JQFKfacebook
Twitter: http://tiny.cc/JQFKtwitter
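To check the two points made in the reply above (what the federation metadata actually publishes, and which partners will pick the new certs up by themselves versus needing a manual export), here is an added PowerShell example; it is not Jorge's code and not part of the thread. It assumes it runs on the AD FS server, that adfs.example.com is replaced by the real federation service name, and that partner trusts are read from the local AD FS configuration; C:\Temp\adfs-certs is an assumed output folder for the saved metadata.

```powershell
# Added example, not from the original reply. Assumes the ADFS module, a reachable
# federation metadata endpoint, and placeholder names noted below.
Import-Module ADFS

$fqdn        = 'adfs.example.com'   # assumption: your federation service name
$outDir      = 'C:\Temp\adfs-certs' # assumption: where the metadata XML is saved
$metadataUrl = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. What AD FS publishes: every token-signing cert, but only the primary
#    token-decrypting cert, so a partner cannot pre-fetch the new encryption cert
#    from metadata and has to receive it some other way.
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$md.Save((Join-Path $outDir 'FederationMetadata.xml'))   # the XML some partners ask for

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

foreach ($kd in $md.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor', $ns)) {
    $b64  = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (,[Convert]::FromBase64String($b64))
    "metadata publishes use={0,-10} thumbprint={1} notAfter={2:d}" -f $kd.use, $cert.Thumbprint, $cert.NotAfter
}

# 2. The local certificate set, for comparison: a secondary token-decrypting cert
#    will show up here but not in the metadata listing above.
Get-AdfsCertificate | ForEach-Object {
    "local {0,-16} primary={1,-5} thumbprint={2} notAfter={3:d}" -f `
        $_.CertificateType, $_.IsPrimary, $_.Thumbprint, $_.Certificate.NotAfter
}

# 3. Which partners will consume fresh metadata on their own and which need the
#    exported cert (and metadata) sent by hand before the promotion date.
$trusts = @(Get-AdfsRelyingPartyTrust  | ForEach-Object { [pscustomobject]@{ Kind = 'RP'; Trust = $_ } }) +
          @(Get-AdfsClaimsProviderTrust | ForEach-Object { [pscustomobject]@{ Kind = 'CP'; Trust = $_ } })

foreach ($t in $trusts) {
    $tr        = $t.Trust
    $automatic = $tr.MonitoringEnabled -and $tr.AutoUpdateEnabled -and ($tr.MetadataUrl -ne $null)
    # RPs only validate our token signature; CPs also encrypt tokens to us.
    $needs = if ($t.Kind -eq 'RP') { 'token-signing cert' } else { 'token-signing + token-decrypting certs' }

    if ($automatic) {
        "{0} '{1}': auto-updates from {2}; nothing to send" -f $t.Kind, $tr.Name, $tr.MetadataUrl
    } else {
        "{0} '{1}': MANUAL - send {2} (plus metadata XML if they want it) before promotion" -f $t.Kind, $tr.Name, $needs
    }
}
```

Note that AutoUpdateEnabled on our side only describes what AD FS does with the partner's metadata; whether the partner polls ours is their configuration, so treat the "auto-updates" line as a best-effort indicator and confirm with partners that do not support multiple signing certificates.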


kbeahm posted this 3 weeks ago

Thank you Mahesh for your reply.



Mahesh posted this 3 weeks ago

Normally yes, that's how you send relying parties token decrypting certificates in advance.
However, in my experience it never auto renewed unless I forced it to do so with PowerShell with the urgent switch, even though autocertrollover is set to true.
Best Regards
Mahesh 

