If automatic certificate rollover is enabled, AD FS will manage updating the Token-Signing Certificate.
If you manage your certificate manually, please follow the instructions below.
- Obtain a new Token-Signing Certificate.
  - Ensure that the Enhanced Key Usage (EKU) includes "Digital Signature".
  - The Subject or Subject Alternative Name (SAN) does not have any restrictions.
  - Please remember that your Federation Servers, your Resource Partner Federation Servers and Relying Party Application servers need to be able to chain to a trusted root certificate authority when validating your Token-Signing certificate.
- Install the certificate in the local certificate store on each Federation Server.
  - Ensure that the certificate installation file contains the private key of the certificate on each server.
  - Ensure that the Federation Service Account has access to the new certificate's private key.
- Add the new certificate to AD FS.
  - Launch AD FS Management from the Administrative Tools menu.
  - Expand Service and select Certificates.
  - In the Actions pane, click Add Token-Signing Certificate...
  - You will be presented with a list of certificates that are valid for Token-Signing. If your new certificate is not presented in the list, go back and make sure that the certificate is in the local computer Personal store with its private key associated and that the certificate has the Digital Signature KU.
  - Select your new Token-Signing certificate and click OK.
- Inform all the Relying Parties about the change in Token-Signing Certificate.
  - Relying Parties that consume AD FS federation metadata must pull the new Federation Metadata to start using the new certificate.
  - Relying Parties that do NOT consume AD FS federation metadata must manually update the public key of the new Token-Signing Certificate. Share the .cer file with the Relying Parties.
- Set the new Token-Signing Certificate as Primary.
  - With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Signing: the existing and the new certificate.
  - Select your new Token-Signing certificate, right-click, and select Set as primary.
  - Leave the old certificate as secondary for rollover purposes. Plan to remove the old certificate once you are confident it is no longer needed for rollover, or when the certificate has expired. Please remember that current users' SSO sessions carry tokens signed with the old certificate, and current AD FS Proxy Trust relationships use tokens that are signed and encrypted with the old certificate.
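The same procedure can be driven from the ADFS PowerShell module instead of the AD FS Management console. The script below is an added example, not part of the original instructions: it runs the pre-flight checks the steps above call for (private key present, Digital Signature key usage, chain to a trusted root), adds the certificate as a secondary Token-Signing certificate, exports the public key (.cer) for relying parties that do not consume federation metadata, and only promotes it to primary when `$PromoteToPrimary` is set, so the promotion can be run in a later session after relying parties have updated. The thumbprint, the export path and the `$PromoteToPrimary` flag are assumptions for the example; the cmdlets (`Get-AdfsProperties`, `Get-AdfsCertificate`, `Add-AdfsCertificate`, `Set-AdfsCertificate`, `Remove-AdfsCertificate`) are the standard ADFS module cmdlets.

```powershell
# Added example: manual Token-Signing certificate rollover with the ADFS module.
# Run in an elevated session on the primary AD FS server (required for WID farms).
Import-Module ADFS

$NewThumbprint     = 'REPLACE_WITH_NEW_CERT_THUMBPRINT'   # placeholder, not a real value
$PromoteToPrimary  = $false                               # set $true once relying parties are updated
$ExportPath        = "$env:TEMP\adfs-token-signing-new.cer"

# 1. Only proceed if automatic rollover is off; otherwise AD FS rolls the certificate itself.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    throw 'AutoCertificateRollover is enabled; AD FS manages the Token-Signing certificate.'
}

# 2. Pre-flight checks on the certificate installed in the local computer Personal store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$NewThumbprint"

if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key associated in LocalMachine\My.'
}

# Key Usage must include Digital Signature (if the extension is present at all).
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
if ($ku -and -not ($ku.KeyUsages -band $digSig)) {
    throw 'Certificate Key Usage does not include Digital Signature.'
}

# Verify() builds and validates the chain to a trusted root CA on this server.
if (-not $cert.Verify()) {
    throw 'Certificate does not chain to a trusted root CA on this server.'
}

# 3. Add the certificate to AD FS as an additional (secondary) Token-Signing certificate.
$existing = Get-AdfsCertificate -CertificateType Token-Signing
if (-not ($existing | Where-Object Thumbprint -eq $NewThumbprint)) {
    Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint
}

# 4. Export the public key for relying parties that do not consume federation metadata.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null
Write-Host "Public key exported to $ExportPath; share it with relying parties."

# 5. Promote to primary only after relying parties have the new public key.
if ($PromoteToPrimary) {
    Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint
}

# 6. Confirm: the new certificate should be listed, with IsPrimary = True once promoted,
#    and the old certificate still present as secondary for rollover.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }

# Later, once no token signed by the old certificate is still in use, retire it:
# Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint '<OLD_THUMBPRINT>'
```

Run it once with `$PromoteToPrimary = $false` to add the certificate and produce the .cer file, then again with `$PromoteToPrimary = $true` after the relying parties have pulled the new metadata or imported the .cer. The old certificate is deliberately left in place; the commented `Remove-AdfsCertificate` line is the final step once existing SSO sessions and proxy trust tokens signed with it have expired.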