Azure series configuration management AD FS (PART3)

Azure series configuration management AD FS (PART1)

Azure series configuration management AD FS (PART2)

If you decide to let the existing certificate run until it reaches the critical threshold, rather than invoking certificate generation now, you only need to re-enable AutoCertificateRollover.

If you decide to create a new self-signed certificate immediately, you need to re-enable AutoCertificateRollover and then issue the PowerShell command that generates the certificate right away.

PowerShell commands to re-enable AutoCertificateRollover:

Add-PSSnapin Microsoft.Adfs.Powershell

Set-ADFSProperties -AutoCertificateRollover $true

PowerShell commands to generate a new self-signed certificate immediately:

Add-PSSnapin Microsoft.Adfs.Powershell

Update-AdfsCertificate
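Before choosing between the two options above, an operator usually wants to see the current rollover state and how much lifetime the token-signing and token-decrypting certificates have left. The following script is an added example, not code from the original post; it assumes the ADFS module on the primary AD FS server (Windows Server 2012 R2 or later; on AD FS 2.0 the snap-in from the commands above is loaded instead), and the function name Get-AdfsCertificateStatus is mine.

```powershell
# Added example: report AD FS rollover settings and certificate lifetime.
# Assumes the ADFS module on the primary AD FS server. On AD FS 2.0 replace
# Import-Module with: Add-PSSnapin Microsoft.Adfs.Powershell
Import-Module ADFS -ErrorAction Stop

function Get-AdfsCertificateStatus {
    $props = Get-AdfsProperties
    $now   = Get-Date

    # Rollover settings; the thresholds are days before expiry at which AD FS
    # generates, promotes, and finally force-rolls a new certificate.
    [pscustomobject]@{
        AutoCertificateRollover = $props.AutoCertificateRollover
        CertificateDurationDays = $props.CertificateDuration
        GenerationThresholdDays = $props.CertificateGenerationThreshold
        PromotionThresholdDays  = $props.CertificatePromotionThreshold
        CriticalThresholdDays   = $props.CertificateCriticalThreshold
    } | Format-List

    # One row per token-signing / token-decrypting certificate (primary and
    # secondary), with the remaining lifetime in days.
    Get-AdfsCertificate -CertificateType Token-Signing, Token-Decrypting |
        ForEach-Object {
            $daysLeft = [int]($_.Certificate.NotAfter - $now).TotalDays
            [pscustomobject]@{
                Type         = $_.CertificateType
                IsPrimary    = $_.IsPrimary
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.Certificate.NotAfter
                DaysLeft     = $daysLeft
                # With rollover enabled AD FS would act on its own at this point;
                # with rollover disabled this is where manual renewal is due.
                PastCritical = ($daysLeft -le $props.CertificateCriticalThreshold)
            }
        } | Format-Table -AutoSize
}

Get-AdfsCertificateStatus
```

Run it before and after any of the commands above: a DaysLeft value below the critical threshold while AutoCertificateRollover is $false is the situation the two options address.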

Note: updating the token-decrypting or token-signing certificate causes an AD FS service interruption, because every relying party must update its configuration to pick up the new certificate. Do this work at a time when the fewest users are affected by the disruption.

Before renewing the token-signing and token-decrypting certificates, I recommend that you extend the lifetime of the AD FS self-signed certificates.

  • Log on to the primary AD FS server and open an elevated PowerShell prompt. Run the following command to configure the AD FS server to generate self-signed token-signing and token-decrypting certificates that last 10 years and to enable automatic certificate rollover:

Set-ADFSProperties -CertificateDuration 3650 -AutoCertificateRollover $true

  • These cmdlets generate new self-signed token-signing and token-decrypting certificates, promote them to primary immediately (-Urgent), and then disable automatic certificate rollover again. Relying partners will need to update their metadata to accept the new signing certificate:

Update-AdfsCertificate -CertificateType Token-Signing -Urgent

Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent

Set-ADFSProperties -AutoCertificateRollover $false

  • Use the Windows Azure PowerShell module to update the Office 365 federation metadata:

Connect-MsolService

Update-MsolFederatedDomain -DomainName domain.com -SupportMultipleDomain


  • If you use other relying-party metadata, you need to update it as well. For example, for Yammer on-premises (not Office 365) Microsoft must update the metadata manually, so you have to open a support ticket in the Office 365 portal. You will need to provide the token-signing and token-decrypting certificates (without the private key).
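The renewal steps above, collected into one script that also exports the new public certificates for relying parties that must be updated by hand, as in the Yammer case. This is an added example, not code from the original post: it assumes the ADFS, PKI and MSOnline modules on the primary AD FS server, and the domain name, output folder and function names are placeholders of mine.

```powershell
# Added example: the renewal procedure as one script, with verification and
# export of the public certificates (no private key) for relying parties.
# Assumes the ADFS, PKI and MSOnline modules on the primary AD FS server.
Import-Module ADFS -ErrorAction Stop

$FederatedDomain = 'domain.com'         # placeholder: your federated domain
$ExportFolder    = 'C:\AdfsCertExport'  # placeholder: where the .cer files go

function Invoke-AdfsCertificateRenewal {
    # Step 1: ten-year self-signed certificates, with rollover enabled so that
    # Update-AdfsCertificate is allowed to generate them.
    Set-AdfsProperties -CertificateDuration 3650 -AutoCertificateRollover $true

    # Step 2: generate and promote immediately. Without -Urgent the new
    # certificate stays secondary until the promotion threshold is reached.
    Update-AdfsCertificate -CertificateType Token-Signing   -Urgent
    Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent

    # Step 3: return to manual certificate management.
    Set-AdfsProperties -AutoCertificateRollover $false

    # Step 4: verify the new primaries and export their public part only.
    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
    Get-AdfsCertificate -CertificateType Token-Signing, Token-Decrypting |
        Where-Object { $_.IsPrimary } |
        ForEach-Object {
            $path = Join-Path $ExportFolder "$($_.CertificateType)-$($_.Thumbprint).cer"
            # Export-Certificate writes the DER-encoded certificate; the private
            # key never leaves the AD FS server.
            Export-Certificate -Cert $_.Certificate -FilePath $path -Type CERT | Out-Null
            [pscustomobject]@{
                Type       = $_.CertificateType
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.Certificate.NotAfter
                ExportedTo = $path
            }
        }
}

function Update-Office365FederationMetadata {
    # Step 5: push the new signing certificate to Office 365.
    Import-Module MSOnline -ErrorAction Stop
    Connect-MsolService
    Update-MsolFederatedDomain -DomainName $FederatedDomain -SupportMultipleDomain
}

Invoke-AdfsCertificateRenewal | Format-Table -AutoSize
Update-Office365FederationMetadata
```

The table printed by Invoke-AdfsCertificateRenewal gives you the thumbprints to compare against what each relying party reports after it has consumed the new metadata; the exported .cer files are what you attach to a support ticket for partners that cannot read the federation metadata themselves.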

About the WAP server

If your organization deploys AD FS with Web Application Proxy (WAP) servers, you do not need to do anything else regarding the token-decrypting and token-signing certificates. WAP servers communicate with the service using only the SSL certificate.


Origin blog.51cto.com/djclouds/2475214