Renew expired ADFS Token Certificates for ADFS 2.0 and SharePoint 2013 On-Premises

Over the last weekend, I was in the process of restoring my SharePoint 2013 farm VMs on Windows Server 2008 R2 built over the last year. My goal was to restore and start adding additional pieces in the complex SharePoint 2013 farm including office web apps and provider hosted apps environment. To my shocking surprise, both ADFS and SharePoint seem dead as I was trying to test the pulse of the baseline restored working environment.

During the testing of ADFS sign in page – https://adfs.niks.local/adfs/ls/IdpInitiatedSignon.aspx, I came across ADFS generic error message and upon further investigating on the event logs, it didn’t take me long to see both ADFS token-decrypting and token-signing certificates were expired. As you can see from following screens, ADFS certs were expired on July 2014 while restoring these VMs in December 2014.

Solution was straightforward. Renew the ADFS token-decrypting and token-signing certificates and update ADFS token-signing certificates in the SharePoint. As it happens with most of the things in SharePoint world, there is no end-to-end real world guide and I had to look up various different articles to come up with the correct process.

This whole research and restoration process took me more than few hours (including documentation) and there is no reason to waste that research and use as future reference if I ever need it again. That’s the true inspiration for this blog article.

Renew ADFS 2.0 Token-decrypting and Token-signing certificates
Usually these certs gets renewed automatically every year in production 24×7 environment if automatic certificate rollover is enabled (default ADFS setting to renew every 365 days) but since VMs were shut down, there was no way ADFS would renew those certs upon restoration process.

To renew both token certificates, you would require to load ADFS 2.0 PowerShell module on Windows Server 2008 R2 and run Update-ADFSCertificate command with urgent switch to force certificate renewals. Please note that Urgent switch will rollover certs immediately and removes older certificates right away. If your certs aren’t expired, it may result into temporary service outage.

You can login to the one of the ADFS server as an administrator and run Windows PowerShell commands as an administrator.

Add-PSSnapin Microsoft.Adfs.PowerShell
Update-ADFSCertificate -Urgent

Alternatively you can run following command to specify specific certificate type. e.g. to renew only ADFS-signing certificate, you would run following command. Valid certificate types are “Token-Encryption” or “Token-Signing”.

Update-ADFSCertificate -CertificateType Token-Signing -Urgent

After running ADFS commands, it should refresh the certs for another year. As you can see from following screen, ADFS certs are renewed for another year until 12/21/2015. Alternatively you can change CertificateDuration by running Set-ADFSProperties to set the long duration. For the security best practices (even in development environment), it is nice to follow standard ADFS 1-year certificate renewal best practices.

If you are trying to access ADFS IDP sign in page, you may result into same error. This step would require restarting the ADFS windows service and you should have working ADFS environment.

Restore ADFS 2.0 and SharePoint 2013 On-Premises Federation

Since ADFS token-signing certificate was expired, if you are trying to access SharePoint, it may result into ID4220 – SAML assertion error due to invalid certificate stored in the SharePoint cert store.

7-2

You would require to export the ADFS token-signing certificate from the ADFS server. It is important to note that newly generated ADFS certificates may not be trusted. You must trust these certificates in the trusted root certificate authorities store on the ADFS server prior to exporting them for SharePoint import.

Once ADFS certificate is trusted, you can export the cert and copy it over to the one of the SharePoint server (preferably server running on central administration) where you can run SharePoint PowerShell commands.

It is important to note that once you copy over ADFS token-signing certificate, it may not be locally trusted on the SharePoint server. You must make sure this cert is added to the local trusted root certificate authorities store on the SharePoint server where you are planning to import into SharePoint store. If you import invalid certificate, you may get error “The root of the certificate chain is not a trusted root authority”.

10-5

Next step is to run the SharePoint PowerShell command as an administrator on one of the SharePoint servers in the farm where ADFS token-signing certificate is trusted. Please note that you need to run these commands only once in one of the servers in the farm. No need to run on each and every SharePoint server in the farm.

$cert= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\Host\ADFS Signing v1.cer“)
$sts = Get-SPTrustedIdentityTokenIssuer
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert

You can run the Get-SPTrustedIdentityTokenIssuer to verify that certificate thumbprint and expiration date matches the renewed ADFS federation trust. Additionally, please verify if new ADFS token-signing certificate is uploaded on the SharePoint trust store from the central administration screen. If it isn’t, you can manually upload the certificate. If trust page doesn’t show valid certificate, SharePoint will throw similar error – “The root of the certificate chain is not a trusted root authority”

10-3