Federation Services Certificate Renewal Alert in Office 365 Tenant Portal

Scenario: User logs into the Office 365 portal and receives an alert in the top menu bar that indicates the following:

[Screenshot: 2014-08-27_7-43-58]

Cause: One cause of this alert is that the self-signed certificates on the on-premises ADFS server are going to expire within the number of days stated in the alert (e.g. 28 days).

Solution: This should not be considered a high-priority issue, as the portal starts showing the alert 28 days before the certificate expires.

Also, the ADFS server should be set to auto-rollover the self-signed certificates. When this is set, the certificates will be automatically renewed and set as the primary certificate when the CertificateGenerationThreshold setting is met (default = 20 days).

  • Check the expiration date of the current certificates by opening the ADFS management console, selecting Services, then Certificates. The Token certificates are the self-signed certificates that need to be checked for expiration.
  • If the certificates will expire within the next 28 days, either wait for them to auto-rollover, or follow these instructions to generate new certificates.
  • This is a 3-stage process to regenerate self-signed Token certificates for ADFS. It requires the use of PowerShell, the ADFS PowerShell module, the Azure PowerShell module, and the ADFS Management Console.
  • Check the current certificate status and properties –

o   Open the Azure Online PowerShell application on the ADFS server desktop

o   Load the ADFS module – import-module ADFS

o   At the prompt, type Get-ADFSProperties

o   Look for the lines that read:

  • AutoCertificateRollover :true or false – should be set to true
    • To change to true from false – type Set-ADFSProperties -AutoCertificateRollover $true
  • CertificateDuration :XXX (integer) – default = 365, but can be set to any time interval in days (ie. 1095 = 3 years)
    • To change the duration period – type Set-ADFSProperties -CertificateDuration 1095
  • Force the rollover and create new certificates based on the CertificateDuration value –

o   In the PowerShell window, type Update-ADFSCertificate

o   You should now see new certificates with the new expiration date in the ADFS Management Console

o   The new certificates will be set as Secondary certificates. You will need to change these to be Primary if you wish for the alert to go away sooner than the default 20 day CertificateRolloverInterval (also viewed from the Get-ADFSProperties PowerShell command)

  • NOTE – Forcing the certificate rollover will cause a brief outage of ADFS Authentication services as the certificate is replaced and the ADFS services are stopped and restarted.

o   If you right-click on the certificate, you may notice that the “Set as Primary” option is greyed out. The reason is that the previously mentioned AutoCertificateRollover setting is set to $true. You must change it to $false for that option to become available. In the PowerShell window, type Set-ADFSProperties -AutoCertificateRollover $false.

o   Once you set the new certificates as Primary, revert AutoCertificateRollover back to $true – In the PowerShell window, type Set-ADFSProperties -AutoCertificateRollover $true.

  • Finally, update the Federated domain’s certificates

o   In the PowerShell window, connect to your tenant by typing Connect-MsolService. You will be prompted to enter your Office 365 or Azure AD credentials.

o   Type Update-MsolFederatedDomain -DomainName <your domain name here>. If you receive an error message stating that the domain requires the -SupportMultipleDomain parameter, re-enter the command as Update-MsolFederatedDomain -DomainName <your domain name here> -SupportMultipleDomain. The domain should now have the new certificate installed.

o   To verify the new certificate, in the PowerShell window, type Get-MsolFederationProperty -DomainName <your domain name here> and note the certificate expiry dates in the output.

You now should be able to login to your tenant portal and the alert should be gone.
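
The checks from the three stages above can be gathered into one read-only script to run before and after the rollover. This is an added example, not part of the original post; it assumes the ADFS and MSOnline modules are installed on the ADFS server, and `$Domain` and `$WarnDays` are illustrative parameter names.

```powershell
# Added example (not from the original post): read-only status check.
# Run on the ADFS server in an elevated PowerShell window. It changes nothing.
param(
    [string]$Domain   = '<your domain name here>',  # placeholder, supply your own
    [int]   $WarnDays = 28                          # portal alert window from the post
)

Import-Module ADFS

# Stage 1: the rollover settings the procedure inspects
$props = Get-AdfsProperties
$props | Select-Object AutoCertificateRollover, CertificateDuration,
                       CertificateGenerationThreshold | Format-List

# Stage 2: token certificates with days remaining (primary and secondary)
$certs = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-AdfsCertificate -CertificateType $type | ForEach-Object {
        $left = ($_.Certificate.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Type       = $_.CertificateType
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Certificate.Thumbprint
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = [int][math]::Floor($left)
        }
    }
}
$certs | Sort-Object Type, NotAfter | Format-Table -AutoSize

if ($certs | Where-Object { $_.IsPrimary -and $_.DaysLeft -le $WarnDays }) {
    Write-Warning "A primary token certificate expires within $WarnDays days."
}
if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False; set it back to $true when done.'
}

# Stage 3: compare the token-signing certificate ADFS publishes with the
# one the tenant holds. Connect-MsolService prompts for credentials.
Connect-MsolService
$fed = Get-MsolFederationProperty -DomainName $Domain
$fed | Select-Object Source,
    @{ n = 'Thumbprint'; e = { $_.TokenSigningCertificate.Thumbprint } },
    @{ n = 'NotAfter';   e = { $_.TokenSigningCertificate.NotAfter } } |
    Format-Table -AutoSize

$thumbs = $fed | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } |
          Sort-Object -Unique
if (@($thumbs).Count -gt 1) {
    Write-Warning 'ADFS and the tenant hold different token-signing certificates; run Update-MsolFederatedDomain.'
}
```

A mismatch warning in the last step after a forced rollover means the federated domain has not yet been updated with the new certificate.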
