If you are able to verify both of these settings successfully, you do not have to do anything else.Įxample: Renew the token signing certificate manually where (your_FS_name) is replaced with the federation service host name your organization uses, such as fs. Check that your federation metadata is publicly accessible by navigating to the following URL from a computer on the public internet (off of the corporate network):
The AD FS federation metadata is publicly accessible. This indicates that AD FS will automatically generate new token signing and token decryption certificates, before the old ones expire.Ģ. The AD FS property AutoCertificateRollover must be set to True. You are using the AD FS default configuration (AutoCertificateRollover is enabled).Ĭheck the following to confirm that the certificate can be automatically updated.ġ.You have deployed Web Application Proxy, which can enable access to the federation metadata from the extranet.You don't need to perform any manual steps if both of the following are true: Does not matter Renew the token signing certificate automatically (recommended) See Renew token signing certificate manually. See Renew token signing certificate automatically. AutoCertificateRolloverįederation metadata is publicly accessible In the output of either Get-MsolFederationProperty or Get-AdfsCertificate, check for the date under "Not After." If the date is less than 35 days away, you should take action. Step 3: Check if your certificate is about to expire If the thumbprints in both the outputs match, your certificates are in sync with Azure AD.
Get-MsolFederationProperty -DomainName | FL Source, TokenSigningCertificate Import-Module MSOnlineĬheck the certificates configured in AD FS and Azure AD trust properties for the specified domain. Install-Module MSOnlineĬonnect to Azure AD using the MSOnline PowerShell-Module. You can download the MSOnline PowerShell Module directly from the PowerShell Gallery. MSOL-Cmdlets are part of the MSOnline PowerShell module.
0 kommentar(er)
