Token Signing certificate expiring – ADFS

What happens when your Token Signing Certificate is about to Expire and how you can recover from the situation.

The infrastructure is similar to the following,

Successful Authentication flow,

Application Authentication page -> Redirects to ADFS Sign page – > Users enters the username and password -> Credentials is validated by ADFS server with the Identity provider -> Issues a SAML token back to the User on Successful verification -> User is then redirected back to the application page with a successful sign in.

SAML failure

The flow works until the SAML is being issued to the web page but Application will fail to validate it with an error message SAML_RESPONSE_INVALID

Token signing certificate

Some application responded may respond with the error
SAML_RESPONSE_INVALID or some of them just ask the user for the credentials.

At this point we can confirm that SAML issued is invalid or wrong.

You might find on the internal ADFS servers Two certificates (Primary and secondary)

If your ADFS properties shows, (Get-ADFSProperties), the following

What happens is, The Token Signing certificate is set to auto-enroll exactly before 20 days of the existing certificate expiry date. After the generation of the new certificate, it automatically bring the new certificate as primary on the 5th Day.

As per the screenshot,

The certificate set to expire on 10/2/2019. 10/2/2019 – 20 days is 20/1/2019 as per AutoCertificateRollOver ADFS property. On 20th certificate got renewed as per CertificateGenerationThreshold Property. 20/1/2019 + 5 Days, the certificate switch happened as per CertificatePromotionThreshold.

Solution:

  1. Set the autoenrollment to false by running the cmdlet, Set-ADFSProperties -AutoCertificateRollover $False
  2. From ADFS Console, choose the old certificate as primary by “Set as primary” (“Set as Primary” option is disabled until first step is completed)
  3. This is just a temporary solution to keep the production running. Inform your application vendor to update the metadata. You can extract the metadata from, https://<adfs name>/FederationMetadata/2007-06/FederationMetadata.xml (This will contain the information about the newly enrolled certificate)
  4. Once the application vendor confirms that they have updated, follow step 1 and 2 to switch the primary and secondary certificate

Monitoring ADFS through AAD Connect Health Agent

The AAD Connect comes with a Health Agent which monitors the AAD Connect and logs in to Azure AD.

The events can be viewed from portal.office.com and Choose Azure Active Directory. Under Manage -> Choose Azure AD Connect.

On the right pane, under Health and Analytics -> Click Azure Active Directory Connect HealthScreen Shot 2018-08-17 at 13.24.27

Now that we know how AAD Connect is being monitored by AAD Connect Health Agent, the same agent can also be used to monitor ADFS server and ADFS-Proxy server as well.

To do so,

  1. Download the AAD Connect Health Agent from https://www.microsoft.com/en-us/download/details.aspx?id=48261
  2. Run the setup, make sure you are installing ADFS agent.Screen Shot 2018-08-17 at 12.56.02
  3. It will prompt you to “Configure now”.  Click on it.
  4. You will see the followingCapture

Make sure you have enabled auditing on ADFS server to capture those events on Azure portal.

To do so,

  1. Open windows powershell on ADFS server,
  2. Run the following command

auditpol.exe /set /subcategory:”Application Generated” /failure:enable /success:enable

3. Open AD FS management console, Click on “Edit Federation Service Properties”, Under Event tab, check all the events.

adfs console

Once you’ve done that, you can see events will start showing up on Azure Active Directory Connect Health

Of course you can monitor lot of events.  To know more,

https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-adfs

VJ