If you have set up AD FS (Active Directory Federation Services) to authenticate the users of your domain in Office 365, you know that the trust between your AD FS service and Office 365 relies on a certificate that both sides trust. You can use certificates issued by a public CA, which are more convenient because both sides already trust them, but you can also use self-signed certificates. The problem is that certificates have an expiration date after which they are no longer valid, and once the certificate in use expires the communication between the two sides is interrupted.
Premise: every operation discussed in this article should be executed on the primary AD FS server.
What do you do when the certificate in use is about to expire? Renew it before it expires, obviously 🙂 and since it is easy to forget (Office 365 warns you anyway), the most convenient thing is to enable automatic renewal.
First check whether AutoCertificateRollover is enabled by running these two commands from PowerShell:
PS C:\Windows\system32> Add-PSSnapin microsoft.adfs.powershell
PS C:\Windows\system32> Get-ADFSProperties
The command should return data similar to this:
AutoCertificateRollover : True
CertificateCriticalThreshold : 2
CertificateDuration : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold : 5
CertificateRolloverInterval : 720
The first entry tells you whether auto rollover is enabled; if it is not, you can enable it with:
Set-ADFSProperties -AutoCertificateRollover $true
The other entries are the parameters that control the rollover:
CertificateGenerationThreshold: how many days before the expiry of the current certificate the AD FS server generates a new one
CertificatePromotionThreshold: how many days before the expiry of the current certificate the new certificate is promoted from secondary to primary. When auto rollover generates a new certificate it does not replace the primary one: it adds the new certificate as a secondary alongside the primary, so that Office 365 has time to learn about it before the primary expires; only then is it promoted to primary.
CertificateRolloverInterval: how many minutes the AD FS service waits between checks for whether new certificates need to be generated
CertificateCriticalThreshold: how many days before expiry AD FS forces the generation of a new certificate and promotes it without waiting, even though there will be no time for Office 365 to pick it up (the extreme case, to be avoided)
The official page with all the AutoCertificateRollover parameters and properties of AD FS is here: http://social.technet.microsoft.com/wiki/contents/articles/16156.ad-fs-2-0-understanding-autocertificaterollover-threshold-properties.aspx
Another very useful command is the one that forces the creation of a new certificate:
Update-ADFSCertificate
You can add the -Urgent parameter, but use it very carefully: it immediately sets the new certificate as the primary, and if the new metadata and certificate are not communicated to Office 365 right away you will lose authentication. Read on…
So far we have seen how to change the parameters and how to generate new certificates in AD FS. But if we change the primary certificate without communicating it to Office 365, the new certificate will not be considered valid and authentication will stop working (in other words, users will no longer be able to sign in). How do we transfer the metadata to Office 365, preferably automatically? Fortunately Microsoft gives us a hand with this script:
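As an added example (my own code, not from the original post), the following PowerShell puts the threshold parameters and the Update-ADFSCertificate command together: it reads the rollover settings, computes from the current token-signing certificate when generation, promotion and the critical fallback would happen, and creates the secondary certificate without -Urgent only if the generation window has already been reached and no secondary exists yet. It assumes the AD FS 2.0 snap-in on the primary (writable) federation server; the $DryRun variable is my own addition so the script can be run without changing anything.

```powershell
# Added example, not code from the original post. Assumes the AD FS 2.0 PowerShell
# snap-in, run on the primary (writable) federation server as a local administrator.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$DryRun = $true   # my own switch: set to $false to actually generate a certificate

$props = Get-ADFSProperties
if (-not $props.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is disabled: enable it with Set-ADFSProperties -AutoCertificateRollover `$true"
}

# The token-signing certificate is the one Office 365 must know to validate our tokens.
$signing   = @(Get-ADFSCertificate -CertificateType Token-Signing)
$primary   = $signing | Where-Object { $_.IsPrimary } | Select-Object -First 1
$secondary = @($signing | Where-Object { -not $_.IsPrimary })

$expires  = $primary.Certificate.NotAfter
$daysLeft = [int]($expires - (Get-Date)).TotalDays

# Timeline derived from the thresholds explained above (all counted back from expiry).
[PSCustomObject]@{
    PrimaryThumbprint = $primary.Thumbprint
    ExpiresOn         = $expires
    DaysLeft          = $daysLeft
    GenerationOn      = $expires.AddDays(-$props.CertificateGenerationThreshold)
    PromotionOn       = $expires.AddDays(-$props.CertificatePromotionThreshold)
    CriticalOn        = $expires.AddDays(-$props.CertificateCriticalThreshold)
    CheckEveryMinutes = $props.CertificateRolloverInterval
    SecondaryPresent  = ($secondary.Count -gt 0)
} | Format-List

# Sanity check: Office 365 needs the window between generation and promotion to pick
# up the secondary certificate (the scheduled task described later runs once a day).
if ($props.CertificatePromotionThreshold -ge $props.CertificateGenerationThreshold) {
    Write-Warning "CertificatePromotionThreshold >= CertificateGenerationThreshold: no window for Office 365 to learn the new certificate"
}

# Manual rollover: only inside the generation window and only if no secondary exists.
# Deliberately without -Urgent, so the new certificate stays secondary until promoted.
if ($daysLeft -le $props.CertificateGenerationThreshold -and $secondary.Count -eq 0) {
    if ($DryRun) {
        "Would run: Update-ADFSCertificate -CertificateType Token-Signing"
    } else {
        Update-ADFSCertificate -CertificateType Token-Signing
        # Verify: the new certificate must show IsPrimary = False next to the old one.
        Get-ADFSCertificate -CertificateType Token-Signing |
            Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
    }
}
```

The final Get-ADFSCertificate listing is the check to make after any rollover: with two token-signing certificates listed and the newer one marked IsPrimary = False, nothing has changed for Office 365 yet and there is time to publish the metadata before promotion.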
https://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc
It is a PowerShell script: download it and run it. You will need an administrator account for the on-premises domain and an administrator account for Office 365. The full list of prerequisites follows; nothing particularly complex, but make sure you have all of them:
To execute this tool successfully:
- You must have the latest version of the Microsoft Online Services Module for Windows PowerShell installed. You can download the module from http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx
- You need to have a functioning AD FS 2.0 Federation Service
- You need to have access to Global Administrator credentials for your Office 365 tenant
- At least one verified domain in the Office 365 tenant must be of type ‘Federated’
- This tool must be executed on a writable Federation Server
- The currently logged on user must be a member of the local Administrators group
If you meet the prerequisites, run the script. It asks for the two sets of credentials (on-premises and Office 365), generates a script in C:\Office365-Scripts and creates a scheduled task that runs that script every day. The script transfers to Office 365 all changes to the federation metadata, which include certificate changes; in this way we are sure that every day the AD FS server and Office 365 are synchronized. This closes the circle as far as managing AutoCertificateRollover is concerned.
To be clear, here is a summary of how the whole thing works once auto rollover is configured:
1) When the date defined by CertificateGenerationThreshold arrives, a new certificate is generated and set as secondary.
2) The new certificate is automatically communicated to Office 365 by the scheduled task that runs the script in C:\Office365-Scripts every day, so from then on Office 365 accepts it as valid.
3) When the date defined by CertificatePromotionThreshold arrives, the secondary certificate becomes primary and is actually used to sign the tokens exchanged between AD FS and Office 365; Office 365 accepts it because it "already knows it".
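As a last added example (my own code, not the Microsoft gallery script and not code from the original post), this is the check I would run before trusting the automatic loop: compare the token-signing certificates AD FS publishes with the ones Office 365 has stored for the federated domain, and push the metadata only when the two sides disagree. It assumes the Microsoft Online Services Module (MSOnline) on the primary AD FS server and Global Administrator credentials; contoso.com is a placeholder for your federated domain, and the Source strings matched below are the ones the cmdlet displays, so treat them as an assumption to verify on your version.

```powershell
# Added example, not the Microsoft gallery script and not code from the original post.
# Assumes the MSOnline module on the primary AD FS server and Global Administrator
# credentials; contoso.com is a placeholder for your federated domain.
Import-Module MSOnline
Connect-MsolService            # prompts for the Office 365 Global Administrator

$domain = "contoso.com"

function Get-Thumbprint($cert) {
    if ($cert) { $cert.Thumbprint } else { "<none>" }
}

# One object per side: what AD FS publishes and what Office 365 has stored.
# The Source strings are what the cmdlet displays; verify them on your version.
$fed  = Get-MsolFederationProperty -DomainName $domain
$adfs = $fed | Where-Object { $_.Source -like "ADFS*" }
$o365 = $fed | Where-Object { $_.Source -like "Microsoft Office 365*" }

$report = [PSCustomObject]@{
    AdfsCurrent = Get-Thumbprint $adfs.TokenSigningCertificate
    AdfsNext    = Get-Thumbprint $adfs.NextTokenSigningCertificate
    O365Current = Get-Thumbprint $o365.TokenSigningCertificate
    O365Next    = Get-Thumbprint $o365.NextTokenSigningCertificate
}
$report | Format-List

# In sync only when both the primary and the secondary (next) certificate match.
$inSync = ($report.AdfsCurrent -eq $report.O365Current) -and
          ($report.AdfsNext    -eq $report.O365Next)

if ($inSync) {
    "Office 365 already knows both the primary and the secondary token-signing certificate."
} else {
    # Same operation the daily scheduled task performs; safe to repeat.
    Write-Warning "Office 365 metadata is stale for $domain; updating the federated domain now."
    Update-MsolFederatedDomain -DomainName $domain
    Get-MsolFederationProperty -DomainName $domain |
        Select-Object Source, @{ n = 'Signing'; e = { Get-Thumbprint $_.TokenSigningCertificate } },
                              @{ n = 'Next';    e = { Get-Thumbprint $_.NextTokenSigningCertificate } }
}
```

Run this once right after step 1 of the summary (a secondary certificate exists in AD FS) and once before step 3: in the first case O365Next should already equal AdfsNext, in the second case O365Current should equal the thumbprint that has just been promoted. If the tenant has more than one federated domain, Update-MsolFederatedDomain needs the -SupportMultipleDomain switch as well.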