Tuesday, March 1, 2016

CertificateDuration of ADFS Token Certificates

At the end of a past blog post on my page (http://blog.gagepennisi.com/2016/01/understanding-adfs-token-signing-and.html), I touched on the subject of extending the certificate validity period from the default of one year. Recall that when these certificates expire or roll over automatically, CRM becomes inaccessible, so making them expire less often reduces the associated downtime. Let’s dig in:
  1. Open an administrative PowerShell prompt on the ADFS server
  2. If using Server 2008 R2 (ADFS 2.0), add the ADFS Snap-in:
              Add-PSSnapin Microsoft.ADFS.PowerShell
  3. Set the CertificateDuration property (Note: ‘1095’ below is an example and represents the number of days desired. 1,095 days = 3 years):
              Set-AdfsProperties -CertificateDuration 1095
  4. Create new token certificates with the new duration:
              Update-AdfsCertificate -Urgent
  5. Update the ADFS metadata stored in the CRM databases by running through the Claims-based Authentication and IFD Wizards in the CRM Deployment Manager.
  6. Issue an IISRESET on CRM Server(s).
CRM and ADFS should both now be working with your extended-duration token certificates!

Note: If you have just installed ADFS, and not yet set CRM up for Claims-based Authentication/IFD, you do not need to perform steps 5 and 6.
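Here is the same procedure (steps 1 through 4) wrapped in a script, as an added example that is not part of the original post. It records the certificate state before and after the rollover so you can confirm the new expiry dates, and the status function can be run on its own as a periodic check for the expiry-driven outage described above. The parameter names and the 30-day warning threshold are my own choices; the cmdlets and properties are the standard ADFS ones.

```powershell
# Added example: extend the ADFS token-certificate duration and verify the result.
# Run from an elevated PowerShell prompt on the ADFS server.
param(
    [int]$DurationDays = 1095,     # 3 years, matching the post's example value
    [int]$ExpiryWarningDays = 30   # constructed threshold for the status check
)

# Server 2008 R2 (ADFS 2.0) needs the snap-in; newer versions autoload the ADFS module.
if (-not (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.ADFS.PowerShell
}

# Returns one record per primary token certificate with its remaining lifetime.
# Usable stand-alone (e.g. from a scheduled task) to catch an approaching expiry.
function Get-AdfsTokenCertificateStatus {
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        $primary = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
        $cert = $primary.Certificate
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -le $ExpiryWarningDays) {
            Write-Warning "$type certificate expires in $daysLeft days; plan the CRM metadata refresh now."
        }
        [pscustomobject]@{
            Type       = $type
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
        }
    }
}

$props = Get-AdfsProperties
# Update-AdfsCertificate only rolls certificates that ADFS manages itself.
if (-not $props.AutoCertificateRollover) {
    throw 'AutoCertificateRollover is disabled; these certificates are externally managed.'
}

Write-Host ("Before: CertificateDuration = {0} days" -f $props.CertificateDuration)
Get-AdfsTokenCertificateStatus | Format-Table -AutoSize

# Steps 3 and 4: set the new duration, then generate new certificates with it.
# From this point CRM stops trusting tokens until its ADFS metadata is refreshed
# (steps 5 and 6), so run this inside a maintenance window.
Set-AdfsProperties -CertificateDuration $DurationDays
Update-AdfsCertificate -Urgent

Write-Host ("After: CertificateDuration = {0} days" -f (Get-AdfsProperties).CertificateDuration)
Get-AdfsTokenCertificateStatus | Format-Table -AutoSize
```

The "After" table should show both primary certificates expiring roughly $DurationDays from today; if the thumbprints did not change, the rollover did not happen and steps 5 and 6 are not yet needed.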
