ADFS Auto Certificate Rollover and Impact on SharePoint 2010 Claims Web Application


ADFS has a feature called Auto Certificate Rollover which generates a new certificate when the current one nears expiration. When this happens to the Token Signing Certificate, all your SharePoint 2010 Claims web applications will start failing with a “root of certificate chain not a trusted root authority” error, because SharePoint still trusts only the old signing certificate.

If you look through the event logs on the ADFS server you will see the following entry:

MSIS10004: Certificate rollover service has set certificate with thumbprint '52FBF8F2B01E0CED0473858CA526BB48446EB9E3' as primary 'Encryption' certificate.

You can disable auto certificate rollover by running the following PowerShell on the ADFS server:

Add-PSSnapin Microsoft.ADFS.PowerShell

Set-ADFSProperties -AutoCertificateRollOver $false
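Before deciding whether to disable rollover, it helps to see what ADFS is currently holding. The following PowerShell is an added example (not from the original post); run on the ADFS 2.0 server it reports the rollover setting, lists the token-signing certificates with their thumbprints so the MSIS10004 event can be matched to the certificate it promoted, and exports the current primary certificate for import into SharePoint. The output path is a placeholder.

```powershell
# Added example, not part of the original post. Run on the ADFS 2.0 server.
Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue

# 1. Is automatic rollover switched on?
$props = Get-ADFSProperties
"AutoCertificateRollover is $($props.AutoCertificateRollover)"

# 2. List the token-signing certificates. After a rollover both the new primary and the
#    previous one are present; the thumbprint in the MSIS10004 event names the promoted one.
Get-ADFSCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# 3. Export the primary token-signing certificate (public part only) as a DER .cer file
#    that SharePoint can import. The path is a placeholder; any writable location works.
$outFile = "C:\temp\adfs-token-signing.cer"
$primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $primary) { throw "No primary token-signing certificate found" }

$derBytes = $primary.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $derBytes)
"Exported primary token-signing certificate $($primary.Thumbprint) to $outFile"
```

Only the public certificate is exported here (X509ContentType::Cert), which is all SharePoint needs to validate signatures; the private key stays on the ADFS server. Compare the thumbprint printed in step 3 with the one in the event log entry before copying the file to the SharePoint farm.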

The fix is to export the new primary token signing certificate from ADFS and add it to SharePoint's security trusts.

Sample PowerShell (run on the SharePoint server):

Add-PSSnapin Microsoft.SharePoint.PowerShell

# Path to the .cer file exported from ADFS (placeholder, adjust to your own)
$CertFile = "C:\temp\adfs-token-signing.cer"

$cert = Get-PfxCertificate -FilePath $CertFile

New-SPTrustedRootAuthority -Certificate $cert -Name "ADFS Token Signing"

Update: I forgot to add this step; you also need to re-create your TrustedIdentityTokenIssuer.
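Putting the two SharePoint-side steps together, the following PowerShell is an added example (not from the original post). Run in a SharePoint 2010 Management Shell as a farm administrator, it checks whether the new thumbprint is already trusted before adding a root authority, then re-creates the trusted identity token issuer with the new signing certificate while keeping its existing name, realm, sign-in URL and claim mappings. The .cer path and the issuer name are placeholders.

```powershell
# Added example, not part of the original post. Run on a SharePoint 2010 server
# as a farm administrator after copying the .cer exported from ADFS here.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certFile   = "C:\temp\adfs-token-signing.cer"   # placeholder: file exported on the ADFS server
$issuerName = "ADFS"                              # placeholder: your SPTrustedIdentityTokenIssuer name

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
"New token-signing certificate $($cert.Thumbprint) ($($cert.Subject)) expires $($cert.NotAfter)"

# Step 1: trust the new certificate. Root authority names must be unique, so the thumbprint
# prefix is used as a suffix; the entry for the previous certificate can stay until tokens
# signed with it are no longer in circulation.
$trusted = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if ($trusted) {
    "Thumbprint already trusted as root authority '$($trusted.Name)'"
} else {
    $rootName = "ADFS Token Signing $($cert.Thumbprint.Substring(0, 8))"
    New-SPTrustedRootAuthority -Name $rootName -Certificate $cert | Out-Null
    "Added trusted root authority '$rootName'"
}

# Step 2: re-create the trusted identity token issuer with the new signing certificate.
$old = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue
if (-not $old) { throw "Trusted identity token issuer '$issuerName' not found" }

if ($old.SigningCertificate.Thumbprint -eq $cert.Thumbprint) {
    "Issuer '$issuerName' already uses $($cert.Thumbprint); nothing to do"
} else {
    # Rebuild the claim mappings from the existing issuer so the new one is identical
    # apart from the certificate (the identifier claim is carried over separately).
    $mappings = @($old.ClaimTypeInformation | ForEach-Object {
        New-SPClaimTypeMapping -IncomingClaimType $_.InputClaimType `
                               -IncomingClaimTypeDisplayName $_.DisplayName `
                               -LocalClaimType $_.MappedClaimType
    })
    $settings = @{
        Name                   = $old.Name
        Description            = $old.Description
        Realm                  = $old.DefaultProviderRealm
        SignInUrl              = $old.ProviderUri.AbsoluteUri
        IdentifierClaim        = $old.IdentifierClaim
        ClaimsMappings         = $mappings
        ImportTrustCertificate = $cert
    }

    # Removal fails while a web application still lists the issuer as an authentication
    # provider; stop with a clear message rather than leaving the farm half-configured.
    try {
        Remove-SPTrustedIdentityTokenIssuer -Identity $issuerName -Confirm:$false -ErrorAction Stop
    } catch {
        throw "Could not remove '$issuerName' (detach it from each web application's authentication providers first): $($_.Exception.Message)"
    }

    $new = New-SPTrustedIdentityTokenIssuer @settings
    "Re-created issuer '$($new.Name)' signed by $($new.SigningCertificate.Thumbprint)"
}
```

The thumbprint comparison in each step makes the script safe to re-run: once the farm trusts the new certificate and the issuer is signed by it, nothing is changed. Because the issuer is recreated under its original name, web applications that reference it by that name pick up the new certificate once it is reattached.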





Published: 2/8/2012 9:56 AM
