Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-03-14) Gathering Architectural Details From Your ADFS Infrastructure – ADFS Certs

Posted by Jorge on 2014-03-14


If ADFS was installed in the past by someone else and there is little to no documentation, how do you know whether you are using ADFS Managed Self-Signed Certs or CA Issued Certs for your Token Signing and Token Encryption certs? Keep reading to find out how to determine that!

ADFS Managed Self-Signed Certs Or CA Issued Certs For Your Token Signing and Token Encryption Certs?

To determine if ADFS Managed Self-Signed certificates are being used for the Token Signing cert and the Token Encryption cert, you can execute the "Get-ADFSProperties" cmdlet and check if the property "AutoCertificateRollOver" is set to True. When set to True, ADFS Managed Self-Signed certificates are being used. When set to False, ADFS Managed Self-Signed certificates are NOT being used and you are then using CA issued certificates. All yellow-marked properties in the screenshot below (Figure 1) are used only if the property "AutoCertificateRollOver" is set to True. For more information see (2013-05-14) ADFS Managed Certificates Supporting Auto Certificate Rollover.

One important thing to remember is:

  • The value for CertificateSharingContainer is NOT populated when ADFS is in StandAlone mode
  • The value for CertificateSharingContainer is populated when ADFS is most likely in Farm mode and when ADFS Managed Self-Signed certificates are actually being used OR have been used (after changing to CA issued certs)
  • If CA issued certs are being used, and you were using ADFS Managed Self-Signed certificates before that, you can safely delete the Certificate Sharing Container from AD (test first and be able to fully restore deleted objects as needed!)


Figure 1: Are ADFS Managed Self-Signed Certificates Being Used For The Token Signing Cert And The Token Encryption Cert Or Not?

With ADFS Managed Self-Signed Certificates the "Issued To" and the "Issued By" are always the same. The part before the dash (-) is always "ADFS Signing" and the part after the dash (-) is always "<the FQDN of the Federation Service>".


Figure 2: Is An ADFS Managed Self-Signed Certificate Being Used For The Token Signing Cert?

With ADFS Managed Self-Signed Certificates the "Issued To" and the "Issued By" are always the same. The part before the dash (-) is always "ADFS Encryption" and the part after the dash (-) is always "<the FQDN of the Federation Service>".


Figure 3: Is An ADFS Managed Self-Signed Certificate Being Used For The Token Encryption Cert?

Either the ADFS MMC or the PowerShell cmdlet "Get-ADFSCertificate" will tell you which certificates are in use by ADFS. Also see: (2013-05-13) Certificates Used In Active Directory Federation Services (ADFS) v2.x
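The following script is an added example and not part of the original post; it puts the two checks described above (the "AutoCertificateRollOver" / "CertificateSharingContainer" properties from Get-ADFSProperties, and the "ADFS Signing - <FQDN>" / "ADFS Encryption - <FQDN>" subject and issuer pattern on the certificates returned by Get-ADFSCertificate) into one report, and flags any certificate whose naming does not agree with the rollover setting. It assumes it is run on an ADFS server by an account allowed to use the ADFS cmdlets; the cmdlet and property names are the real ones, while the helper function Test-AdfsManagedCert and its output layout are my own. Note that the cmdlet calls the Token Encryption certificate "Token-Decrypting".

```powershell
# Added example, not the post's own code. Assumes an ADFS server (ADFS 2.x with the
# Microsoft.Adfs.PowerShell snap-in, or a later version with the Adfs module) and an
# account permitted to run the ADFS cmdlets. Test-AdfsManagedCert is a hypothetical helper.

# ADFS 2.x exposes its cmdlets through a snap-in; later versions auto-load the Adfs module.
if (-not (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

function Test-AdfsManagedCert {
    # Returns $true when the certificate follows the ADFS-managed self-signed naming
    # convention: Subject and Issuer are identical and read
    # "CN=ADFS Signing - <FQDN>" (token signing) or "CN=ADFS Encryption - <FQDN>" (token encryption).
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)]
        [ValidateSet('Token-Signing', 'Token-Decrypting')] [string] $Type,
        [Parameter(Mandatory)] [string] $FederationServiceName
    )
    $label    = if ($Type -eq 'Token-Signing') { 'ADFS Signing' } else { 'ADFS Encryption' }
    $expected = "CN=$label - $FederationServiceName"
    return ($Certificate.Subject -eq $expected -and $Certificate.Issuer -eq $expected)
}

$props    = Get-AdfsProperties
$rollover = [bool]$props.AutoCertificateRollover
$fqdn     = $props.HostName          # the Federation Service name used in the cert subjects

# Check 1: rollover flag and sharing container (the container is empty in stand-alone mode,
# and populated in farm mode when managed certs are or once were in use).
[pscustomobject]@{
    FederationService           = $fqdn
    AutoCertificateRollover     = $rollover
    CertificateSharingContainer = $props.CertificateSharingContainer
} | Format-List

# Check 2: inspect the actual token signing / token encryption certificates.
$report = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $managed = Test-AdfsManagedCert -Certificate $c.Certificate -Type $type -FederationServiceName $fqdn
        [pscustomobject]@{
            Type        = $type
            IsPrimary   = $c.IsPrimary
            Thumbprint  = $c.Thumbprint
            Subject     = $c.Certificate.Subject
            Issuer      = $c.Certificate.Issuer
            NotAfter    = $c.Certificate.NotAfter
            AdfsManaged = $managed
            # Rollover=True should go with managed certs and Rollover=False with CA-issued ones;
            # anything else is worth a second look before trusting the documentation.
            Consistent  = ($managed -eq $rollover)
        }
    }
}
$report | Format-Table -AutoSize

$report | Where-Object { -not $_.Consistent } | ForEach-Object {
    Write-Warning ("{0} cert {1} does not match AutoCertificateRollover={2}" -f $_.Type, $_.Thumbprint, $rollover)
}
```

Because a CA-issued certificate can carry an arbitrary subject, the naming test is only meaningful in the positive direction: a match on both Subject and Issuer is strong evidence of an ADFS-managed certificate, while a non-match combined with AutoCertificateRollover set to True is the case the warning exists for.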

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ############# http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
