ADFS and Exchange 2013 Token Signing Certificate Rollover Process

Environment Verified On: Exchange 2013 CU9, ADFS 3.0, all running Windows Server 2012 R2

If you are currently running Exchange Server 2013 and ADFS, you will have to replace your token-signing certificate every year by default, unless you disable the automatic certificate rollover feature of ADFS. In older versions of Exchange (I am currently running Exchange 2013 CU9), you could only assign one ADFS token-signing certificate thumbprint. This made it difficult for Exchange to trust the new certificate, because only one certificate could be trusted at a time. Now the -AdfsSignCertificateThumbprints parameter of Set-OrganizationConfig is multi-valued. Simply save both the "Primary" and "Secondary" token-signing thumbprints returned by the command below, and then apply them to your Exchange organization config.

# Run this PowerShell command on your primary ADFS server

Get-ADFSCertificate -CertificateType "Token-signing"

# Run this PowerShell command from one of your Exchange 2013 CAS servers, or from a machine with the Exchange snap-in installed

Set-OrganizationConfig -AdfsSignCertificateThumbprints 133FC5293DFD48BC8E395D3EECBB0E9C9486EE14,EBB6F27D02F46CD0ED2F5C743672B93A845B4C01


  • Open the ADFS management console
  • View the new primary token-signing certificate.
  • Export this certificate to a file
  • Import this certificate file on each CAS server
    • Add this cert to the Trusted Root Certification Authorities store under the machine account
  • Use your load balancer to isolate each CAS server, and then reboot them one at a time

Now when ADFS rolls the Secondary certificate to Primary, Exchange will automatically trust the new Primary cert, and OWA access will continue to function as normal without any downtime.
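The following script is an added example (not from the original post) that automates the two halves of the procedure above: part 1 runs on the primary ADFS server and exports both token-signing certificates, part 2 runs in the Exchange Management Shell on a CAS server and checks that both thumbprints are trusted by the organization config and present in the machine Trusted Root store. The output folder and the thumbprints in part 2 are placeholders to be filled in from part 1's output.

```powershell
# Added example, not the original post's code. Part 1 assumes the ADFS and PKI
# modules (Server 2012 R2); part 2 assumes the Exchange Management Shell.

# --- Part 1: run on the primary ADFS server ---
Import-Module ADFS
# Primary first, then secondary, so the list matches the order used in the post
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
           Sort-Object IsPrimary -Descending
if (@($signing).Count -lt 2) {
    Write-Warning "Only one token-signing certificate present; ADFS has not staged a rollover yet."
}

# Comma-separated list in the form Set-OrganizationConfig expects
$thumbprints = @($signing | ForEach-Object { $_.Thumbprint })
"Thumbprints to trust on Exchange: " + ($thumbprints -join ',')

# Export the public certificate (no private key) of each for import on the CAS servers
$outDir = 'C:\Temp'   # placeholder output folder
foreach ($cert in $signing) {
    $path = Join-Path $outDir ("adfs-token-signing-{0}.cer" -f $cert.Thumbprint)
    Export-Certificate -Cert $cert.Certificate -FilePath $path -Type CERT | Out-Null
    "Exported {0} (primary={1}, expires {2}) to {3}" -f `
        $cert.Thumbprint, $cert.IsPrimary, $cert.Certificate.NotAfter, $path
}

# --- Part 2: run on each Exchange 2013 CAS server (Exchange Management Shell) ---
# Paste the thumbprints printed by part 1 here (placeholders)
$expected = @('PRIMARY_THUMBPRINT', 'SECONDARY_THUMBPRINT')

# Add any thumbprint the org config does not already trust, keeping the existing ones
$current = @((Get-OrganizationConfig).AdfsSignCertificateThumbprints)
$missing = @($expected | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-OrganizationConfig -AdfsSignCertificateThumbprints ($current + $missing)
    "Added to AdfsSignCertificateThumbprints: " + ($missing -join ',')
}

# Verify each exported certificate was imported into the machine Trusted Root store
foreach ($tp in $expected) {
    $inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $inRoot) {
        Write-Warning "$tp is not in Cert:\LocalMachine\Root; import its .cer file before rebooting this CAS."
    }
}
```

Run part 2 on every CAS server before taking it out of the load balancer for its reboot, so a server that is missing the secondary certificate is caught before ADFS promotes it to primary.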

