Shooting yourself in the foot with certificate rollover for fun and profit.
Wednesday, March 10, 2010 at 12:16PM
Alternate title: this weekend's "Adventures in PKI."
So ADFS 2.0 has this new feature called automatic certificate rollover, which theoretically allows ADFS to generate new service certificates on your behalf when the old ones are close to expiring. This feature is turned on by default if you configure a new ADFS server or server farm via the Config Wizard on initial install.
In order to manually add/remove certs to a store, such as the token-signing cert store, you need to disable this feature first, so that ADFS will "let go" of the certificate management process. Drop to a PowerShell prompt:
set-ADFSProperties -AutoCertificateRollover $false
Easy-peasy.
(Though I guarantee a slew of administrator-created issues when an admin disables this feature to add a new cert, forgets to turn it back on, and then forgets that they forgot. But we won't see whether I'm right about this for 12-24 months, since that's the average lifetime of a TS cert in most environments. Never mind, the Internets will remember that I said it. :-))
Anyway. Shooting yourself in the foot with this feature? Is accomplished by doing the following:
- Have an ADFS server with this feature turned on.
- Realize that you've done something stupid with the CDP URL on the TS cert, and you need to issue a new one.
(watch very carefully, here comes the "Fire!" part)
- Open the Certificates MMC on the box and delete the TS cert from the computer's personal store...without first removing it from the ADFS MMC.
What happens next? Is that you open the ADFS MMC and try to add the new TS cert with the fixed-up CDP. MMC barks at you, complaining that AutoCertRollover is on and you need to turn it off.
Drop out to a PowerShell prompt, issue the command above...
...
...
...and then realize, upon staring at the resulting error message, that the cmdlet is checking for the presence of the old cert before it will allow you to turn off AutoCertRollover. (And there's no -force switch to bypass that...unless it's undocumented...and called something other than -force, 'cos I tried that one.)
So. Where does this leave us?
- Can't install the new cert into the ADFS MMC without turning off auto cert rollover.
- Can't turn off auto cert rollover because you deleted the old cert.
At this point I truly hope you've got a backup of the cert you deleted, complete with private key. (Did you mark it as exportable? And we won't talk about the fact that I didn't, because it was just a test box and I didn't care that much.)
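For the record, here is the order of operations that avoids the deadlock above: back up the current token-signing cert (with its private key) while ADFS still references it, turn rollover off while the old cert is still in the store, swap certs inside ADFS, and only then touch the computer's personal store. This is an added example written for this post, not a script from the ADFS product or from the original text. It assumes the ADFS 2.0 PowerShell snap-in is loaded (Add-PSSnapin Microsoft.Adfs.PowerShell), that you run it elevated on the federation server, and that the re-issued cert with the fixed CDP is already installed in LocalMachine\My. $NewThumbprint and $BackupPath are placeholders you supply; the .NET X509Store/Export calls are used instead of the Cert: provider so it also works on PowerShell 2.0.

```powershell
# Added example (not from the original post): replace an ADFS 2.0 token-signing
# certificate without deleting the old one out from under ADFS.
param(
    [Parameter(Mandatory=$true)][string]$NewThumbprint,          # placeholder: thumbprint of the re-issued TS cert
    [string]$BackupPath = "C:\adfs-backup\ts-cert-backup.pfx"    # placeholder backup location
)
$ErrorActionPreference = 'Stop'

# Step 0: record the rollover state so the "forgot that they forgot" check has a baseline.
$rolloverWasOn = (Get-ADFSProperties).AutoCertificateRollover
Write-Host "AutoCertificateRollover currently: $rolloverWasOn"

# Step 1: find the primary token-signing cert that ADFS is holding on to.
$primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $primary) { throw "No primary token-signing certificate registered in ADFS." }
$oldThumbprint = $primary.Thumbprint
Write-Host "Current primary token-signing cert: $oldThumbprint"

# Step 2: back it up, private key included, BEFORE touching any store.
# Export only succeeds if the key was marked exportable when the cert was created;
# if it was not, this is where you stop and think, not after the delete.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $oldThumbprint }
if (-not $cert) { $store.Close(); throw "Cert $oldThumbprint is not in LocalMachine\My but ADFS still references it." }
if (-not $cert.HasPrivateKey) { $store.Close(); throw "Cert $oldThumbprint has no private key in this store." }
$pfxPassword = Read-Host -AsSecureString "PFX password for the backup"
New-Item -ItemType Directory -Force -Path (Split-Path $BackupPath) | Out-Null
try {
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
    [System.IO.File]::WriteAllBytes($BackupPath, $bytes)
    Write-Host "Backed up $oldThumbprint with private key to $BackupPath"
} catch {
    $store.Close()
    throw "Private key is not exportable; nothing has been deleted. Fix the backup story first. ($_)"
}

# Step 3: turn rollover off while the old cert still exists (the cmdlet checks for it).
if ($rolloverWasOn) { Set-ADFSProperties -AutoCertificateRollover $false }

# Step 4: register the new cert in ADFS, promote it, then retire the old one from ADFS.
Add-ADFSCertificate    -CertificateType Token-Signing -Thumbprint $NewThumbprint
Set-ADFSCertificate    -CertificateType Token-Signing -Thumbprint $NewThumbprint -IsPrimary
Remove-ADFSCertificate -CertificateType Token-Signing -Thumbprint $oldThumbprint

# Step 5: only now is it safe to remove the old cert from the computer's personal store.
$store.Remove($cert)
$store.Close()
Write-Host "Removed $oldThumbprint from LocalMachine\My; ADFS now signs with $NewThumbprint"

# Step 6: leave a breadcrumb about rollover instead of silently forgetting it.
# Re-enabling it lets ADFS generate and manage its own certs again, so decide deliberately.
Write-Host "Reminder: AutoCertificateRollover is now $((Get-ADFSProperties).AutoCertificateRollover) (was $rolloverWasOn)."
```

Relying parties still need the new signing cert's public key (via refreshed federation metadata or a manual import), so plan that distribution before the old cert is removed from ADFS. The one-liner worth scheduling as a periodic check is the last line: `(Get-ADFSProperties).AutoCertificateRollover`, so that a disabled rollover setting is found by monitoring rather than by an expired token-signing cert a year or two later.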
:-)
Tip from the ADFS Kitteh. Here to help you people.
Carry on.