SOLVED

ADFS 3.0 new token-signing cert not in federationmetadata


Last week I added a secondary, internally signed, token-signing certificate to our ADFS 3.0 farm in advance of the cert rollover later this week. When running Get-AdfsProperties to validate, we see both the current primary cert and the new secondary cert. However, I'm not seeing the new cert in our federationmetadata. Why would that be?

3 Replies

Can you share the output of these two lines:

$metadata = Invoke-WebRequest -Uri "https://adfs.verenatex.com/federationmetadata/2007-06/federationmetadata.xml"
([XML] $metadata.Content).EntityDescriptor.RoleDescriptor.KeyDescriptor

The output does not contain sensitive data, and of course, replace the URL with yours.

Best Response confirmed by Sloan Ozanne (New Contributor)
Solution

Apologies... failed to post an update after we resolved it.

Ended up having to reboot the ADFS servers. Cycling the ADFS service wasn't enough. Likely some other internal issue that needs to be looked at, and will, but this specific problem with the metadata is resolved.


Hello,

we have a similar issue with our federationmetadata.xml.

We generated new token signing and encryption certificates on Dec. 22, 2017, but only the token signing certificate appears in the federationmetadata.xml, which is very strange.

The ADFS servers were restarted a few days after the certificate generation by an automatic reboot after installing Windows updates.

Here is the output of the web-request command:

PS C:\WINDOWS\system32> $metadata = Invoke-WebRequest -Uri "https://server.domain.com/federationmetadata/2007-06/federationmetadata.xml"
([XML] $metadata.Content).EntityDescriptor.RoleDescriptor.KeyDescriptor

use KeyInfo
--- -------
encryption KeyInfo
signing KeyInfo
signing KeyInfo

Does anyone have an idea why the new token encryption certificate is not in the federationmetadata?

Best regards

Martin
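The two-line check in the earlier reply only lists the `use` of each KeyDescriptor, which is why Martin's output shows "signing" twice and "encryption" once without saying which certificates those are. The script below is an added example (not code from this thread or from Microsoft) that extends that check: it decodes every X509Certificate published in the federation metadata, prints its thumbprint and expiry, and then asks Get-AdfsCertificate which Token-Signing and Token-Decrypting certificates the farm believes it has configured, flagging any that the metadata does not publish. It assumes it runs on an ADFS server (where the ADFS cmdlets exist); `$fsName` is a placeholder for your federation service name.

```powershell
# Added example, not code from the thread or from Microsoft.
# Lists every certificate published in the federation metadata (KeyDescriptor
# elements with their 'use' attribute, the element they belong to, the
# thumbprint and the expiry date), then checks whether each Token-Signing and
# Token-Decrypting certificate that ADFS has configured actually appears there.
# Run on an ADFS server so that Get-AdfsCertificate is available.
# $fsName is a placeholder; replace it with your federation service name.
$fsName = 'adfs.example.com'
$uri    = "https://$fsName/federationmetadata/2007-06/federationmetadata.xml"

$response = Invoke-WebRequest -Uri $uri -UseBasicParsing
[xml]$xml = $response.Content

# KeyDescriptor lives in the SAML 2.0 metadata namespace; the certificate
# inside it is in the XML-DSig namespace.
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$published = foreach ($kd in $xml.SelectNodes('//md:KeyDescriptor', $ns)) {
    $certNode = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if ($null -eq $certNode) { continue }
    $raw  = [Convert]::FromBase64String($certNode.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    [pscustomobject]@{
        Element    = $kd.ParentNode.LocalName   # RoleDescriptor, IDPSSODescriptor or SPSSODescriptor
        Use        = $kd.GetAttribute('use')    # signing or encryption
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
    }
}

"Certificates published in federation metadata:"
$published | Sort-Object Element, Use | Format-Table -AutoSize

# Compare against what the farm reports as configured.
$configured = Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' }

"Configured certificates and whether the metadata publishes them:"
$configured | ForEach-Object {
    [pscustomobject]@{
        CertificateType = $_.CertificateType
        IsPrimary       = $_.IsPrimary
        Thumbprint      = $_.Thumbprint
        InMetadata      = ($published.Thumbprint -contains $_.Thumbprint)
    }
} | Format-Table -AutoSize
```

A row with `InMetadata` equal to `False` for a Token-Signing or Token-Decrypting certificate is the condition both posters describe: the farm has the certificate configured, but relying parties that refresh from the metadata will never learn about it, so the rollover would fail when that certificate becomes primary. In the original poster's case the metadata caught up only after rebooting the ADFS servers, not after restarting the service. Because the metadata URL is usually load balanced across the farm, it is worth running the check against each node (for example by pointing `$fsName` at an individual server name) so that one node serving stale metadata is not masked by another that is up to date.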