Understanding the ADFS Token Signing and Decrypting Certificates Rollover Process


Active Directory Federation Services (ADFS) creates and manages the two certificates used for the tokens it issues: the Token-Signing certificate (which signs the tokens) and the Token-Decrypting certificate (whose public key relying parties use to encrypt tokens for ADFS). By default these certificates are valid for one year from creation, and around the one-year mark they renew themselves automatically via the Auto Certificate Rollover feature in ADFS. Once this happens, CRM can no longer authenticate users, because it still holds the old certificates’ metadata in its configuration database. This is easily resolved by re-running the “Configure Claims Based Authentication” and “Configure Internet Facing Deployment” wizards from the CRM Deployment Manager and then issuing an IISRESET on the CRM server(s).

More details and resolution can be found in this KB: http://support.microsoft.com/kb/2686840

While most CRM administrators understand that much, a number of the settings and configurations that lead up to this issue are less well known. One of the biggest complexities is knowing EXACTLY when CRM will go down because of the Auto Certificate Rollover, and how to avoid it. We will be going through that today.

We will start with the process that ADFS goes through for certificate renewal:

  1. ADFS determines that its certificates will be expiring soon.
  2. ADFS creates new certificates and sets them as secondary certificates.
  3. ADFS updates the new certificates to primary certificates.

There are a number of settings for ADFS only accessible via PowerShell that control the Auto Certificate Rollover options and properties for the process above. To access these, open an administrative PowerShell prompt and execute the following (Note that if you are using ADFS 2.0, you will need to add the ADFS PowerShell Snap-In first by executing Add-PSSnapin Microsoft.ADFS.PowerShell):

adfs1

 

This will display a listing of the deployment properties for ADFS, including the properties around the certificates and rollover. For our purposes, we will keep our focus on just a handful of these properties:

  • AutoCertificateRollover
  • CertificateDuration
  • CertificateGenerationThreshold
  • CertificatePromotionThreshold
  • CertificateRolloverInterval

adfs2

adfsgrid

 

So what do all of these values mean? Below are the same steps as before, now with the default values from the table above filled in.

  1. ADFS determines that its certificates will expire within 20 days (CertificateGenerationThreshold).
  2. ADFS creates new certificates valid for 365 days (CertificateDuration) and sets them as secondary certificates.
  3. 5 days later (CertificatePromotionThreshold), at the next Certificate Management Cycle (the cycle runs every CertificateRolloverInterval minutes), ADFS promotes the new certificates to primary.
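To see exactly where your own deployment stands, here is an added example (not from the original post) that reads these properties and the current Token-Signing certificates with the AD FS cmdlets and projects the generation and promotion dates the way the three steps above describe. It assumes the AD FS PowerShell snap-in or module is loaded (ADFS 2.0: Add-PSSnapin Microsoft.ADFS.PowerShell first) and that it runs on the primary ADFS server; the output property names are my own.

```powershell
# Added example, not from the original post: projects the auto-rollover timeline for the
# Token-Signing certificate (the one CRM validates tokens against) from the ADFS
# properties, following the three steps above.
# Assumes the AD FS cmdlets are loaded (ADFS 2.0: Add-PSSnapin Microsoft.ADFS.PowerShell)
# and that this runs on the primary ADFS server.

$props     = Get-AdfsProperties
$signing   = Get-AdfsCertificate -CertificateType 'Token-Signing'
$primary   = $signing | Where-Object { $_.IsPrimary }
$secondary = $signing | Where-Object { -not $_.IsPrimary } | Select-Object -First 1

if ($secondary) {
    # Step 2 has already happened: the promotion clock started when the secondary was
    # created. For an ADFS-generated self-signed certificate that is its NotBefore
    # (assumption; compare with the Effective Date column in the ADFS console).
    $generated = $secondary.Certificate.NotBefore
} else {
    # Step 1: generation happens CertificateGenerationThreshold days before expiry
    $generated = $primary.Certificate.NotAfter.AddDays(-1 * $props.CertificateGenerationThreshold)
}

# Step 3: promotion CertificatePromotionThreshold days after generation, but only when the
# next management cycle runs, and that cycle runs every CertificateRolloverInterval minutes.
# So the primary can change, and CRM can break, anywhere inside this window.
$promoteEarliest = $generated.AddDays($props.CertificatePromotionThreshold)
$promoteLatest   = $promoteEarliest.AddMinutes($props.CertificateRolloverInterval)

if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is off: nothing is generated or promoted automatically'
}

New-Object PSObject -Property @{
    PrimaryThumbprint  = $primary.Thumbprint
    PrimaryExpires     = $primary.Certificate.NotAfter
    SecondaryPresent   = [bool]$secondary
    NewCertsGenerated  = $generated
    PromotedNoEarlier  = $promoteEarliest
    PromotedNoLater    = $promoteLatest
    DaysUntilPromotion = [math]::Round(($promoteEarliest - (Get-Date)).TotalDays, 1)
}
```

With the default values and a primary expiring on 2/12/2015, NewCertsGenerated comes out as 1/23/2015 and PromotedNoEarlier as 1/28/2015, which is the same arithmetic as the screenshot example below; PromotedNoLater is the extra half day (720 minutes) you need to allow for the management cycle itself.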

As you can see, knowing these values can greatly help in planning for certificate rollover. Here is an example:

In the screenshot below, we can see our primary certificates expire on 2/12/2015 and ADFS has already created new certificates to rollover. The new (secondary) certificates were created 20 days prior to the expiration of the primary certificates (1/23/2015). On 1/28/2015, 5 days after the creation of the new certificates, ADFS will change them to primaries.

adfscert

 

In the above example, you know your deadline is 1/28/2015. Rather than sitting back and waiting until CRM goes down, plan a short outage after hours and roll the certificates over manually! You can force ADFS to generate new certificates and promote them to primaries immediately using the following command in PowerShell:

adfs3
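Here is the forced rollover as an added example (not from the original post), wrapped with a before-and-after check of the primary thumbprints so you can confirm it actually happened before touching CRM. It assumes the AD FS cmdlets are loaded (ADFS 2.0: Add-PSSnapin Microsoft.ADFS.PowerShell first) and that it runs elevated on the primary ADFS server; the helper function name is mine.

```powershell
# Added example, not from the original post. Forces ADFS to generate new Token-Signing
# and Token-Decrypting certificates and promote them to primary in one step, then shows
# which thumbprints changed. Run in an elevated PowerShell on the primary ADFS server
# during the planned outage: CRM stops accepting tokens the moment the primary changes.
# Assumes the AD FS cmdlets are loaded (ADFS 2.0: Add-PSSnapin Microsoft.ADFS.PowerShell).

if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    # Update-AdfsCertificate only manages certificates that ADFS generates itself
    throw 'AutoCertificateRollover is disabled; replace the certificates manually instead'
}

function Get-PrimaryThumbprints {
    # Hashtable of CertificateType -> thumbprint for the current primaries
    $result = @{}
    Get-AdfsCertificate | Where-Object { $_.IsPrimary } | ForEach-Object {
        $result["$($_.CertificateType)"] = $_.Thumbprint
    }
    return $result
}

$before = Get-PrimaryThumbprints

# -Urgent = generate AND promote now, instead of waiting CertificatePromotionThreshold days
Update-AdfsCertificate -Urgent

$after = Get-PrimaryThumbprints

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    if ($before[$type] -eq $after[$type]) {
        Write-Warning "$type primary did not change: $($after[$type])"
    } else {
        Write-Output "$type primary rolled from $($before[$type]) to $($after[$type])"
    }
}

# CRM still holds the old thumbprints: re-run the Claims and IFD wizards in
# Deployment Manager on the CRM server, then IISRESET there, before users return.
```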

 

Once the new certificates are in place in ADFS, re-run the Claims and IFD Wizards in the CRM Deployment Manager to update the metadata and issue an IISReset on the CRM server(s). Voila! Happy CRM users!

Of course, given the properties we have at our disposal, there is more you can do to make life easier. For example, set CertificateDuration to 1095 days (three years) rather than 365 (one year) so this happens less often; keep in mind that the new duration applies only to certificates ADFS generates from then on, and that a longer-lived token-signing key also stays usable for longer if it is ever stolen. Another idea is to lower CertificateGenerationThreshold so the actual rollover date sits closer to the true expiration of the certificate (keep CertificatePromotionThreshold below it, or the old certificate expires before the new one is promoted). Or just turn off AutoCertificateRollover altogether, set a reminder, and take care of it all manually before expiration!
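The tuning above, as an added example (not from the original post) that sanity-checks the thresholds against the rollover interval before committing them with Set-AdfsProperties. The example values (1095/10/3) are suggestions, not defaults; it assumes the AD FS cmdlets are loaded.

```powershell
# Added example, not from the original post. Applies the tuning suggested above and
# sanity-checks the values before committing them. Assumes the AD FS cmdlets are loaded.
# CertificateDuration only affects certificates generated from now on; the certificates
# already installed keep their current expiry dates.

$desired = @{
    CertificateDuration            = 1095   # three years per generated certificate
    CertificateGenerationThreshold = 10     # generate 10 days before expiry (default 20)
    CertificatePromotionThreshold  = 3      # promote 3 days after generation (default 5)
}

# Promotion must finish before the old primary expires, with slack for the management
# cycle (CertificateRolloverInterval is in minutes), or ADFS would be signing with an
# expired certificate.
$slackDays = (Get-AdfsProperties).CertificateRolloverInterval / 1440
if ($desired.CertificatePromotionThreshold + $slackDays -ge $desired.CertificateGenerationThreshold) {
    throw "PromotionThreshold ($($desired.CertificatePromotionThreshold)) plus $slackDays day(s) of slack must stay below GenerationThreshold ($($desired.CertificateGenerationThreshold))"
}

Set-AdfsProperties -CertificateDuration            $desired.CertificateDuration `
                   -CertificateGenerationThreshold $desired.CertificateGenerationThreshold `
                   -CertificatePromotionThreshold  $desired.CertificatePromotionThreshold

# Read back and confirm
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateDuration,
    CertificateGenerationThreshold, CertificatePromotionThreshold, CertificateRolloverInterval

# Or opt out of the automation entirely and own the calendar reminder:
# Set-AdfsProperties -AutoCertificateRollover $false
```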

Another great post from my team at www.Tribridge.com

 


Join me at CRMUG Summit in Reno NV October 13-16


Join me at the CRMUG Summit in Reno, NV. This is the premier Dynamics CRM event of the year. Don’t miss out; it’s not too late to register below.

renosummit

 

More details..

http://www.crmugsummit.com/home

Here’s my preliminary schedule. Please refer to the website!

Monday, October 12

8:00pm-10:00pm @ Peppermill – Terrace Lounge Chapter Leader Bash

Tuesday, October 13

2:00pm-4:30pm @ Atlantis: Paradise D & E Volunteer Immersion at CRMUG Summit
5:00pm-8:00pm @ Hall 2 Welcoming Expo Reception

Wednesday, October 14

7:00am-8:00am @ Hall 1 Breakfast – Jump Into a Great Day
9:15am-9:45am @ Ballroom Lobby Networking Break
9:45am-10:45am @ D2 Getting Ready to Pull the CRM Trigger
11:15am-12:25pm @ C4 CRMUG Opening General Session – Microsoft Keynote
1:30pm-2:30pm @ D4 The CRM Superhero’s Tips, Tricks, and Toolbox
1:30pm-2:30pm @ D2 Scouting & Preparing as CRM GameDay Draws Near
2:30pm-3:00pm @ Ballroom Lobby Networking Break
4:00pm-4:30pm @ Ballroom Lobby Networking Break
4:30pm-6:00pm @ D2 ADFS & Upgrading with a Mobile State of Mind
6:00pm-8:00pm @ Hall 2 Expo Reception

Tribridge Customer Party – Invitation Only 7pm on..

Please contact me if you’re a customer or prospect and did not receive an invitation.

Thursday, October 15

7:00am-8:00am @ Hall 1 Breakfast – Jump Into a Great Day
8:00am-9:00am @ D2 Getting that CRM Upgrade to Purr Like a Kitten
9:00am-9:30am @ Ballroom Lobby Networking Break
10:30am-11:00am @ Ballroom Lobby Networking Break
11:00am-12:00pm @ C4 CRMUG General Community Session
12:00pm-2:00pm @ Halls 1 & 2 Networking Lunch and Expo
2:00pm-3:00pm @ D7 Going OnPremise to CRM Online
2:00pm-3:00pm @ C1 Take It to the Next Level with End User Experience Upgrades in CRM 2015
3:00pm-3:15pm @ Ballroom Lobby Networking Break
3:15pm-4:15pm @ D4 Ask the MVPs: Admin-Foundation Edition
3:15pm-4:15pm @ D7 Ask the Experts – User Adoption Edition: Enterprise CRM Strategies and Pitfalls to Avoid
4:15pm-4:45pm @ Ballroom Lobby Networking Break
4:45pm-5:45pm @ D2 Dissecting Multifaceted CRM Upgrades

Friday, October 16 – CANCELLED

8:00am-9:15am @ D2 Deployment Method of Choice – CANCELLED

 

 


Join me at CRMUG Summit 2014!


summit

 

 

 

 

It’s that time of year again, when the whole CRM user base gets together for the biggest CRM user group event of the year. CRMUG Summit is a great place to learn, network and do all things CRM! Some details on the event can be found here.

If you’re attending, see my schedule below. Stop by to ask a question or just say hello!

Dynamics Partner Conference Oct 13-14

DynamicsPartnerConfernence

CRMUG Summit 2014 October 15-17
cmrug

Please note the 2:15 session has been moved to 8am that morning, giving you plenty of time to catch your flights.

I will be at both the MVP sessions.
mvp

mvp1


Microsoft Convergence 2013: ADFS Presentation


Please find my latest presentation on ADFS from Microsoft Convergence 2013. This presentation includes topics like SSL Certificates, DNS Entries, Firewall, Common Deployments, ADFS Proxy Servers, IFD, ADFS Installation, Tips and Tricks, Troubleshooting and ADFS Errors.

Please note the ADFS central link is not yet live on this site. This is the e-book I’m creating for ADFS installations. Stay tuned.

Download: ADFS Best Practices Presentation


CRM 2011: ADFS Service Federated Metadata Error – Keyset does not exist


Reviewing a client’s ADFS configuration, I found an unusual error message in the ADFS service federation metadata saying “Keyset does not exist”.

After searching for all the usual culprits, this turned out to be one of the most commonly forgotten issues: the ADFS service account had not been given access to the private key of the certificate.

This can be fixed by opening the MMC and adding the Certificates snap-in. Make sure you add it for the Computer account. Once the Certificates MMC is launched, find the certificate in the Personal certificate store, right-click it, and choose All Tasks, Manage Private Keys.

You can now add the service account and grant it Read permission on the private key, which is all ADFS needs to sign and decrypt tokens.

You will need to do this both on the CRM and ADFS Servers (any server using your certificate for CRM).
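The same permission grant from PowerShell, as an added example (not from the original post), useful when you have several servers to fix. It first shows the current ACL of the key file, which is the quickest way to confirm this really is the “Keyset does not exist” cause. Assumptions: the certificate is in the machine Personal store and was issued to a legacy CSP (RSA) key container, as ADFS 2.0-era certificates were; the thumbprint and the account CONTOSO\svc_adfs are placeholders to replace.

```powershell
# Added example, not from the original post: grants the ADFS service account Read on a
# certificate's private key, which is what the "Manage Private Keys" dialog does, after
# showing the current ACL. Assumptions: certificate in the machine Personal store with a
# legacy CSP (RSA) key; thumbprint and account name are placeholders.
param(
    [string]$Thumbprint     = 'REPLACE-WITH-CERT-THUMBPRINT',
    [string]$ServiceAccount = 'CONTOSO\svc_adfs'
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }

$rsa = $cert.PrivateKey
if (-not $rsa -or -not $rsa.CspKeyContainerInfo) {
    throw 'Private key is not a CSP key (CNG keys live elsewhere); use the MMC dialog instead'
}

# A CSP machine key is a file under MachineKeys named after its unique container name
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                     $rsa.CspKeyContainerInfo.UniqueKeyContainerName

# Current ACL: if the service account is missing here, ADFS reports "Keyset does not exist"
(Get-Acl $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType

# Read is enough to sign and decrypt tokens; do not hand out Full Control
$acl  = Get-Acl $keyFile
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $ServiceAccount, 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Repeat on every server that uses this certificate (ADFS and CRM), then restart ADFS
Restart-Service -Name adfssrv
```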


CRM 2011: ADFS SSL Certifcate Expiration (Auto-Rollover) and CRM is now down.


CRM 2011 with ADFS comes with a unique feature: Auto-Rollover of the token-signing and token-decrypting certificates when they expire. (The SSL certificate is separate; you must load the new SSL certificate on the box yourself before it expires.) We are finding out this might not be as automatic as once thought: CRM still has to be told about the new certificates.

If your ADFS console looks like the following and your CRM is not working the steps are listed below:

 

 

From the CRM Deployment Manager, run through the configuration wizards for both Claims Based Authentication and Internet Facing Deployment (IFD). They are located at the top right of the Deployment Manager. You just need to click Next through each again; all the values will be there from your existing setup. Next, restart IIS on the CRM server (iisreset from an administrator command prompt), as shown below:

 

 

Next, on the ADFS server, locate the AD FS Windows Service in Services and restart it, then issue an iisreset there as above. You may also restart the service from the command line:
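The restart plus the check I would add before declaring victory, as an added example (not from the original post): after restarting the service it downloads the federation metadata ADFS publishes and prints the Token-Signing certificate(s) it now advertises, so you can compare the thumbprint with what the Claims wizard picked up. Assumptions: it runs on the ADFS server, the federation service name adfs.contoso.com is a placeholder, and the Windows service is adfssrv.

```powershell
# Added example, not from the original post: restarts the ADFS service, then reads the
# federation metadata ADFS publishes and prints the Token-Signing certificate(s) it now
# advertises, so you can confirm the Claims/IFD wizards picked up the same thumbprint.
# Assumptions: run on the ADFS server; adfs.contoso.com is a placeholder; service name adfssrv.
param([string]$FederationService = 'adfs.contoso.com')

Restart-Service -Name adfssrv

$url = "https://$FederationService/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (New-Object System.Net.WebClient).DownloadString($url)

# KeyDescriptor use="signing" under IDPSSODescriptor carries the Token-Signing
# certificate(s): the primary and, during a rollover, the pending secondary as well.
$metadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList (,$raw)
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
        }
    }

# If none of these thumbprints is the one the Claims wizard shows, re-run the wizards
# and IISRESET on the CRM server.
```

Note that WebClient validates the HTTPS certificate, so if the download itself fails with a trust error, the ADFS SSL certificate is the problem, not the token certificates.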

 

 

 

Now you should be able to successfully use your CRM system again. Enjoy!

Please see my other post about enabling auto-rollover:

http://cognettacloud.com/?p=464

 

 


CRM 2011: ADFS certificate expiration – Yellow Warning Triangle in ADFS Management Console


ADFS uses standard SSL certificates to secure its communications. SSL certificates are not static and often change on a yearly basis. Replacing one causes the warning condition in the ADFS management console seen below:

Once you open the ADFS management console, under the relying party trust you will see:

 

 

 

 

Once you replace the certificate in the MMC or IIS Manager, the message will still be displayed even after restarting the ADFS service, because ADFS caches the certificate information. Using PowerShell, you can refresh that cache by entering the following commands:
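The commands from the screenshot are not reproduced on this page, so here is an added example (not from the original post) covering the two refreshes that address this symptom: re-reading the relying party trust from its federation metadata, which is where the trust’s cached certificates come from, and, if the certificate that expired was the ADFS SSL certificate itself, pointing the Service-Communications certificate at the replacement. The trust name CRM IFD and the thumbprint parameter are assumptions; ADFS 2.0 needs Add-PSSnapin Microsoft.ADFS.PowerShell first.

```powershell
# Added example, not from the original post: refreshes the certificates ADFS has cached for
# a relying party trust from that party's federation metadata and, if the certificate that
# expired was the ADFS SSL certificate itself, re-points the Service-Communications
# certificate at the replacement, then restarts the service.
# Assumptions: trust named 'CRM IFD'; $NewSslThumbprint is the replacement SSL certificate's
# thumbprint (leave empty if only the relying party's certificate changed).
param(
    [string]$RelyingPartyName = 'CRM IFD',
    [string]$NewSslThumbprint = ''
)

$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "No relying party trust named '$RelyingPartyName'" }

# What the trust currently has cached, with expiry dates: an expired entry here is the triangle
@($rp.EncryptionCertificate) + @($rp.RequestSigningCertificate) |
    Where-Object { $_ } |
    Select-Object Subject, Thumbprint, NotAfter

if ($rp.MetadataUrl) {
    # Re-read the relying party's metadata so the cached certificates follow the new ones
    Update-AdfsRelyingPartyTrust -TargetName $RelyingPartyName
} else {
    Write-Warning 'Trust has no MetadataUrl (configured manually); update its certificates in the console'
}

if ($NewSslThumbprint) {
    # The certificate ADFS presents for HTTPS; the IIS binding (ADFS 2.0) is changed separately
    Set-AdfsCertificate -CertificateType 'Service-Communications' -Thumbprint $NewSslThumbprint
}

Restart-Service -Name adfssrv
```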

 

 

 

 

A great blog post from Rhys Goodwin about troubleshooting ADFS issues:

http://blog.rhysgoodwin.com/windows-admin/adfs-2-0-in-a-forest-trust-environment/


Using CRM 4 with Required Client Side Certificates?


We could not find a document or knowledge base article covering a CRM 4.0 customer who had installed and was using client-side certificates with the REQUIRED flag checked.

It turns out that while you can set up IIS to accept client-side certificates, selecting the REQUIRED option breaks the following CRM functionality:

  • Configuring the Outlook client
  • The Load Data function in the E-mail Router Configuration Wizard
  • Async Service processing of system jobs
  • Registering plug-ins

This has been confirmed by Microsoft Support and is not specific to CRM; it applies to any application that depends on calling web services. The only option is to not set the REQUIRED flag, which defeats the purpose of required certificates.

 


CRM 2011: Reinstallation of ADFS fails after installation removal.


When installing ADFS to support your CRM 2011 IFD installation, if you hit any errors or stop the install, it leaves applications behind under the Default Web Site that must be deleted before you can reinstall.

You can run this from an administrator command prompt (appcmd lives in %windir%\system32\inetsrv and is not on the PATH by default):

%windir%\system32\inetsrv\appcmd delete app "Default Web Site/adfs/ls"

This deletes the leftover application, not the Default Web Site itself. You can also view the application pool in IIS Manager to see all applications still associated with it, as shown:
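A version that lists before it deletes, as an added example (not from the original post): it asks appcmd for every application, keeps those under /adfs on the Default Web Site, removes them, and then lists what remains so you can confirm the application pool is empty before retrying the install. Run it elevated on the ADFS server; the /adfs prefix is an assumption based on the path above.

```powershell
# Added example, not from the original post. Lists the applications a failed ADFS 2.0
# install left under the Default Web Site and removes them with appcmd, then shows what
# is left. Run elevated on the ADFS server. The /adfs prefix is an assumption.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# appcmd prints lines like:  APP "Default Web Site/adfs/ls" (applicationPool:ADFSAppPool)
$leftovers = & $appcmd list app |
    ForEach-Object { if ($_ -match '^APP "([^"]+)"') { $Matches[1] } } |
    Where-Object { $_ -like 'Default Web Site/adfs*' }

if (-not $leftovers) {
    Write-Output 'Nothing to clean up under Default Web Site/adfs'
    return
}

foreach ($app in $leftovers) {
    Write-Output "Deleting application $app"
    & $appcmd delete app "$app"
}

# Confirm: the remaining applications and the pools they belong to
& $appcmd list app
```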


CRM 2011 ADFS/IFD Installation Tip: Using the BackConnectionHostNames Registry Key


During the CRM 2011 installation process for ADFS/IFD, you will notice issues when an external name does not match the internal domain name (crm.microsoft.com vs. crm.go.local), especially when using SSL certificates. This can take hours of tracing and troubleshooting before you realize it is caused by the loopback check introduced with Windows Server 2003 SP1, which rejects authentication to a site on the local machine under a name other than the computer’s own.

The solution is to add the BackConnectionHostNames value to the registry, containing the DNS names, most likely your ADFS and internal CRM web server FQDNs (fully qualified domain names, e.g. xxxx.companyname.com).

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the host name or host names (Adfs.companyname.com, the external address for the ADFS system) for the sites that are on the local computer, and then click OK.
  7. Quit Registry Editor, and then restart the IIS Admin service, for example with iisreset from an administrator command prompt.

http://support.microsoft.com/kb/896861
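The same registry change from PowerShell, as an added example (not from the original post). It merges the new names into any BackConnectionHostNames entries already present instead of overwriting them, which matters when another product on the box has already added its own. This is KB896861’s method 1; the KB’s method 2, DisableLoopbackCheck=1, switches the protection off for every name and is best avoided. The host names are placeholders.

```powershell
# Added example, not from the original post. Adds host names to BackConnectionHostNames
# (KB896861 method 1) without clobbering names already there, then restarts IIS.
# Keeps the loopback check itself enabled. Host names below are placeholders.
param(
    [string[]]$HostNames = @('adfs.companyname.com', 'internalcrm.companyname.com')
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$name = 'BackConnectionHostNames'

# Existing entries, if the value is already there
$existing = @()
$current  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($current) { $existing = @($current.$name) }

# Merge, case-insensitively; the value is a REG_MULTI_SZ with one host name per entry
$merged = @($existing + $HostNames | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)

if ($current) {
    Set-ItemProperty -Path $key -Name $name -Value $merged
} else {
    New-ItemProperty -Path $key -Name $name -PropertyType MultiString -Value $merged | Out-Null
}

# Read back what is now configured
Get-ItemProperty -Path $key -Name $name | Select-Object -ExpandProperty $name

# Restart IIS as the KB does after the change
iisreset
```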