Configuring ADFS With Custom Token Signing/Decryption Certificates Fails

Published on Tuesday, April 10, 2012

I’m currently setting up a new ADFS infrastructure, and one of the things I’m still struggling with is the Token Signing/Decryption certificates. From TechNet (Certificate Requirements for Federation Servers) I read that it’s recommended to use certificates from your own CA. You can go to a third party, but this would cost you more. You could use the same certificate as used for the ADFS web services, but that’s against best practices. You could also stick with self-signed certificates and thus benefit from the automatic certificate rollover feature ADFS offers (TechNet Wiki: AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates), but if I’m correct, when rollover occurs you still have some work updating the Relying Party trusts if these don’t support automated Federation Metadata updates through the ADFS metadata URL. As this probably remains a manual task for certain RPs, I’d rather stick to proper certificates anyway. So here comes the customer’s Certificate Authority to the rescue!

When installing ADFS using a SQL database to store the configuration, you have to use the fsconfig.exe command line tool. Paul Williams made a nice write-up regarding the parameters for this utility: Deploying a federation server with a SQL database.

This command actually seems pretty easy:

fsconfig createsqlfarm /serviceaccount DOMAIN\S_ADFS /sqlconnectionstring "database=ADFSConfiguration;server=SQLSRV\SQLInstance;integrated security=sspi" /cleanconfig /signingcertthumbprint "fd fd fd 10 55 0b df 63 3b 56 65 2b e1 c7 97 bf 6e 83 fc 1b" /decryptcertthumbprint "77 77 77 c3 8b cb bd bc 5b a0 3a 9d 5d af 8c 57 08 f9 ce 91"

Now this command is supposed to check the default website in IIS for the certificate bound to port 443 and it should extract the subject of the certificate (sts.customer.com) and use that for the ADFS Server URL. So obviously IIS has to be properly configured for HTTPS first. Here’s the error I received:


In words: The following error occurred: The Federation Service name that was determined from the Subject field of the specified certificate is not a valid DNS name. Specify a certificate with a valid Subject name for the Federation Service DNS name, and then try again.

Some remarks:

  • My certificate was based upon a web server template, and was requested from within IIS 7.5 MMC, specifying sts.customer.com as subject
  • Changing the thumbprints to a format without spaces didn’t help for this issue
  • Originally I specified another name for the database, e.g. ADFS_Test_Configuration; the utility happily ignored this and created ADFSConfiguration & ADFSArtifactStore nevertheless…
  • I tried adding a SAN attribute to the ADFS Web certificate, with the subject (sts.customer.com) as value, didn’t help for the issue
  • I tried specifying the certificate thumbprint for the ADFS Web Certificate, I tried specifying the name to be used for the ADFS Service URL, and I tried combining both parameters in the command. All failed…

At some point, after googling a bit, I found this similar case: TechNet FSConfig Errors. No answer though… So I decided to leave out /signingcertthumbprint and /decryptcertthumbprint and just use /autocertrolloverenabled instead. This would still configure ADFS to use SQL, and it would still extract the subject from the ADFS Web Certificate. Guess what, now it was able to do that… So I ended up using the ADFS PowerShell cmdlets to get my custom certificates in place, as I had tried to do with the fsconfig utility. Here’s what I did:

  1. Disable automatic certificate rollover
  2. Add my custom Token Signing\Decryption certificates
  3. Set them as primary
  4. Remove the self-signed ones
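The four steps above, written out as the ADFS 2.0 cmdlets they correspond to. This is an added example and not the script from the original post; it assumes the ADFS 2.0 PowerShell snap-in is available on the federation server and that the two thumbprint values are replaced with your own (they are placeholders here, shown in the space-free form the cmdlets expect).

```powershell
# Added example, not the post author's script. Thumbprints below are placeholders;
# list the real ones (already without spaces) with: Get-ChildItem Cert:\LocalMachine\My
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$signingThumbprint = 'FDFDFD10550BDF633B56652BE1C797BF6E83FC1B'   # placeholder
$decryptThumbprint = '777777C38BCBBDBC5BA03A9D5DAF8C5708F9CE91'   # placeholder

# 1. Disable automatic certificate rollover; ADFS refuses manual certificate
#    changes while rollover is on.
Set-ADFSProperties -AutoCertificateRollover $false

# 2. Add the custom Token-Signing and Token-Decrypting certificates
Add-ADFSCertificate -CertificateType Token-Signing    -Thumbprint $signingThumbprint
Add-ADFSCertificate -CertificateType Token-Decrypting -Thumbprint $decryptThumbprint

# 3. Make them primary
Set-ADFSCertificate -CertificateType Token-Signing    -Thumbprint $signingThumbprint -IsPrimary
Set-ADFSCertificate -CertificateType Token-Decrypting -Thumbprint $decryptThumbprint -IsPrimary

# 4. Remove the self-signed ones: after step 3 they are the non-primary entries
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-ADFSCertificate -CertificateType $type |
        Where-Object { -not $_.IsPrimary } |
        ForEach-Object { Remove-ADFSCertificate -CertificateType $type -Thumbprint $_.Thumbprint }
}

# The service loads its certificates at startup, so restart it and verify
Restart-Service adfssrv
Get-ADFSCertificate | Format-Table CertificateType, IsPrimary, Thumbprint -AutoSize
```

Two things worth checking before running this: the ADFS service account needs Read permission on the private keys of both new certificates, and once the primary certificates change, every Relying Party that does not consume your Federation Metadata automatically has to be given the new public keys, which is exactly the manual work mentioned at the top of the post.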

It would be great if anyone could provide me feedback as to whether I’m doing something wrong, missing a prerequisite, or if this is just a bug.


3 Responses to Configuring ADFS With Custom Token Signing/Decryption Certificates Fails

14 August, 2012 00:28

I was able to execute the command successfully after I re-created my signing and decrypting certificates. The problem with my original signing and decrypting certificates was that I had specified 'ADFS Signing' and 'ADFS Decrypt' as CN names... When I created new certificates with a valid DNS name (like adfs.company.com) and then used the friendly name field to specify the 'ADFS Signing' and 'ADFS Decrypt' values to see which one is signing and which one is decrypt, then the command was OK and my ADFS was configured with the correct certificates...
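A quick way to test the condition this comment describes before running fsconfig again: read each candidate certificate's subject CN from the local machine store and check whether it is a DNS host name, while also showing the friendly name that the commenter uses to tell the signing and decrypting certificates apart. This is an added check, not code from the post or the comment; the thumbprints are placeholders to replace with your own.

```powershell
# Added check, not from the post or its comments. Thumbprints are placeholders.
$thumbprints = 'FDFDFD10550BDF633B56652BE1C797BF6E83FC1B',
               '777777C38BCBBDBC5BA03A9D5DAF8C5708F9CE91'

foreach ($tp in $thumbprints) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { Write-Warning "$tp not found in LocalMachine\My"; continue }

    # Subject CN as a bare string, e.g. 'sts.customer.com' or 'ADFS Signing'
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # 'ADFS Signing' (contains a space) is reported as Unknown, not Dns
    $isDns = [System.Uri]::CheckHostName($cn) -eq [System.UriHostNameType]::Dns

    [pscustomobject]@{
        Thumbprint    = $tp
        SubjectCN     = $cn
        FriendlyName  = $cert.FriendlyName
        ValidDnsName  = $isDns
        HasPrivateKey = $cert.HasPrivateKey
    }
}
```

A row with ValidDnsName set to False is a certificate that fsconfig will reject with the "not a valid DNS name" error quoted in the post; HasPrivateKey is included because a certificate imported without its private key fails later, when the service tries to sign or decrypt.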

02 September, 2012 17:16

Thanks for the addition! Next time I have to do an installation I'll be sure to give it a try

04 November, 2013 12:13

Thanks for the update, that solved my problem. Had also named my certs "ADFS Signing" and "ADFS Decrypt".
