ADFS Claims Trust Provider with expired certificate

0
votes

Hi I have multiple IDPs registered under our ADFS Claims Trust Provider. One of the IDP's federation metadata has expired certificate. Corresponding party has successful integration (with expired certificate) with other 3rd party Service Provider (non MS platform). So basically I was told to integrate this IDP with expired certificate under our ADFS SP. Now every time when User from this IDP logs in and try to get redirected via ADFS we get following error in event log.

An error occurred during an attempt to build the certificate chain for the claims provider trust 'https://xyz.com/opensso' certificate identified by thumbprint 'D13412341231312312311231313123'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period.

You can use Windows PowerShell commands for AD FS to configure the revocation settings for the claims provider trust's signing certificate. Claims provider trust's signing certificate revocation settings: None The following errors occurred while building the certificate chain:
MSIS2013: A required certificate is not within its validity period when verifying against the current system clock.

User Action: Ensure that the claims provider trust's signing certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).

I already tried following cmdlets but no success so far. Set-ADFSClaimsProviderTrust -TargetName "ABC Test" -SigningCertificateRevocationCheck "None" Set-ADFSClaimsProviderTrust -TargetName "ABC Test" -EncryptionCertificateRevocationCheck "None"

We are using ADFS 3.0 in farm setup. Is it really possible to use Claims Identity Provider with expired certificate?

Thanks

1
certificateprovideradfsclaims

1 Answers

1
votes

No - it's not.

All based on trust and if the certificate has expired so has the trust.

The commands that you are running are simply telling ADFS not to verify the validity of the certificate in terms of the CA signing authority.

There is no command to unexpire a certificate - you need to get a new, valid one.

And that's the way it should it should be from a security PoV.