Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADFS Certificate issue

Last post 07-14-2008, 7:09 AM by spierleoni. 5 replies.
  •  06-12-2008, 3:40 AM 3881

    ADFS Certificate issue

    Hi,

    I’ve got a weird one here. I’ve configured a working ADFS B2B test environment and recently I replaced the account partner token signing cert on the resource ADFS server with a new one and deleted the old one. Everything continues to work with the new token signing cert; however, as soon as I load the ADFS mmc snap-in on the resource server the old token signing cert, the one I deleted, reappears in the certificate store (under the Federation node) and my federation environment stops working. See error below. I then have to delete the old certificate again and run an IISRESET to get things working again using the new token signing cert, until I load the ADFS mmc again of course!!

    Has anyone seen this issue before?

    Thanks

    Stef

    ------------------------------------------------------------------------------

    Event error:

    Event Type:        Failure Audit
    Event Source:      ADFS Federation Service Auditor
    Event Category:    Object Access
    Event ID:          501
    Date:              12/06/2008
    Time:              09:06:30
    User:              NT AUTHORITY\NETWORK SERVICE
    Computer:          UKAAABBBCCC01
    Description:
    Transaction ID: {865f335c-1a8f-4c1d-b705-c5d382f73e50}

    A token request was received through the Federation Service Proxy. The request for target 'https://external2.smallcomp.co.uk/' was denied, and no tokens were issued. The request was denied because the inbound evidence could not be verified.
    Target URI: https://external2.smallcomp.co.uk/
    Proxy certificate thumbprint: 7121AFED444E45375A8F43A6F842FE9F61D49BDA

    No resource token was issued.

    No logon accelerator token was issued.

    The client did not present a logon accelerator token as evidence.

    The client presented an invalid inbound token as evidence. The token referenced an X509 certificate whose certificate chain could not be verified.
    Token issuer: urn:federation:bigcomp
    Thumbprint: 7FB162052A762EEC3FAE571E0780E2638BD793A2
    Error code: 2148081683

  •  06-12-2008, 8:22 AM 3885 in reply to 3881

    Re: ADFS Certificate issue

    I'm guessing, but perhaps this has something to do with the way you can export the policy and use it to connect to a partner.

    Try updating the cert, then re-exporting the policy, then setting up the partner with it again.

    The only reason I mention this is because I think the export has the token signing cert in it, or at least some info about it.  One of the experts should know for sure.

  •  06-12-2008, 8:07 PM 3900 in reply to 3881

    Re: ADFS Certificate issue

    This issue was raised internally today and I suspect it is the same. 

    The question is how is the certificate being changed?  If you are deleting it via the Federation Node of the certificate store, then this is the problem.  Certificate changes should be done via ADFS.MSC only.

    If this is not the case, please post the exact steps you are taking when changing the certificate.

  •  06-13-2008, 1:44 AM 3910 in reply to 3900

    Re: ADFS Certificate issue

    Yes, from memory I think I deleted the cert directly out of the certificate store and not using the ADFS.mmc.

    Is there a way I can rectify the problem without re-creating the account partner?

  •  06-13-2008, 7:39 AM 3912 in reply to 3881

    Re: ADFS Certificate issue

    If the account partner changes their token signing certificate, then on the resource FS go to the properties of the account partner/verification certificates tab and add the new certificate there.

  •  07-14-2008, 7:09 AM 4161 in reply to 3912

    Re: ADFS Certificate issue

    Hi Jim,

    Just wanted to follow up on this posting. I’ve tried installing the new account partner cert using the ADFS console however the old cert still reappears (in the certificate mmc, federation node) every time I launch the ADFS console. I've tried deleting and re-importing the account trust policy file, but this doesn’t resolve the issue. Is there a way I can manually remove the old certificate from the account trust policy on the resource federation server?
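The thread ends with two open diagnostic questions: which verification certificates the resource server's trust policy actually still references, and why the chain for the account partner's signing certificate fails to verify. The PowerShell below is an added example, not code from this thread or from ADFS; it is a read-only diagnostic. It makes no assumption about the trust policy XML schema (every text node is tried as a base64 DER certificate), but the policy file path is a placeholder you must replace, and the thumbprint it flags is the one printed in the audit event above. It also converts the decimal "Error code" from the event into the hex HRESULT form used in winerror.h: 2148081683 is 0x80092013, which winerror.h names CRYPT_E_REVOCATION_OFFLINE, i.e. the chain build failed because a revocation (CRL/OCSP) endpoint for the issuer's chain could not be reached, which is a different fix from a missing or stale certificate. The chain test therefore runs once without revocation checking and once with online checking so the two causes can be told apart.

```powershell
# Added diagnostic example (not from the thread). Read-only: lists certificates
# embedded in a trust policy XML file, checks each chain with and without online
# revocation checking, and decodes the audit event's decimal error code.
# ASSUMPTIONS: $PolicyPath is a placeholder; the XML schema is not assumed.

function Convert-DecimalErrorToHResult {
    param([Parameter(Mandatory = $true)][uint32]$DecimalCode)
    # ADFS audit events print the HRESULT as an unsigned decimal; winerror.h lists it in hex.
    return ('0x{0:X8}' -f $DecimalCode)
}

function Get-EmbeddedCertificates {
    param([Parameter(Mandatory = $true)][string]$PolicyPath)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path $PolicyPath).Path)
    $found = @()
    foreach ($node in $xml.SelectNodes('//text()')) {
        $text = $node.Value.Trim()
        # Anything shorter than this cannot be a base64-encoded DER certificate.
        if ($text.Length -lt 200) { continue }
        try {
            $bytes = [Convert]::FromBase64String($text)
            # Comma forces the byte array to be passed as a single constructor argument.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
            $found += [PSCustomObject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Element    = $node.ParentNode.Name   # element that holds the blob
                Cert       = $cert
            }
        } catch {
            # Not a certificate (a URI, display text, or a non-DER blob): ignore it.
        }
    }
    return $found
}

function Test-CertificateChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$OnlineRevocation
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($OnlineRevocation) {
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    } else {
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    }
    $ok = $chain.Build($Certificate)
    # ChainStatus is empty on success; otherwise it names each failure (UntrustedRoot, RevocationStatusUnknown, OfflineRevocation, ...).
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    return [PSCustomObject]@{ ChainOk = $ok; Status = $status }
}

# --- Placeholders (assumptions, not values from the poster's environment) ---
$PolicyPath     = 'C:\ADFS\TrustPolicy.xml'                   # path to the resource FS trust policy file
$EventThumbprint = '7FB162052A762EEC3FAE571E0780E2638BD793A2'  # thumbprint printed in the audit event

Write-Host ('Audit error code 2148081683 = ' + (Convert-DecimalErrorToHResult 2148081683) + ' (CRYPT_E_REVOCATION_OFFLINE)')
Write-Host ''

$embedded = Get-EmbeddedCertificates -PolicyPath $PolicyPath
Write-Host ("{0} certificate(s) embedded in {1}" -f $embedded.Count, $PolicyPath)
foreach ($entry in $embedded) {
    $noRevocation = Test-CertificateChain -Certificate $entry.Cert
    $withRevocation = Test-CertificateChain -Certificate $entry.Cert -OnlineRevocation
    $flag = if ($entry.Thumbprint -eq $EventThumbprint) { '  <-- thumbprint named in the audit event' } else { '' }
    Write-Host ("{0}  <{1}>  {2}  expires {3:yyyy-MM-dd}{4}" -f $entry.Thumbprint, $entry.Element, $entry.Subject, $entry.NotAfter, $flag)
    Write-Host ("    chain without revocation check: ok={0} {1}" -f $noRevocation.ChainOk, $noRevocation.Status)
    Write-Host ("    chain with online revocation:   ok={0} {1}" -f $withRevocation.ChainOk, $withRevocation.Status)
}
```

Reading the output: a certificate that chains cleanly without the revocation check but fails with online checking points at an unreachable CRL or OCSP endpoint from the resource federation server, which matches the HRESULT in the event; a certificate that fails both ways is genuinely untrusted (missing issuer in the machine store or wrong certificate). An entry whose thumbprint is not the one the account partner now signs with is the stale verification certificate, and the reply above is the supported way to change it: through the account partner's verification certificates tab in ADFS.MSC, not by deleting it from the certificate store.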
