Add a verification certificate to an account partner
Applies To: Windows Server 2003 R2
When a token-signing certificate is replaced on a server that is running the Federation Service component of Active Directory Federation Services (ADFS), you must export the public portion of the new token-signing certificate to a file and then add that certificate to the trust policy that is used by the federation servers that receive tokens from that Federation Service. In addition, if the Federation Service is acting in the account role, the new certificate must be added as a verification certificate on the account partner node in each respective resource partner.
After you export the public portion of the token-signing certificate, use the following procedure to add it as the verification certificate on the account node in the resource partner.
Note
To prevent downtime, do not remove the existing verification certificate until the new token-signing certificate has been added on the originating federation server. To prevent the need for re-authentication, wait 10 hours (the default lifetime for an access token) or until all access tokens have expired.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group on the local computer.
To add a verification certificate to an account partner
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, double-click Account Partners, right-click the account partner, and then click Properties.
Click the Verification Certificates tab, and then click Add.
In the Browse for Verification Certificate file dialog box, locate the certificate file that you want to add.
Select the certificate file, and then click Open.
In the Trust Policy Properties dialog box, click OK.
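The procedure above imports whatever file you select in the Browse for Verification Certificate file dialog box, so it is worth checking that file first: it must contain only the public portion of the certificate, it must be within its validity period, and its thumbprint should match the value the account partner's administrator gave you through a separate channel. The following PowerShell script is an added example, not part of the original article; the path in $CerPath, the parameter names and the script file name are assumptions, and $ExpectedThumbprint is whatever the account partner communicated out of band.

```powershell
# Added example (not part of the original article): pre-flight checks on the
# exported token-signing certificate file before it is added as a verification
# certificate on the account partner. $CerPath and $ExpectedThumbprint are
# assumptions; the thumbprint should come from the account partner's
# administrator through a channel other than the file transfer itself.
param(
    [string]$CerPath = 'C:\ADFS\accountpartner-tokensigning.cer',   # assumed location
    [string]$ExpectedThumbprint = ''                                 # optional, e.g. from a phone call or signed e-mail
)

if (-not (Test-Path $CerPath)) {
    Write-Error "Certificate file not found: $CerPath"
    exit 1
}

# X509Certificate2 can load a DER or Base64 .cer file directly from a path.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Only the public portion belongs in a verification certificate. A private key
# here means the wrong file (for example a .pfx) was exported.
if ($cert.HasPrivateKey) {
    Write-Error "File contains a private key; export only the public portion and try again."
    exit 1
}

# An expired or not-yet-valid certificate causes token verification failures
# as soon as the account partner starts signing with the new key.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) {
    Write-Error ("Certificate is outside its validity period (" + $cert.NotBefore + " to " + $cert.NotAfter + ").")
    exit 1
}

# Compare the SHA-1 thumbprint against the value exchanged out of band, ignoring
# spaces, colons and case so either display style can be pasted in.
if ($ExpectedThumbprint -ne '') {
    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($cert.Thumbprint.ToUpperInvariant() -ne $expected) {
        Write-Error "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
        exit 1
    }
}

Write-Output "Subject:     $($cert.Subject)"
Write-Output "Issuer:      $($cert.Issuer)"
Write-Output "Thumbprint:  $($cert.Thumbprint)"
Write-Output "Valid until: $($cert.NotAfter)"
Write-Output "OK: file can be added on the Verification Certificates tab."
```

Save it under a name of your choosing (for example Check-VerificationCert.ps1, a hypothetical name) and run it as `.\Check-VerificationCert.ps1 -CerPath <file> -ExpectedThumbprint <thumbprint>` before step 3 of the procedure. A non-zero exit means the file should not be added; when no thumbprint is supplied the script still rejects files that carry a private key or are outside their validity period.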
See Also
Concepts
Rolling Over a Token-signing Certificate
Add a verification certificate to the trust policy
Export the public key portion of a token-signing certificate
Remove a verification certificate