Unsolved Implementing Federated Identity Part 4 (70-414)

---

Hey, I was wondering the reasoning behind not adding a Token-Decryption Cert in the same manner the Token-Signing Cert was added? This is around 19:00 into the video.

@Brandon-Martin3,

We're weren't ignoring your question just wanted to get the information from Adam himself. Here's his reply:

"
Brandon,

I hope all is well. Great question !

Federation servers use a token-decryption certificate when a relying party federation server must decrypt tokens that are issued with an older certificate after a new certificate is set as the primary decryption certificate. Active Directory Federation Services (AD FS) uses the Secure Sockets Layer (SSL) certificate for Internet Information Services (IIS) as the default decryption certificate.

In a production environment, you would certainly need to add a Token-Decryption certificate if you had issued tokens with an older decryption certificate and then set a new one in place as the primary. In the demo, we set a primary, but have not issued any tokens using the older cert that we replace, so there was no reason to add a token-decryption certificate in as part of the walkthrough.

=============================================================================

You can use the following procedure to add the token-decrypting certificate to the AD FS Management snap-in from a file that you have exported.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure.

To add a token-decrypting certificate

On the Start screen, typeAD FS Management, and then press ENTER.
In the console tree, double-click Service, and then click Certificates.
In the Actions pane, click the Add Token-Decrypting Certificate link.
In the Browse for Certificate file dialog box, navigate to the certificate file that you want to add, select the certificate file, and then click Open. ``