If you receive the following error when trying to use single sign-on with Office 365, your token signing certificate may have expired.
“There was a problem accessing the site. Try to browse the site again.”
Microsoft warns that this will happen:
“The token signing certificate expires every year: By default, AD FS 2.0 generates a new token signing certificate, which is a self-signed certificate, 20 days before the certificate expires each year. Certificate rollover, or generating a new certificate when the existing certificate is about to expire and then promoting it to the primary certificate, applies only to self-signed certificates that are generated by AD FS 2.0.”
“You can configure when AD FS 2.0 generates the new token signing certificate. When the certificate rollover time comes, AD FS 2.0 generates a new certificate with the same name as the expiring certificate but with a different private key and thumbprint. Once a new certificate is generated, it will remain as a secondary certificate for five days before being promoted as the primary certificate. Five days is the default period, but this is configurable.”
In my case, our certificate was set to expire on 3/21/2012, and the 20 day mark would have been on 3/1/2012. Our single-sign on stopped working around that time.
I checked the ADFS Admin event log and sure enough, there was event ID 358 on 3/1/2012 indicating that there was a change detected in the certificates: “Requests that are served by endpoints of this service host may fail during restart.”
Also, Event ID 335 stated:
“MSIS10005: Certificate rollover service has added certificate with thumbprint xx to ‘Encryption’ certificate collection.”
“MSIS10005: Certificate rollover service has added certificate with thumbprint xx to ‘Signing’ certificate collection.”
So if you see event 335 you have 5 days to proactively run the Update-MSOLFederatedDomain cmdlet before users will be unable to sign into Office 365.
On 3/6/2012, I noticed two Event ID 358 entries:
“Restarting SAML Token Issuance ServiceHost. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart.”
“Restarting Issuance ServiceHost. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart.”
followed by two Event ID 335 entries:
“MSIS10004: Certificate rollover service has set certificate with thumbprint xx as primary ‘Encryption’ certificate.”
“MSIS10004: Certificate rollover service has set certificate with thumbprint xx as primary ‘Signing’ certificate.”
It is deceiving because these are ‘Informational’ event IDs rather than Warnings or Errors, so they would not be noticed by someone monitoring the event log for problems. (I usually only look at Warnings and Errors when reviewing events.)
The token signing certificate does not reside in the local certificate store on the server, so it is not possible to check the expiration date using the MMC -> Certificates snap-in. The only way I have found to find the expiration date is to run the Get-MSOLFederationProperty cmdlet on the ADFS server.
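Because the rollover events are logged as Informational, they are easy to miss. The following PowerShell script is an added example (not from the original post) that pulls event IDs 335 and 358 from the AD FS 2.0 Admin log, classifies them by the MSIS10005 (added as secondary) and MSIS10004 (promoted to primary) message codes quoted above, and reports how many days remain on the primary token-signing certificate. It assumes the AD FS 2.0 PowerShell snap-in is installed on the server and that the Admin log is named 'AD FS 2.0/Admin'; the 30-day lookback window is an arbitrary choice.

```powershell
# Added example: surface AD FS 2.0 certificate-rollover events and report
# days until the primary token-signing certificate expires.
# Assumptions: Microsoft.Adfs.PowerShell snap-in present; Admin log name
# 'AD FS 2.0/Admin'.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Event 335 = rollover service added/promoted a certificate,
# Event 358 = service host restarted because certificates changed.
$since = (Get-Date).AddDays(-30)
$rolloverEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS 2.0/Admin'
    Id        = 335, 358
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in ($rolloverEvents | Sort-Object TimeCreated)) {
    # MSIS10005 = new certificate added as secondary (5-day clock starts)
    # MSIS10004 = certificate promoted to primary (Office 365 now out of sync)
    $phase = if ($e.Message -match 'MSIS10005') { 'ADDED (secondary)' }
             elseif ($e.Message -match 'MSIS10004') { 'PROMOTED (primary)' }
             else { 'SERVICE HOST RESTART' }
    '{0:u}  Event {1}  {2}' -f $e.TimeCreated, $e.Id, $phase
}

# Expiry of the primary token-signing certificate, read from the AD FS
# configuration rather than the local machine certificate store.
$primary  = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$daysLeft = [int]($primary.Certificate.NotAfter - (Get-Date)).TotalDays
'Primary token-signing certificate {0} expires {1:d} ({2} days left)' -f `
    $primary.Thumbprint, $primary.Certificate.NotAfter, $daysLeft

# AD FS 2.0 auto-generates the replacement 20 days before expiry and promotes
# it 5 days later; either signal means Update-MsolFederatedDomain is due.
$pendingAdd = $rolloverEvents | Where-Object { $_.Message -match 'MSIS10005' }
if ($daysLeft -le 20 -or $pendingAdd) {
    Write-Warning 'Token-signing rollover is pending or underway: run Update-MsolFederatedDomain within 5 days.'
    exit 1
}
```

Scheduling this as a daily task that raises an alert on a non-zero exit code turns the silent Informational events into something an operator actually sees.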
Solving the problem
1. Log on to the ADFS server.
2. Launch the Microsoft Online Services Module for PowerShell.
3. Connect-MsolService (enter) (you will be prompted for your Office 365 credentials).
4. Add-PSSnapin Microsoft.Adfs.powershell
5. Set-MSOLADFSContext (you will be prompted to enter the computer name; type the local NetBIOS name of the computer, ex: contosoadfs01).
6. Get-MSOLFederationProperty -DomainName catapultsystems.com (save the output).
If you want to avoid doing this every year you can increase the token signing certificate duration from 1 year to 10 years with this command: Set-ADFSProperties -CertificateDuration 3650
At this point, if the certificate rollover has not happened yet, you can force it to occur with this command: Update-ADFSCertificate -CertificateType Token-Signing -Urgent
7. Update-MSOLFederatedDomain -DomainName catapultsystems.com
8. Get-MSOLFederationProperty -DomainName catapultsystems.com (compare with the original output to see if the serial number was updated).
9. Restart the ADFS service.
10. Log on to the Proxy server and re-run the ADFS 2.0 configuration wizard.
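The steps above, run from PowerShell on the ADFS server as one script, are shown below as an added example (not the post's own script). Instead of eyeballing the saved Get-MSOLFederationProperty output, it compares the token-signing certificate thumbprint that Office 365 holds against the one the ADFS server reports, runs Update-MSOLFederatedDomain only when they differ, and confirms they agree afterwards. It assumes the Microsoft Online Services Module and the AD FS 2.0 snap-in are installed, that Get-MsolFederationProperty returns one object per Source with a TokenSigningCertificate property, and that the AD FS 2.0 service name is adfssrv; $domain is a placeholder for your federated domain.

```powershell
# Added example: synchronise the Office 365 federation trust with the
# current AD FS 2.0 token-signing certificate, with before/after checks.
# Assumptions: MSOnline module and Microsoft.Adfs.PowerShell snap-in
# installed; run on the AD FS server; $domain is a placeholder.
$domain   = 'example.com'        # placeholder: your federated domain
$adfsHost = $env:COMPUTERNAME    # local NetBIOS name of this AD FS server

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Connect-MsolService                      # prompts for Office 365 admin credentials
Set-MsolADFSContext -Computer $adfsHost

function Get-FederationThumbprints {
    # Hashtable of Source -> token-signing thumbprint as each side sees it
    # (assumption: Source is 'ADFS Server' or 'Microsoft Office 365').
    $result = @{}
    foreach ($p in Get-MsolFederationProperty -DomainName $domain) {
        $result[$p.Source] = $p.TokenSigningCertificate.Thumbprint
    }
    return $result
}

function Test-InSync([hashtable]$thumbprints) {
    # True when every side reports the same token-signing thumbprint
    return (($thumbprints.Values | Select-Object -Unique).Count -eq 1)
}

$before = Get-FederationThumbprints
$before.GetEnumerator() | ForEach-Object { 'BEFORE  {0,-22} {1}' -f $_.Key, $_.Value }

if (Test-InSync $before) {
    'Office 365 already holds the current token-signing certificate; nothing to update.'
    return
}

# Thumbprints differ: AD FS has rolled over, push the new certificate to Office 365.
Update-MsolFederatedDomain -DomainName $domain

$after = Get-FederationThumbprints
$after.GetEnumerator() | ForEach-Object { 'AFTER   {0,-22} {1}' -f $_.Key, $_.Value }

if (Test-InSync $after) {
    'Federation trust updated; restarting AD FS 2.0 service.'
    Restart-Service adfssrv            # step 9 of the procedure above
    'Now re-run the AD FS 2.0 configuration wizard on the proxy server.'
} else {
    Write-Warning 'Thumbprints still differ after update; check the AD FS Admin event log before continuing.'
}
```

Keeping the before and after thumbprints in the script output gives you the same record the post suggests saving by hand, and the early return makes the script safe to run on a schedule since it changes nothing when both sides already agree.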
Note: When updating the communication certificate (ex: Wildcard) you need to swap it out on both ADFS and Proxy, as well as in the IIS Bindings too.
Reference: Great article here: http://www.benjaminathawes.com/2013/07/31/how-to-renew-your-adfs-2-0-token-signing-certificate-in-sharepoint/