
AD FS 2.0 token signing certificate roll over results in loss of access to all Office 365 services

Published: March 24, 2013

Updated: June 16, 2014

Applies To: Azure, Office 365, Windows Intune

If single sign-on users (also known as federated users) are experiencing any of the following symptoms, it may be due to an expired certificate that needs to be updated in Microsoft Azure Active Directory (Microsoft Azure AD).

  • One or more users cannot access any of the Microsoft cloud services that your organization has subscribed to (for example, Microsoft Exchange Online, Lync Online, SharePoint Online, and so on).

  • A federated user attempting to access Microsoft cloud services such as Microsoft Office 365 using their browser (for example, Office Web Apps) sees the following error message on a web page with the URL that starts with the following:

    https://login.microsoftonline.com/login.srf: Your organization could not sign you in to this service. There was a problem accessing the site. Try to browse to the site again. If the problem persists, contact the administrator of this site and provide the reference number to identify the problem. Reference number: <GUID>

    If your users are experiencing the above symptoms, it may be related to an expired token-signing certificate in Azure AD.

Tip
You can confirm whether this is the issue by using the procedure in the Determine the start and end of the grace period section.

Active Directory Federation Services (AD FS) 2.0 provides single sign-on access to Microsoft cloud services such as Office 365 by authenticating users via their existing Active Directory Domain Services (AD DS) credentials. To set up single sign-on access, you first need to set up a federated trust between your on-premises AD FS 2.0 Service and Azure AD.

Azure AD provides the cloud authentication platform that Microsoft cloud services, such as Office 365, rely on for integration with your local on-premises AD DS environment. For more information see Azure Active Directory.

When a federated user signs in to Microsoft cloud services, AD FS 2.0 applies a digital signature to a security token that is sent to Azure AD. When validating a token, Azure AD verifies that the certificate information associated with the signature in the token matches the certificate information that is stored as part of the trust between the local AD FS 2.0 service and Azure AD.

By default, AD FS 2.0 uses token-signing certificates that are valid for one year. A new certificate is automatically generated 20 days before each certificate expires. Once the new certificate is generated, there are five days remaining in the grace period in which AD FS 2.0 will not use the certificate for signatures. It is critical that the certificate information in Azure AD is updated prior to the end of the grace period.

Important
  1. To ensure continuity of service it is critical to update Azure AD with the new certificate information once a new certificate is generated as described in the How to update Azure AD with a valid token-signing certificate section.

  2. If you are not using the default (automatically generated, self-signed certificates) for token signing, see Guidance for customers not using AD FS self-signed certificates section.

Note
For information on modifying the default settings for AD FS 2.0 certificate rollover, see the TechNet Wiki article AD FS 2.0: How To Modify The Duration of AutoCertificateRollover Certificates.

Determine the start and end of the grace period

You can use the following steps to determine the start and end of the grace period.

  1. Ensure that you are logged on to the primary AD FS 2.0 federation server. In Windows PowerShell, run the following commands:

    Add-PSSnapin "microsoft.adfs.powershell"

    Get-ADFSCertificate -CertificateType token-signing

  2. In the command output, locate the certificate for which the IsPrimary value is True. This is the certificate that AD FS 2.0 is currently using to sign tokens.

  3. Look at the Not After date of the certificate. By default, your grace period will start 20 days prior to this date. By default, the end of the grace period is 5 days after the start of the grace period.

  4. If you are within the grace period, look for any additional certificates listed. Ensure that there is a certificate for which the IsPrimary value is False and that the Not After date of this certificate is over 60 days in the future. Then, use the procedure in the How to update Azure AD with a valid token-signing certificate section to update the certificate information in Azure AD. Doing so allows you to avoid an outage.

  5. If your system is near, but not yet within the grace period, you can proactively generate a new certificate prior to the end of the grace period. To do so, follow the procedure in the How to Generate a New Certificate Manually Prior to the End of the Grace Period section. After doing so, ensure that you update the certificate information in Azure AD using the steps under How to update Azure AD with a valid token-signing certificate section. This way, you do not need to take action again until the grace period for the new certificate (approximately 345 days in the future).
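The following script, added here as an example and not part of the TechNet article, carries out steps 1 through 4 above in one pass: it reads the configured generation and promotion thresholds from AD FS 2.0 instead of assuming the 20-day and 5-day defaults, derives the grace period from the primary certificate's Not After date, and checks for a replacement certificate that is valid more than 60 days out.

```powershell
# Added example, not part of the TechNet article: report where the primary
# token-signing certificate sits relative to the rollover grace period.
# Run on the primary AD FS 2.0 federation server.
Add-PSSnapin "microsoft.adfs.powershell" -ErrorAction SilentlyContinue

# Default thresholds are 20 days (generation) and 5 days (promotion);
# read the configured values instead of assuming the defaults.
$props    = Get-ADFSProperties
$genDays  = $props.CertificateGenerationThreshold
$promDays = $props.CertificatePromotionThreshold

$certs    = Get-ADFSCertificate -CertificateType token-signing
$primary  = $certs | Where-Object { $_.IsPrimary }
$notAfter = $primary.Certificate.NotAfter

$graceStart = $notAfter.AddDays(-$genDays)   # step 3: Not After minus 20 days
$graceEnd   = $graceStart.AddDays($promDays) # step 3: start plus 5 days
$now        = Get-Date

"Primary token-signing thumbprint : $($primary.Thumbprint)"
"Not After                        : $notAfter"
"Grace period                     : $graceStart -> $graceEnd"

if ($now -ge $graceStart -and $now -lt $graceEnd) {
    "STATUS: inside the grace period. Update Azure AD before $graceEnd."
    # Step 4: a non-primary certificate valid more than 60 days out should exist.
    $next = $certs | Where-Object {
        -not $_.IsPrimary -and $_.Certificate.NotAfter -gt $now.AddDays(60)
    }
    if ($next) { "Replacement certificate present: $($next.Thumbprint)" }
    else       { "WARNING: no replacement certificate found; see step 5." }
}
elseif ($now -ge $graceEnd) {
    "STATUS: grace period has passed and this certificate is still primary; if it has expired, federated sign-in is failing."
}
else {
    $daysLeft = [int]($graceStart - $now).TotalDays
    "STATUS: $daysLeft day(s) until the grace period starts (step 5 applies if this is close)."
}
```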

How to update Azure AD with a valid token-signing certificate

The steps in this section allow you to:

  • Verify whether an update of Azure AD certificate information is required

  • Update Azure AD with the new certificate information

These steps are recommended if any of the following are true:

Perform the following steps while logged on to the primary AD FS 2.0 server that has the Microsoft Azure Active Directory Module for Windows PowerShell installed.

Note
The Microsoft Online Services Sign-In Assistant is a prerequisite for the Microsoft Azure Active Directory Module for Windows PowerShell.

  1. Open the Microsoft Azure Active Directory Module for Windows PowerShell. Alternatively, open Windows PowerShell and then run the command Import-Module msonline.

  2. Connect to Azure AD by running the following command: Connect-MsolService, and then enter your global administrator credentials.

    Note
    If you are running these commands on a computer that is not the AD FS 2.0 primary federation server, enter the following command first: Set-MsolADFSContext –Computer <servername>. Replace <servername> with the name of the AD FS 2.0 server. Then enter the administrator credentials for the AD FS 2.0 server when prompted.

  3. Optionally, verify whether an update is required by checking the current certificate information in Azure AD. To do so, run the following command: Get-MsolFederationProperty. Enter the name of the federated domain when prompted.

    Note
    The command output is divided into two sections. The first section has ADFS Server as the Source and represents the configuration that is stored in the local AD FS 2.0 service. The second section has a Source of Microsoft Office 365, which represents the configuration that is stored in Microsoft Azure AD. Compare the value of the TokenSigningCertificate attribute in the two sections. Also, compare the NextTokenSigningCertificate attribute in the two sections. If like-named attributes do not match, this is an outage condition and an update is required (continue with the steps in this section). Otherwise, if you are in the grace period or have recently updated the AD FS 2.0 certificates manually, proceed with the steps below to update the certificate information and avoid an outage.

  4. To update the certificate information in Azure AD, run the following command: Update-MsolFederatedDomain and then enter the domain name when prompted.

    Note
    If you see an error when running this command, run the following command: Update-MsolFederatedDomain –SupportMultipleDomain, and then enter the domain name when prompted.

Compare the values of the TokenSigningCertificate attributes in each of the two sections. Then compare the NextTokenSigningCertificate attributes. If the respective attributes match, the domain was updated successfully.

Important
Once the AD FS 2.0 token signing certificate has been renewed and updated in Azure AD, re-enroll each AD FS 2.0 proxy by running the AD FS 2.0 Federation Service Configuration Wizard on each federation service proxy server again. This is required because any currently issued proxy tokens are signed by the current AD FS 2.0 token signing certificate and will no longer be valid once the current signing certificate expires. For more information, see the Configure a Computer for the Federation Server Proxy Role article.
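The following script, added here as an example and not part of the TechNet article, automates steps 3 and 4 above and the verification that follows them: it compares the TokenSigningCertificate and NextTokenSigningCertificate attributes across the two Source sections and runs Update-MsolFederatedDomain only when they differ. It assumes Connect-MsolService has already been run on the primary AD FS 2.0 server, that the certificate attributes are X509Certificate2 objects, and that $domain is replaced with your federated domain.

```powershell
# Added example, not part of the TechNet article: compare the token-signing
# certificates recorded in Azure AD with those AD FS 2.0 holds (step 3) and
# push an update only on mismatch (step 4). Assumes Connect-MsolService has
# already been run on the primary AD FS 2.0 server; $domain is a placeholder.
Import-Module MSOnline
$domain = "<your-federated-domain>"

$props = Get-MsolFederationProperty -DomainName $domain
# Source values as described in the note on the command output.
$local = $props | Where-Object { $_.Source -eq "ADFS Server" }
$cloud = $props | Where-Object { $_.Source -eq "Microsoft Office 365" }

# Assumes the certificate attributes are X509Certificate2 objects.
function Get-Thumb($cert) { if ($cert) { $cert.Thumbprint } else { "<none>" } }

$pairs = @(
    @{ Name  = "TokenSigningCertificate"
       Local = (Get-Thumb $local.TokenSigningCertificate)
       Cloud = (Get-Thumb $cloud.TokenSigningCertificate) },
    @{ Name  = "NextTokenSigningCertificate"
       Local = (Get-Thumb $local.NextTokenSigningCertificate)
       Cloud = (Get-Thumb $cloud.NextTokenSigningCertificate) }
)

$mismatch = $false
foreach ($p in $pairs) {
    if ($p.Local -eq $p.Cloud) { $state = "match" }
    else { $state = "MISMATCH"; $mismatch = $true }
    "{0,-28} ADFS={1}  AzureAD={2}  {3}" -f $p.Name, $p.Local, $p.Cloud, $state
}

if ($mismatch) {
    "Azure AD does not match AD FS; updating the federated domain."
    # Fall back to -SupportMultipleDomain if the plain call errors, as the note above describes.
    try   { Update-MsolFederatedDomain -DomainName $domain -ErrorAction Stop }
    catch { Update-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain }
}
else {
    "Azure AD already matches AD FS; re-run this check once a new certificate is generated."
}
```

Re-run the script after the update; both rows should then report match, which is the success condition described above.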

How to Generate a New Certificate Manually Prior to the End of the Grace Period

You can use the following steps to generate a new certificate manually prior to the end of the grace period.

  1. Ensure that you are logged on to the primary AD FS 2.0 server.

  2. Open Windows PowerShell and run the following command: Add-PSSnapin "microsoft.adfs.powershell"

  3. Optionally, you can check the current signing certificates in AD FS 2.0. To do so, run the following command: Get-ADFSCertificate –CertificateType token-signing. Look at the command output to see the Not After dates of any certificates listed.

  4. To generate a new certificate, execute the following command to renew and update the certificates on the AD FS server: Update-ADFSCertificate –CertificateType token-signing.

  5. Verify the update by running the following command again: Get-ADFSCertificate –CertificateType token-signing.

    Two certificates should be listed now, one of which has a Not After date of approximately one year in the future and for which the IsPrimary value is False.

    Important
    To avoid a service outage, update the certificate information in Azure AD by running the steps in the How to update Azure AD with a valid token-signing certificate section.

Guidance for customers not using AD FS self-signed certificates

If you are not using the default automatically generated, self-signed certificates for token signing, you must renew your token signing certificate manually.

You should plan to renew the certificate for AD FS 2.0 approximately 60 days prior to the Not After date that is determined by performing the following procedure.

  1. In Windows PowerShell run the following commands:

    Add-PSSnapin "microsoft.adfs.powershell"
    Get-ADFSCertificate –CertificateType token-signing

  2. Look at the command output. The certificate for which the IsPrimary value reads True is the certificate that AD FS 2.0 is currently using to sign tokens.

  3. Look at the Not After date of this certificate.

    Important
    The date shown for Not After is the date by which you must configure a new primary token signing certificate. If you do not do so by that date, there will be a service outage five days after that date due to the expiration of the signing certificate.

Once you have obtained a new certificate from your certificate authority, import it into the local machine personal certificate store on each AD FS 2.0 federation server. For instructions, see the Import a Certificate article.

  1. Once you have imported the certificate, open the AD FS 2.0 Management console.

  2. Expand Service and then select Certificates.

  3. In the Actions pane, click Add Token-Signing Certificate.

  4. Select the new certificate from the list of displayed certificates, and then click OK.

    Caution
    Ensure the new certificate has a private key associated with it and that the AD FS 2.0 service account is granted Read permissions to the private key. Verify this on each AD FS 2.0 federation server. To do so, in the Certificates snap-in, right-click the new certificate, click All Tasks, and then click Manage Private Keys.

After installing the new certificate, update Azure AD with the new certificate by using the steps in the How to update Azure AD with a valid token-signing certificate section.

Warning
Notify non-Azure AD partners of the new certificate. Then allow a sufficient period of time for the non-Azure AD partners to configure the new certificate before performing the procedure in the Promote the new certificate from secondary to primary section.

Promote the new certificate from secondary to primary

After allowing a sufficient period of time for all non-Azure AD partners to configure the new secondary certificate, promote the secondary certificate to primary using the following procedure:

  1. Open the AD FS 2.0 Management console.

  2. Expand Service and then select Certificates.

  3. Click the secondary token signing certificate.

  4. In the Actions pane, click Set As Primary. Click Yes at the confirmation prompt.

  5. Update Azure AD with the new certificate using steps in the How to update Azure AD with a valid token-signing certificate section.
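For administrators who prefer the command line, the following is the PowerShell equivalent of the two console procedures above (adding the CA-issued certificate as a secondary token-signing certificate, then promoting it), added here as an example and not part of the TechNet article. The function names and the thumbprint value are placeholders; the HasPrivateKey check covers only the first half of the Caution above, so the service account's Read permission on the private key still has to be verified with Manage Private Keys.

```powershell
# Added example, not part of the TechNet article: the PowerShell equivalent of
# the console steps for a CA-issued token-signing certificate. The function
# names and the thumbprint are placeholders; run on the primary AD FS 2.0 server.
Add-PSSnapin "microsoft.adfs.powershell" -ErrorAction SilentlyContinue

function Add-SecondaryTokenSigningCertificate([string]$Thumbprint) {
    # Manually managed certificates require automatic rollover to be off;
    # Add-ADFSCertificate fails while AutoCertificateRollover is enabled.
    if ((Get-ADFSProperties).AutoCertificateRollover) {
        throw "AutoCertificateRollover is enabled; this procedure is for manually managed certificates."
    }
    # Caution above: the imported certificate must carry a private key.
    # (The service account's Read permission on that key is not checked here.)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
    if ($cert.NotAfter -lt (Get-Date).AddDays(60)) {
        Write-Warning "Certificate expires $($cert.NotAfter); less than 60 days of validity remain."
    }
    # Steps 3-4 of the add procedure: register it as a secondary token-signing certificate.
    Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $Thumbprint
}

function Set-TokenSigningCertificatePrimary([string]$Thumbprint) {
    # Steps 3-4 of the promote procedure; run only after Azure AD and all
    # non-Azure AD partners have picked up the new certificate.
    Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $Thumbprint -IsPrimary
    # Show the result: the new thumbprint should now be the one with IsPrimary = True.
    Get-ADFSCertificate -CertificateType token-signing |
        Select-Object Thumbprint, IsPrimary, @{ n = "NotAfter"; e = { $_.Certificate.NotAfter } }
}

$new = "<THUMBPRINT-OF-NEW-CERTIFICATE>"   # placeholder
Add-SecondaryTokenSigningCertificate $new
# Later, after Update-MsolFederatedDomain has run and partners have been notified:
# Set-TokenSigningCertificatePrimary $new
```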

© 2014 Microsoft