AD FS 2.0 token signing certificate roll over results in loss of access to all Office 365 services
Published: March 24, 2013
Updated: February 28, 2013
Applies To: Active Directory Federation Services 2.0, Office 365, Windows Intune
If single sign-on users (also known as federated users) are experiencing any of the following symptoms, it may be due to an expired certificate that needs to be updated in Windows Azure Active Directory.
- One or more users cannot access any of the Microsoft cloud services that your organization has subscribed to (for example, Microsoft Exchange Online, Lync Online, SharePoint Online, and so on).
- A federated user attempting to access Microsoft cloud services such as Microsoft Office 365 using a browser (for example, Office Web Apps) sees the following error message on a web page whose URL starts with https://login.microsoftonline.com/login.srf:
  Your organization could not sign you in to this service. There was a problem accessing the site. Try to browse to the site again. If the problem persists, contact the administrator of this site and provide the reference number to identify the problem. Reference number: <GUID>
If your users are experiencing the above symptoms, it may be related to an expired token-signing certificate in Windows Azure AD.
Tip |
|---|
| You can confirm whether this is the issue by using the procedure in the Determine the start and end of the grace period section. |
More information
Active Directory Federation Services (AD FS) 2.0 provides single sign-on access to Microsoft cloud services such as Office 365 by authenticating users via their existing Active Directory Domain Services (AD DS) credentials. To set up single sign-on access, you first need to set up a federated trust between your on-premises AD FS 2.0 Service and Windows Azure AD.
Windows Azure AD provides the cloud authentication platform that Microsoft cloud services, such as Office 365, rely on for integration with your local on-premises AD DS environment. For more information see Windows Azure Active Directory.
When a federated user signs in to Microsoft cloud services, AD FS 2.0 applies a digital signature to a security token that is sent to Windows Azure AD. When validating a token, Windows Azure AD verifies that the certificate information associated with the signature in the token matches the certificate information that is stored as part of the trust between the local AD FS 2.0 service and Windows Azure AD.
By default, AD FS 2.0 uses token-signing certificates that are valid for one year. A new certificate is automatically generated 20 days before each certificate expires. Once the new certificate is generated, there are five days remaining in the grace period in which AD FS 2.0 will not use the certificate for signatures. It is critical that the certificate information in Windows Azure AD is updated prior to the end of the grace period.
Note |
|---|
| For information on modifying the default settings for AD FS 2.0 certificate rollover, see the TechNet Wiki article AD FS 2.0: How To Modify The Duration of AutoCertificateRollover Certificates |
Determine the start and end of the grace period
You can use the following steps to determine the start and end of the grace period.
To determine when the grace period starts and ends
- Ensure that you are logged on to the primary AD FS 2.0 federation server. In Windows PowerShell, run the following commands:
  Add-PSSnapin "microsoft.adfs.powershell"
  Get-ADFSCertificate -CertificateType token-signing
- In the command output, locate the certificate for which the IsPrimary value is True. That is the certificate AD FS 2.0 is currently using to sign tokens.
- Look at the Not After date of that certificate. By default, the grace period starts 20 days prior to the Not After date and ends 5 days after the Not After date.
- If you are within the grace period, look for any additional certificates listed. Ensure that there is a certificate for which the IsPrimary value is False and whose Not After date is more than 60 days in the future. Then use the procedure in the How to update Windows Azure AD with a valid token-signing certificate section to update the certificate information in Windows Azure AD. Doing so allows you to avoid an outage.
- If your system is near, but not yet within, the grace period, you can proactively generate a new certificate prior to the end of the grace period. To do so, follow the procedure in the How to Generate a New Certificate Manually Prior to the End of the Grace Period section. After doing so, update the certificate information in Windows Azure AD using the steps in the How to update Windows Azure AD with a valid token-signing certificate section. This way, you do not need to take action again until the grace period of the new certificate begins (approximately 345 days in the future).
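The following script is an added example, not code from the original page: it automates the check described in the procedure above using the same cmdlets, and reports where the primary token-signing certificate sits relative to the rollover thresholds and whether a usable replacement certificate already exists. It assumes that the objects returned by Get-ADFSCertificate expose the X.509 certificate as a .Certificate property (so .Certificate.NotAfter is the Not After date) and that Get-ADFSProperties exposes AutoCertificateRollover, CertificateGenerationThreshold and CertificatePromotionThreshold; where those thresholds are unavailable it falls back to the defaults the page states (generation 20 days before expiry, promotion 5 days after generation). Run it in an elevated PowerShell session on the primary AD FS 2.0 federation server.

```powershell
# Added example (not from the original page): grace-period status for the
# primary AD FS 2.0 token-signing certificate. Written for PowerShell 2.0.
# Assumptions: Get-ADFSCertificate exposes .Certificate (X509Certificate2);
# Get-ADFSProperties exposes AutoCertificateRollover and the two thresholds.
Add-PSSnapin "microsoft.adfs.powershell" -ErrorAction SilentlyContinue

function Get-TokenSigningRolloverStatus {
    param([datetime]$Now = (Get-Date))

    $props    = Get-ADFSProperties
    $genDays  = if ($props.CertificateGenerationThreshold) { [int]$props.CertificateGenerationThreshold } else { 20 }
    $promDays = if ($props.CertificatePromotionThreshold)  { [int]$props.CertificatePromotionThreshold }  else { 5 }

    $certs     = @(Get-ADFSCertificate -CertificateType token-signing)
    $primary   = $certs | Where-Object { $_.IsPrimary } | Select-Object -First 1
    $secondary = $certs | Where-Object { -not $_.IsPrimary }
    if (-not $primary) {
        throw "No primary token-signing certificate found; make sure this is the primary AD FS 2.0 federation server."
    }

    $notAfter   = $primary.Certificate.NotAfter
    $graceStart = $notAfter.AddDays(-$genDays)      # automatic generation of the next certificate
    $promoteAt  = $graceStart.AddDays($promDays)    # AD FS 2.0 starts signing with the new certificate

    # Step 4 above: a replacement is a non-primary certificate still valid for more than 60 days.
    $replacement = $secondary | Where-Object { $_.Certificate.NotAfter -gt $Now.AddDays(60) } | Select-Object -First 1

    $state = if ($Now -ge $notAfter) { "EXPIRED: primary certificate is past Not After; expect an outage" }
             elseif ($Now -ge $graceStart) { "IN GRACE PERIOD: update Windows Azure AD before $promoteAt" }
             elseif ($Now -ge $graceStart.AddDays(-30)) { "NEAR GRACE PERIOD: consider generating the new certificate now" }
             else { "OK: no action needed until $graceStart" }
    if (-not $props.AutoCertificateRollover) {
        $state += " (AutoCertificateRollover is disabled: nothing will be generated automatically; renew manually)"
    }

    New-Object PSObject -Property @{
        PrimaryThumbprint     = $primary.Thumbprint
        PrimaryNotAfter       = $notAfter
        DaysUntilExpiry       = [math]::Floor(($notAfter - $Now).TotalDays)
        GracePeriodStart      = $graceStart
        ExpectedPromotion     = $promoteAt
        ReplacementThumbprint = if ($replacement) { $replacement.Thumbprint } else { $null }
        ReplacementReady      = [bool]$replacement
        State                 = $state
    }
}

Get-TokenSigningRolloverStatus | Format-List
```

ReplacementReady being False while State reports the grace period is the combination that needs immediate attention: either the secondary certificate has not been generated yet (check AutoCertificateRollover) or Windows Azure AD has not been told about it.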
How to update Windows Azure AD with a valid token-signing certificate
The steps in this section allow you to:
- Verify whether an update of Windows Azure AD certificate information is required
- Update Windows Azure AD with the new certificate information
These steps are recommended if any of the following are true:
- You would like to verify whether an issue is because of a certificate auto-rollover and, if so, to resolve the problem.
- The steps in the Determine the start and end of the grace period section reveal that you are in the grace period due to automatic rollover.
- The steps in the Determine the start and end of the grace period section reveal that you are not yet in the grace period, and you have performed the manual steps in the How to Generate a New Certificate Manually Prior to the End of the Grace Period section to generate a new certificate.
- You are using externally issued certificates for token signing, and you have already installed a new certificate in AD FS 2.0.
Perform the following steps while logged on to the primary AD FS 2.0 server that has the Windows Azure Active Directory Module for Windows PowerShell installed.
Note |
|---|
| The Microsoft Online Services Sign-In Assistant is a pre-requisite for the Windows Azure Active Directory Module for Windows PowerShell |
To update the Windows Azure AD with a valid token-signing certificate
- Open the Windows Azure Active Directory Module for Windows PowerShell. Alternatively, open Windows PowerShell and then run the following command:
  Import-Module msonline
- Connect to Windows Azure AD by running the following command, and then enter your global administrator credentials when prompted:
  Connect-MsolService
  Note If you are running these commands on a computer that is not the AD FS 2.0 primary federation server, first run Set-MsolADFSContext -Computer <servername>, replacing <servername> with the name of the AD FS 2.0 primary federation server, and enter administrator credentials for that server when prompted.
- Optionally, verify whether an update is required by checking the current certificate information in Windows Azure AD. To do so, run the following command and enter the name of the federated domain when prompted:
  Get-MsolFederationProperty
  Note The command output is divided into two sections. The first has ADFS Server as the Source and shows the configuration stored in the local AD FS 2.0 service. The second has Microsoft Office 365 as the Source and shows the configuration stored in Windows Azure AD. Compare the TokenSigningCertificate values in the two sections, and then compare the NextTokenSigningCertificate values. If either like-named attribute differs between the two sections, Windows Azure AD holds stale certificate information: a TokenSigningCertificate mismatch is an outage condition now, and a NextTokenSigningCertificate mismatch (typical during the grace period, or after you have updated the AD FS 2.0 certificates manually) will become one when the new certificate is promoted. In both cases an update is required, so continue with the steps in this section. If both attributes match, Windows Azure AD already has the current certificate information and no update is needed for this domain.
- To update the certificate information in Windows Azure AD, run the following command, and then enter the domain name when prompted:
  Update-MsolFederatedDomain
  Note If you see an error when running this command, run Update-MsolFederatedDomain -SupportMultipleDomain instead, and then enter the domain name when prompted.
- Run Get-MsolFederationProperty again and compare the TokenSigningCertificate values in the two sections, and then the NextTokenSigningCertificate values. If the respective attributes match, the domain was updated successfully.
Important |
|---|
| Once the AD FS 2.0 token signing certificate has been renewed and updated in Windows Azure AD, re-enroll each AD FS 2.0 proxy by running the AD FS 2.0 Federation Service Configuration Wizard on each federation service proxy server again. This is required because any currently issued proxy tokens are signed by the current AD FS 2.0 token signing certificate and will no longer be valid once the current signing certificate expires. For more information, see the Configure a Computer for the Federation Server Proxy Role article. |
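The following script is an added example, not code from the original page: it performs the comparison the Note in step 3 describes, runs the update from step 4 only when the two sections disagree (with the page's -SupportMultipleDomain fallback), and re-checks afterwards. It assumes that Get-MsolFederationProperty returns one object per Source (ADFS Server and Microsoft Office 365) whose TokenSigningCertificate and NextTokenSigningCertificate properties are either X509Certificate2 objects (compared here by thumbprint) or strings, and that the Windows Azure Active Directory Module and its Sign-In Assistant prerequisite are installed; contoso.com is a placeholder federated domain. Run it on the primary AD FS 2.0 server, or on another computer after Set-MsolADFSContext.

```powershell
# Added example (not from the original page): detect and fix a certificate mismatch
# between AD FS 2.0 and Windows Azure AD for one federated domain. PowerShell 2.0 syntax.
# Assumptions: Get-MsolFederationProperty output shape as described in the lead-in;
# "contoso.com" is a placeholder.
Import-Module MSOnline
Connect-MsolService   # prompts for global administrator credentials

function Get-CertId {
    # Normalize a certificate property to a comparable string (thumbprint, text, or "<none>").
    param($Cert)
    if ($Cert -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) { return $Cert.Thumbprint }
    if ($Cert) { return [string]$Cert }
    return "<none>"
}

function Test-FederatedDomainCertSync {
    param([Parameter(Mandatory=$true)][string]$DomainName)
    $props = Get-MsolFederationProperty -DomainName $DomainName
    $adfs  = $props | Where-Object { $_.Source -like "ADFS*" }
    $cloud = $props | Where-Object { $_.Source -like "Microsoft Office 365*" }
    if (-not $adfs -or -not $cloud) {
        throw "Expected both an ADFS Server and a Microsoft Office 365 section for ${DomainName}."
    }

    $curMatch  = (Get-CertId $adfs.TokenSigningCertificate)     -eq (Get-CertId $cloud.TokenSigningCertificate)
    $nextMatch = (Get-CertId $adfs.NextTokenSigningCertificate) -eq (Get-CertId $cloud.NextTokenSigningCertificate)

    New-Object PSObject -Property @{
        Domain                = $DomainName
        AdfsTokenSigning      = Get-CertId $adfs.TokenSigningCertificate
        CloudTokenSigning     = Get-CertId $cloud.TokenSigningCertificate
        AdfsNextTokenSigning  = Get-CertId $adfs.NextTokenSigningCertificate
        CloudNextTokenSigning = Get-CertId $cloud.NextTokenSigningCertificate
        TokenSigningMatch     = $curMatch    # False: Windows Azure AD is rejecting current signatures
        NextTokenSigningMatch = $nextMatch   # False: the next promotion will cause an outage
        InSync                = ($curMatch -and $nextMatch)
    }
}

function Sync-FederatedDomainCert {
    param([Parameter(Mandatory=$true)][string]$DomainName)
    $before = Test-FederatedDomainCertSync -DomainName $DomainName
    if ($before.InSync) {
        Write-Host "${DomainName}: Windows Azure AD already has the current certificates."
        return $before
    }

    try {
        Update-MsolFederatedDomain -DomainName $DomainName -ErrorAction Stop
    } catch {
        # The page's fallback when the plain command errors (multiple federated domains).
        Update-MsolFederatedDomain -DomainName $DomainName -SupportMultipleDomain -ErrorAction Stop
    }

    $after = Test-FederatedDomainCertSync -DomainName $DomainName
    if (-not $after.InSync) { throw "${DomainName} is still out of sync after Update-MsolFederatedDomain." }
    return $after
}

Sync-FederatedDomainCert -DomainName "contoso.com" | Format-List
```

Run Sync-FederatedDomainCert once per federated domain. Because it only calls Update-MsolFederatedDomain when a mismatch is found, it is safe to schedule during the grace period; the returned object records both thumbprints, which is useful evidence when reconstructing the timeline of an outage.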
How to Generate a New Certificate Manually Prior to the End of the Grace Period
You can use the following steps to generate a new certificate manually prior to the end of the grace period.
To generate a new certificate manually prior to the end of the grace period
- Ensure that you are logged on to the primary AD FS 2.0 federation server.
- Open Windows PowerShell and run the following command:
  Add-PSSnapin "microsoft.adfs.powershell"
- Optionally, check the current token-signing certificates in AD FS 2.0 by running the following command and noting the Not After dates of the certificates listed:
  Get-ADFSCertificate -CertificateType token-signing
- Generate the new certificate by running the following command (the AD FS 2.0 snap-in's Update-ADFSCertificate cmdlet; without the -Urgent switch it adds the new certificate as a secondary certificate and leaves the current primary certificate in use):
  Update-ADFSCertificate -CertificateType token-signing
- Verify the update by running the following command again:
  Get-ADFSCertificate -CertificateType token-signing
  Two certificates should now be listed, one of which has a Not After date approximately one year in the future and an IsPrimary value of False.
Important To avoid a service outage, update the certificate information in Windows Azure AD by following the steps in the How to update Windows Azure AD with a valid token-signing certificate section.
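The following script is an added example, not code from the original page: it generates the new secondary certificate and verifies the outcome the way the last step describes, refusing to continue if the primary certificate changed unexpectedly (which would mean Windows Azure AD must be updated immediately). It assumes that Get-ADFSCertificate exposes the X.509 certificate as a .Certificate property, and that Update-ADFSCertificate, which regenerates only the self-signed certificates automatic rollover manages, requires AutoCertificateRollover to be enabled. Run it on the primary AD FS 2.0 federation server.

```powershell
# Added example (not from the original page): manual generation of a secondary
# token-signing certificate with before/after verification. PowerShell 2.0 syntax.
# Assumptions: .Certificate on Get-ADFSCertificate output; automatic rollover enabled.
Add-PSSnapin "microsoft.adfs.powershell" -ErrorAction SilentlyContinue

function New-SecondaryTokenSigningCertificate {
    if (-not (Get-ADFSProperties).AutoCertificateRollover) {
        throw "AutoCertificateRollover is disabled; use the externally issued certificate procedure instead."
    }

    $before     = @(Get-ADFSCertificate -CertificateType token-signing)
    $beforeIds  = $before | ForEach-Object { $_.Thumbprint }
    $primary    = $before | Where-Object { $_.IsPrimary } | Select-Object -First 1

    # No -Urgent: the new certificate is added as secondary; the current primary keeps signing.
    Update-ADFSCertificate -CertificateType token-signing

    $after = @(Get-ADFSCertificate -CertificateType token-signing)
    $new   = $after | Where-Object { $beforeIds -notcontains $_.Thumbprint } | Select-Object -First 1
    if (-not $new) { throw "Update-ADFSCertificate completed but no new certificate appeared." }

    $primaryNow = ($after | Where-Object { $_.IsPrimary } | Select-Object -First 1).Thumbprint
    if ($new.IsPrimary -or $primaryNow -ne $primary.Thumbprint) {
        throw "The primary certificate changed unexpectedly; update Windows Azure AD immediately."
    }

    $daysValid = ($new.Certificate.NotAfter - (Get-Date)).TotalDays
    if ($daysValid -lt 300) {
        Write-Warning "New certificate is valid for only $([int]$daysValid) days; check CertificateDuration."
    }

    New-Object PSObject -Property @{
        CertificatesListed = $after.Count
        PrimaryThumbprint  = $primary.Thumbprint
        NewThumbprint      = $new.Thumbprint
        NewIsPrimary       = [bool]$new.IsPrimary
        NewNotAfter        = $new.Certificate.NotAfter
        NextStep           = "Run Update-MsolFederatedDomain for each federated domain now."
    }
}

New-SecondaryTokenSigningCertificate | Format-List
```

The NewThumbprint value is what should appear as NextTokenSigningCertificate in the Microsoft Office 365 section of Get-MsolFederationProperty once Windows Azure AD has been updated.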
Guidance for customers not using AD FS self-signed certificates
If you are not using the default automatically generated, self-signed certificates for token signing, you must renew your token signing certificate manually.
Planning for renewal
You should plan to renew the certificate for AD FS 2.0 approximately 60 days prior to the Not After date that is determined by performing the following procedure.
To determine the date which you must configure a new primary token signing certificate
- In Windows PowerShell, run the following commands:
  Add-PSSnapin "microsoft.adfs.powershell"
  Get-ADFSCertificate -CertificateType token-signing
- Look at the command output. The certificate for which the IsPrimary value reads True is the certificate that AD FS 2.0 is currently using to sign tokens.
- Look at the Not After date of this certificate.
  Important The date shown for Not After is the date by which you must configure a new primary token signing certificate. If you do not do so by that date, there will be a service outage five days after that date due to the expiration of the signing certificate.
Install a new certificate as a secondary certificate
Once you have obtained a new certificate from your certificate authority, import it into the local machine personal certificate store on each AD FS 2.0 federation server. For instructions, see the Import a Certificate article.
To install a new certificate as a secondary certificate
- After you have imported the certificate, open the AD FS 2.0 Management console.
- Expand Service and then select Certificates.
- In the Actions pane, click Add Token-Signing Certificate.
- Select the new certificate from the list of displayed certificates, and then click OK.
  Caution Ensure that the new certificate has a private key associated with it and that the AD FS 2.0 service account is granted Read permissions to the private key. Verify this on each AD FS 2.0 federation server. To do so, in the Certificates snap-in, right-click the new certificate, click All Tasks, and then click Manage Private Keys.
After installing the new certificate, update Windows Azure AD with the new certificate by using the steps in the How to update Windows Azure AD with a valid token-signing certificate section.
Warning |
|---|
| Notify non-Windows Azure AD partners (other relying parties that trust this AD FS 2.0 service) of the new certificate. Then allow them sufficient time to configure the new certificate before performing the procedure in the Promote the new certificate from secondary to primary section. Once the new certificate is primary, tokens signed with it are rejected by any partner that still trusts only the old certificate. |
Promote the new certificate from secondary to primary
After allowing a sufficient period of time for all non Windows Azure AD partners to configure the new secondary certificate, promote the secondary certificate to primary using the following procedure:
To promote the new certificate from secondary to primary
- Open the AD FS 2.0 Management console.
- Expand Service and then select Certificates.
- Click the secondary token-signing certificate.
- In the Actions pane, click Set As Primary. Click Yes at the confirmation prompt.
- Update Windows Azure AD with the new certificate using the steps in the How to update Windows Azure AD with a valid token-signing certificate section.
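The following script is an added example, not code from the original page: it covers the externally issued certificate path from the two preceding procedures in PowerShell, checking the private-key requirement from the Caution (the certificate has a private key and the AD FS 2.0 service account can read it) before adding the certificate as secondary, and promoting it in a separate, later step. It assumes that the AD FS 2.0 service is named adfssrv, that the certificate's private key is a CAPI key whose container file lives under ProgramData\Microsoft\Crypto\RSA\MachineKeys (CNG keys are not handled), and that AD FS 2.0 only accepts a manually added token-signing certificate while AutoCertificateRollover is off; the thumbprint is a placeholder for your imported certificate. Run the key check on each federation server and the AD FS configuration changes on the primary server.

```powershell
# Added example (not from the original page): externally issued token-signing
# certificate: private-key access check, add as secondary, promote later.
# Assumptions: service name adfssrv; CAPI key container under MachineKeys;
# Add-ADFSCertificate needs AutoCertificateRollover off. PowerShell 2.0 syntax.
Add-PSSnapin "microsoft.adfs.powershell" -ErrorAction SilentlyContinue

function Test-TokenSigningKeyAccess {
    # The Caution above: private key present, and the service account has Read on it.
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $acct = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
    if ($acct -eq 'LocalSystem') { $acct = 'NT AUTHORITY\SYSTEM' }
    $canRead = $false
    $keyPath = $null
    if ($cert.HasPrivateKey) {
        try {
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyPath   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
            $name      = $acct.Split('\')[-1]
            $readData  = [System.Security.AccessControl.FileSystemRights]::ReadData
            $canRead   = [bool]((Get-Acl $keyPath).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -like "*\$name" -and
                (($_.FileSystemRights -band $readData) -ne 0) })
        } catch { Write-Warning "Could not inspect the private key container: $_" }
    }
    New-Object PSObject -Property @{
        Thumbprint = $Thumbprint; HasPrivateKey = $cert.HasPrivateKey
        ServiceAccount = $acct;   KeyFile = $keyPath; ServiceCanRead = $canRead
    }
}

function Add-SecondaryTokenSigningCertificate {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $access = Test-TokenSigningKeyAccess -Thumbprint $Thumbprint
    if (-not $access.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in LocalMachine\My." }
    if (-not $access.ServiceCanRead) {
        throw "Grant $($access.ServiceAccount) Read on the private key (Manage Private Keys) before adding it."
    }
    # AD FS 2.0 rejects manually added token-signing certificates while automatic rollover is on.
    if ((Get-ADFSProperties).AutoCertificateRollover) { Set-ADFSProperties -AutoCertificateRollover $false }
    Add-ADFSCertificate -CertificateType token-signing -Thumbprint $Thumbprint
    Get-ADFSCertificate -CertificateType token-signing | Where-Object { $_.Thumbprint -eq $Thumbprint }
}

function Set-PrimaryTokenSigningCertificate {
    # Only after partners have had time to configure the new certificate (Warning above).
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    Set-ADFSCertificate -CertificateType token-signing -Thumbprint $Thumbprint -IsPrimary
    $primary = Get-ADFSCertificate -CertificateType token-signing | Where-Object { $_.IsPrimary }
    if ($primary.Thumbprint -ne $Thumbprint) { throw "Promotion did not take effect." }
    Write-Host "Now run Update-MsolFederatedDomain for each federated domain."
    return $primary
}

$thumb = "<thumbprint of the imported certificate>"   # placeholder
Add-SecondaryTokenSigningCertificate -Thumbprint $thumb | Format-List
# Later, once partners are ready:
# Set-PrimaryTokenSigningCertificate -Thumbprint $thumb
```

Because Add-ADFSCertificate turns off automatic rollover as a side effect, the grace-period logic described earlier no longer applies to this deployment: from this point on, renewal is entirely manual and should be tracked against the Not After date as described under Planning for renewal.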