If you receive the following error when trying to use single sign on with Office 365, your token signing certificate may have expired.
“There was a problem accessing the site. Try to browse the site again.”
Microsoft warns that this will happen:
“The token signing certificate expires every year: By default, AD FS 2.0 generates a new token signing certificate, which is a self-signed certificate, 20 days before the certificate expires each year. Certificate rollover, or generating a new certificate when the existing certificate is about to expire and then promoting it to the primary certificate, applies only to self-signed certificates that are generated by AD FS 2.0.”
“You can configure when AD FS 2.0 generates the new token signing certificate. When the certificate rollover time comes, AD FS 2.0 generates a new certificate with the same name as the expiring certificate but with a different private key and thumbprint. Once a new certificate is generated, it will remain as a secondary certificate for five days before being promoted as the primary certificate. Five days is the default period, but this is configurable.”
In my case, our certificate was set to expire on 3/21/2012, and the 20 day mark would have been on 3/1/2012. Our single-sign on stopped working around that time.
I checked the ADFS Admin event log and sure enough, there was event ID 358 on 3/1/2012 indicating that there was a change detected in the certificates. “Requests that are served by endpoints of this service host may fail during restart”
Also, Event ID 335 stated “MSIS10005: Certificate rollover service has added certificate with thumbprint xx to 'Encryption' certificate collection.”
MSIS10005: Certificate rollover service has added certificate with thumbprint xx to 'Signing' certificate collection.
So if you see event 335 you have 5 days to proactively run the Update-MSOLFederatedDomain cmdlet before users will be unable to sign into Office 365.
On 3/6/2012, I noticed Event ID 358
“Restarting SAML Token Issuance ServiceHost. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart.”
“Restarting Issuance ServiceHost. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart. “
Followed by two event ID 335
“MSIS10004: Certificate rollover service has set certificate with thumbprint xx as primary 'Encryption' certificate.”
“MSIS10004: Certificate rollover service has set certificate with thumbprint xx as primary 'Signing' certificate.
It is deceiving because these are ‘Informational’ event ID’s instead of ‘Warning’ or Errors and therefore would not get noticed by someone monitoring the event log for problems. (I usually only look at Warnings and Errors when looking at events).
The token signing certificate does not reside in the internal certificate store on the server, so it is not possible to check the expiration date using the MMC -> Certificates snap-in. The only way I have found to find the expiration date is to check run the Get-MSOLFederationProperty cmdlet on the ADFS server.
Solving the problem
1. Logon to ADFS server
2. Launch the Microsoft Online Services Identity Federation Management Tool (powershell) and run $cred=Get-Credential
3. connect-msolservice -credential $cred
4. Set-MSOLContextCredential -MSOLAdminCredentials $cred
5. Get-MSOLFederationProperty -DomainName catapultsystems.com (save output)
6. Update-MSOLFederatedDomain -DomainName catapultsystems.com
7. Get-MSOLFederationProperty -DomainName catapultsystems.com (compare with original output to see if serial number was updated)
You should now be able to sign into Office 365.