Office 365 was launched just over a year ago, so organizations that implemented AD FS single sign-on (SSO) at launch are about to run into an issue with that implementation, the result of which is that NO federated user is able to sign in to any of the Office 365 services.
"Set it and forget it" works for just one year if you implemented AD FS the fast and easy way, with the certificates AD FS generates itself. A couple of things might have happened in those 12 months:
– Token Signing Certificate is expired
– MSOL Services Module for Windows PowerShell has not been updated
– Sign In URL Certificate is expired
In this blog post I'll walk through the update process for the first two items on this list. The web service (Sign In URL) certificate most likely is a public certificate; it has to be renewed with your public CA and then re-assigned through the IIS Management Console.
Of course it is best to do this BEFORE the expiration dates; once the token signing certificate has expired, federated users are already locked out.
The starting point for renewing the Token Signing Certificate is a look at the current settings in both the AD FS Management Console and MSOL PowerShell:
Open the MSOL Services Module for Windows PowerShell and enter the following commands (the dashes in the parameter names are plain hyphens):
$cred = Get-Credential    # enter your Online Admin credentials
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <your adfs servername>
Get-MsolFederationProperty -DomainName <your domainname>
The output looks something like this:
Have a close look at the Token Signing Certificate's "not after" date and thumbprint. The output lists the certificate twice, once from Source "your AD FS Server" and once from Source "Microsoft Office 365", and as long as federation works both values are identical on both sources. If they differ, Office 365 is already out of sync with AD FS.
On the AD FS server, open PowerShell as Administrator (on AD FS 2.0 load the Microsoft.Adfs.PowerShell snap-in first) and run:
Update-ADFSCertificate -CertificateType Token-Signing -Urgent:$true
Two things to know about this command: -Urgent makes the new certificate primary immediately, without the normal rollover period in which the new certificate is published as a secondary certificate first, so federated sign-in is broken from this moment until Office 365 has been updated in the next step. And the cmdlet only works when AutoCertificateRollover is enabled in the AD FS properties, which is the default for the self-signed certificates.
You can check the new certificate by looking at the date in the AD FS Management Console.
Office 365 still holds the old certificate at this point, so it has to be updated with the new federation metadata from the MSOL PowerShell session opened earlier. The command for doing that is:
Update-MsolFederatedDomain -DomainName <your domainname>
Check the result by running the Get-MsolFederationProperty command from the beginning again: the thumbprint and "not after" date should now be identical for both sources, and both should show the new certificate.
If you did not use the self-signed certificates in AD FS but assigned certificates from your own PKI, AutoCertificateRollover is disabled and Update-ADFSCertificate will not renew anything; in that case please see the following website: http://support.microsoft.com/kb/2383983 .
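The complete procedure above as one script, with the checks a practitioner wants around it: it refuses to run when AutoCertificateRollover is off, records what AD FS and Office 365 report before the change, only renews when the certificate is close to expiry (or -Force is given), pushes the new metadata to Office 365 straight after the urgent rollover, and verifies that both sources agree afterwards. This is an added example and not code from the original post. It assumes AD FS 2.0 (the Microsoft.Adfs.PowerShell snap-in; on Windows Server 2012 the module is called ADFS), the MSOnline module of the MSOL Services Module, the Source and TokenSigningCertificate properties on the Get-MsolFederationProperty output, and placeholder values for the domain and server names.

```powershell
# Added example, not from the original post. Assumes AD FS 2.0 (Microsoft.Adfs.PowerShell
# snap-in; on Windows Server 2012 use Import-Module ADFS) and the MSOnline module.
# Run on the AD FS server in an elevated PowerShell window. Written for PowerShell 2.0.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainName,                        # placeholder: your federated domain, e.g. contoso.com
    [string]$AdfsServer = $env:COMPUTERNAME,    # placeholder: AD FS server name
    [int]$WarnDays = 30,                        # renew when fewer than this many days are left
    [switch]$Force                              # renew regardless of remaining validity
)

Import-Module MSOnline -ErrorAction Stop
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$cred = Get-Credential                          # Office 365 global administrator
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $AdfsServer

# Update-ADFSCertificate only renews AD FS-generated (self-signed) certificates, and only
# when AutoCertificateRollover is enabled; PKI-issued certificates follow KB2383983 instead.
if (-not (Get-ADFSProperties).AutoCertificateRollover) {
    throw "AutoCertificateRollover is disabled on $AdfsServer; follow KB2383983 instead."
}

# Thumbprint and expiry of the token signing certificate as seen by AD FS and by Office 365
function Get-SigningState {
    Get-MsolFederationProperty -DomainName $DomainName | ForEach-Object {
        New-Object PSObject -Property @{
            Source     = $_.Source
            Thumbprint = $_.TokenSigningCertificate.Thumbprint
            NotAfter   = $_.TokenSigningCertificate.NotAfter
        }
    }
}

Write-Host "Before:"
$before = Get-SigningState
$before | Format-Table Source, Thumbprint, NotAfter -AutoSize

$primary  = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$daysLeft = ($primary.Certificate.NotAfter - (Get-Date)).Days
if ($daysLeft -gt $WarnDays -and -not $Force) {
    Write-Host "Token signing certificate is valid for $daysLeft more days; nothing to do."
    return
}

# -Urgent makes the new certificate primary at once (no secondary-certificate grace period),
# so federated sign-in is broken from here until Update-MsolFederatedDomain has run.
Update-ADFSCertificate -CertificateType Token-Signing -Urgent
Update-MsolFederatedDomain -DomainName $DomainName

Write-Host "After:"
$after = Get-SigningState
$after | Format-Table Source, Thumbprint, NotAfter -AutoSize

# Both sources must now report one and the same thumbprint, and it must be a new one
$thumbs = $after | Select-Object -ExpandProperty Thumbprint | Select-Object -Unique
if (@($thumbs).Count -ne 1) {
    throw "AD FS and Office 365 still report different token signing certificates."
}
if ($before | Where-Object { $_.Thumbprint -eq $thumbs }) {
    throw "Thumbprint unchanged; Update-ADFSCertificate did not issue a new certificate."
}
Write-Host "Token signing certificate renewed; thumbprint $thumbs on both sides."
```

If the domain was federated with the -SupportMultipleDomain switch (several domains on one AD FS farm), pass that switch to Update-MsolFederatedDomain as well, otherwise the update fails. Run the script once per federated domain.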
To avoid issues of this kind altogether, you can use the Microsoft Office 365 Federation Metadata Update Automation Installation Tool, which sets up a scheduled task that pushes the AD FS federation metadata to Office 365 so that certificate rollovers are picked up automatically. You can download it from:
Finally, it is a good idea to check that you are using the latest version of the MSOL Services Module for Windows PowerShell. As far as I know this tool is not updated by Windows Update.