Symptom: After you replace the SSL certificates on your ADFS servers, you continue to receive the following alert in the Office 365 portal.
Renew your certificates
One of your on-premises Federation Service certificates is expiring. Failure to renew the certificate and update trust properties within XX days will result in a loss of access to all Office 365 services for all users. Update now
Solution: This alert is raised when any of the three certificates required to federate with Office 365 (Service Communications, Token-decrypting, and Token-signing) is nearing its expiration date. Replacing the certificates on the ADFS servers is not enough on its own: Office 365 keeps its own copy of your federation metadata, so the alert persists until the federated trust is updated with the new certificates.
Verify which certificate is about to expire
- Log in to your primary ADFS server
- Open up Server Manager
- Select Tools -> AD FS Management
- Under AD FS expand Service and select Certificates
- Verify if any certificates are set to expire
- Note: In this case, you can see the Token-decrypting and Token-signing certificates are set to expire soon
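The same check from PowerShell, as an added example that is not part of the original article. It runs in an elevated PowerShell session on the primary ADFS server (the ADFS module of Windows Server 2012 R2; on AD FS 2.0 load the Microsoft.Adfs.PowerShell snap-in first). The 30-day warning threshold is an assumption chosen for this example, and the AutoCertificateRollover value is shown because it determines whether the Token-signing and Token-decrypting certificates are managed by ADFS itself or were issued to you and must be replaced by hand.

```powershell
# Added example, not code from the original article.
# Run as administrator on the primary ADFS server.
$warnDays = 30          # assumption: warn when fewer than 30 days remain
$now      = Get-Date

Get-AdfsCertificate | ForEach-Object {
    $cert     = $_.Certificate                          # X509Certificate2
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays

    if ($daysLeft -lt 0)              { $status = 'EXPIRED'  }
    elseif ($daysLeft -le $warnDays)  { $status = 'EXPIRING' }
    else                              { $status = 'OK'       }

    New-Object PSObject -Property @{
        Type       = $_.CertificateType   # Service-Communications, Token-Decrypting, Token-Signing
        IsPrimary  = $_.IsPrimary
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
} | Sort-Object DaysLeft |
    Format-Table Type, IsPrimary, Status, DaysLeft, NotAfter, Thumbprint -AutoSize

# If this is $true, ADFS generates and rolls the Token-signing and
# Token-decrypting certificates itself; if $false they were issued to you
# and have to be replaced manually.
Get-AdfsProperties | Select-Object AutoCertificateRollover
```

Check the Status column for every row, not just the primary certificates: a secondary Token-signing certificate that has already expired is still published in your federation metadata.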
Replace the expired or expiring certificates
I don't currently have a tutorial on replacing each certificate, and the process differs for each one. Here are a few articles that might help you:
Replacing the Service Communications certificate: http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx
Replacing the Token-signing and Token-decrypting certificates: http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-2-0-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx#Replacing_the_Token-Signing_certificate
Update the federated trust with Office 365
- Once the new certificates are in place and none of them is nearing its expiration date, open the Windows Azure Active Directory Module for Windows PowerShell as an administrator
- Note: Installation instructions and the download for this can be found here: http://technet.microsoft.com/en-us/library/jj151815.aspx
- Execute the following command
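The trust update step as an added example, not code from the original article. It is run from the Windows Azure Active Directory Module for Windows PowerShell (the MSOnline cmdlets) as an administrator, on the primary ADFS server. The domain name and the ADFS server name are placeholders for this example; the comparison at the end checks that Office 365 now holds the same Token-signing certificate that ADFS is actually using, which is what clears the alert.

```powershell
# Added example, not code from the original article.
# Requires the MSOnline module (Windows Azure Active Directory Module for
# Windows PowerShell) and an Office 365 global administrator account.
$domain = 'contoso.com'     # placeholder: your federated domain

Connect-MsolService         # prompts for Office 365 administrator credentials

# Only needed when this session is not running on the primary ADFS server:
# Set-MsolADFSContext -Computer adfs01.corp.contoso.com   # placeholder name

# Before: one row comes from the ADFS server, one from Office 365.
# A different TokenSigningCertificate thumbprint on the two rows is exactly
# the situation the portal alert is warning about.
Get-MsolFederationProperty -DomainName $domain |
    Select-Object Source, IssuerUri, TokenSigningCertificate, NextTokenSigningCertificate |
    Format-List

# Push the current ADFS certificates and endpoints into Office 365.
# Add -SupportMultipleDomain if more than one domain is federated through this ADFS farm.
Update-MsolFederatedDomain -DomainName $domain

# After: both sources should now report the same Token-signing certificate.
$props = Get-MsolFederationProperty -DomainName $domain
$adfs  = $props | Where-Object { $_.Source -like 'ADFS*' }
$o365  = $props | Where-Object { $_.Source -like 'Microsoft Office 365*' }

if ($adfs.TokenSigningCertificate.Thumbprint -eq $o365.TokenSigningCertificate.Thumbprint) {
    'OK: Office 365 and ADFS agree on the Token-signing certificate.'
} else {
    'MISMATCH: Office 365 still holds a different certificate; check the ADFS context and re-run Update-MsolFederatedDomain.'
}
```

Run Update-MsolFederatedDomain once per federated domain. The "Renew your certificates" alert is driven by the metadata Office 365 holds, so it may take a little time after the update before the portal stops showing it.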