Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

"AD FS Token-Signing certificate is not valid" error after you run the MOSDAL Support Toolkit



Problem

After you run the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit, the Active Directory Federation Services (AD FS) diagnostics log shows the following error message:
The AD FS Token-Signing certificate is not valid.
Note The log is located at Admin_Applications\SSO_Diagnostic_Tests\ADFSDiagnostic.txt.

Additionally, you may experience one of the following symptoms when you sign in to Office 365 web services by using the credentials of a single sign-on (SSO)-enabled user ID:
  • You receive an "Organization could not sign you in" error message from login.microsoftonline.com.
  • You receive a "There was a problem accessing this site" error message before you can provide credentials to AD FS.

Cause

This issue may occur if one of the following conditions is true:
  • The token-signing certificate has expired because AD FS certificate auto-renewal was turned off.
  • The token-signing certificate was auto-renewed on the AD FS server, but the new certificate information was not updated in the Windows Azure AD authentication system.

Solution

To resolve this issue, follow these steps.

Step 1

Check whether the AD FS token-signing certificate has expired, and renew it if necessary by following the steps in the following Microsoft Knowledge Base article:
2713898 "There was a problem accessing the site" error from AD FS when a federated user signs in to an organizational account

Step 2

Even if the AD FS token-signing certificate has not expired, this error can also occur if the AD FS token-signing certificate was renewed on the AD FS server without the certificate information being updated in the Windows Azure AD authentication system. To update the AD FS token-signing certificate information in the Windows Azure AD authentication system, see the "How to update the configuration of the Office 365 federated domain" section of the following Microsoft Knowledge Base article:

2647048 How to update or to repair the configuration of the Office 365 federated domain

More information

A script is available to automate the regular updates of the federation metadata. This makes sure that changes to the AD FS token-signing certificate are replicated correctly. The script is available at the following Microsoft website:


This script can be deployed as a Windows scheduled task on the primary AD FS server to make sure that changes to the AD FS configuration (such as trust information and signing certificate updates) are regularly propagated to the Windows Azure AD authentication system. If the token-signing certificate is automatically renewed in an environment where the script is implemented, the script will update the cloud trust information to prevent downtime that is caused by out-of-date cloud certificate information.
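The following PowerShell script is an added example, not the script that Microsoft provides or any code from the original article. It checks the two causes described in this article: whether the primary AD FS token-signing certificate has expired, and whether the certificate that Windows Azure AD trusts for the federated domain still matches it. It assumes the MSOnline module and the AD FS cmdlets are installed, that it runs on the primary AD FS server, and it uses the placeholder values contoso.com and adfs.contoso.com.

```powershell
# Added example (not from the KB article or Microsoft's script).
# Compares the AD FS primary token-signing certificate with the one held
# by Windows Azure AD, and optionally pushes the AD FS configuration.
# Placeholders: replace "contoso.com" and "adfs.contoso.com".
param(
    [string]$DomainName = "contoso.com",       # federated domain (placeholder)
    [string]$AdfsServer = "adfs.contoso.com",  # primary AD FS server (placeholder)
    [int]$WarnDays      = 30,                  # warn this many days before expiry
    [switch]$Update                            # push AD FS config to Azure AD if mismatched
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService                            # prompts for tenant administrator credentials
Set-MsolADFSContext -Computer $AdfsServer      # tell MSOnline which AD FS server to read

# 1. Primary token-signing certificate as configured in AD FS.
$local = Get-AdfsCertificate -CertificateType Token-Signing |
         Where-Object { $_.IsPrimary }
$cert = $local.Certificate                     # X509Certificate2
Write-Host ("AD FS token-signing cert: {0}, expires {1}" -f $cert.Thumbprint, $cert.NotAfter)

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Token-signing certificate has EXPIRED (first cause in the article)."
} elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
    Write-Warning "Token-signing certificate expires within $WarnDays days."
}

# 2. Certificate that Windows Azure AD currently trusts for this domain.
#    Get-MsolFederationProperty returns one entry per source; the cloud-side
#    entry is labelled "Microsoft Office 365".
$cloud = Get-MsolFederationProperty -DomainName $DomainName |
         Where-Object { $_.Source -eq "Microsoft Office 365" }
$cloudThumb = $cloud.TokenSigningCertificate.Thumbprint
Write-Host ("Azure AD token-signing cert for {0}: {1}" -f $DomainName, $cloudThumb)

if ($cloudThumb -ne $cert.Thumbprint) {
    Write-Warning "Azure AD holds a different certificate (second cause in the article)."
    if ($Update) {
        # Same operation Step 2 describes: update the federated domain configuration.
        Update-MsolFederatedDomain -DomainName $DomainName
        Write-Host "Federation configuration pushed to Windows Azure AD."
    } else {
        Write-Host "Re-run with -Update to push the AD FS configuration to Azure AD."
    }
} else {
    Write-Host "AD FS and Windows Azure AD agree on the token-signing certificate."
}
```

Run it without -Update first to see the mismatch report; with -Update it performs the same update that the article's Step 2 describes, so schedule it only after confirming the AD FS configuration is the intended one.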

Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.

Keywords: o365, mosdal4.5, o365022013, after, upgrade, o365062011, pre-upgrade, o365e, o365m, o365a, KB2707368

Article Info
Article ID : 2707368
Revision : 12
Created on : 9/29/2013
Published on : 9/29/2013
Exists online : False
Views : 626