EvoSTS certificates are managed by Azure Active Directory (Azure AD) and are rolled over regularly on a per-tenant basis; for some users this happens more frequently than for others. Neither the rollover itself nor its schedule is visible to the user. Such a rollover can cause service outages for users running Hybrid Modern Authentication (HMA). The problem occurs when a worker process is started or recycled, or when a server is brought back from maintenance, while the key material stored in on-premises Active Directory (AD) no longer matches the key material Azure AD is using.

When a worker process initializes, the first request carrying bearer authentication data loads the OAuth libraries and initializes the key material by reading it from the AuthServer object in AD. From then on, the worker process can authenticate requests carrying bearer authentication data. However, if the key material in Azure AD (EvoSTS) has been rolled over in the meantime, the worker process rejects those requests with an invalid message security error: the key material does not match, so the signature no longer verifies. Only after a random interval (timer maximum 30 minutes) does the worker process look up and fetch the current key material online from the published metadata endpoint.
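The sequence above (lazy load of cached key material on the first bearer request, rejection of every token after the issuer rolls its key, recovery only when the refresh timer fires) is simulated below. This is an added illustration, not code from the KB article or from Exchange: the issuer, the HMAC-SHA256 signature standing in for the real certificate-based one, the derived keys, the `FakeClock`, and the `refresh_on_unknown_kid` option (a mitigation common in token validators, not one the article describes) are all constructed for the example. The 30 minute value is the article's stated timer maximum; the real timer is randomized.

```python
"""Simulation of the HMA outage window: a worker process caches signing keys at
first use and refreshes them only when its timer expires, so tokens signed
after an issuer key rollover fail until the next refresh."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

REFRESH_INTERVAL_SECONDS = 30 * 60  # article: timer maximum 30 minutes (real timer is randomized)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeClock:
    """Controllable clock so the refresh timer can be driven deterministically."""

    def __init__(self) -> None:
        self.t = 0

    def now(self) -> int:
        return self.t

    def advance(self, seconds: int) -> None:
        self.t += seconds


class Issuer:
    """Stand-in for the token service (EvoSTS). HMAC-SHA256 replaces the real
    certificate signature; the key derivation is constructed for reproducibility."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.current_kid = ""
        self.rollover("kid-1")

    def rollover(self, kid: str) -> None:
        # Constructed key: derived from the kid only so the example is reproducible.
        self.keys = {kid: hashlib.sha256(f"constructed-secret-{kid}".encode()).digest()}
        self.current_kid = kid

    def metadata(self) -> dict:
        """What the published metadata endpoint would return (hypothetical format)."""
        return {"keys": {kid: b64url_encode(k) for kid, k in self.keys.items()}}

    def issue(self, subject: str) -> str:
        header = b64url_encode(json.dumps({"alg": "HS256", "kid": self.current_kid}).encode())
        payload = b64url_encode(json.dumps({"sub": subject}).encode())
        sig = hmac.new(self.keys[self.current_kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url_encode(sig)}"


class WorkerProcess:
    """Models one worker process: key material is loaded on the first bearer
    request (the AuthServer read) and refreshed only when the timer expires or,
    optionally, when a token names a kid the cache has never seen."""

    def __init__(self, issuer: Issuer, clock: FakeClock, refresh_on_unknown_kid: bool = False) -> None:
        self.issuer = issuer
        self.clock = clock
        self.refresh_on_unknown_kid = refresh_on_unknown_kid
        self.keys: Optional[Dict[str, bytes]] = None  # None until the first request (lazy init)
        self.last_refresh = 0

    def _load_keys(self) -> None:
        self.keys = {kid: b64url_decode(k) for kid, k in self.issuer.metadata()["keys"].items()}
        self.last_refresh = self.clock.now()

    def authenticate(self, token: str) -> Tuple[bool, str]:
        if self.keys is None or self.clock.now() - self.last_refresh >= REFRESH_INTERVAL_SECONDS:
            self._load_keys()
        header, payload, sig = token.split(".")
        kid = json.loads(b64url_decode(header))["kid"]
        key = self.keys.get(kid)
        if key is None and self.refresh_on_unknown_kid:
            self._load_keys()  # mitigation: refetch metadata once for an unseen kid
            key = self.keys.get(kid)
        if key is None:
            return False, "key material does not match (unknown kid)"
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False, "invalid signature"
        return True, "ok"


def simulate(refresh_on_unknown_kid: bool = False) -> List[str]:
    """Outage scenario: first request loads keys, the issuer rolls over, requests
    fail until the refresh timer fires. Returns the per-request outcome strings."""
    clock = FakeClock()
    issuer = Issuer()
    worker = WorkerProcess(issuer, clock, refresh_on_unknown_kid)
    outcomes = []
    outcomes.append(worker.authenticate(issuer.issue("alice"))[1])  # loads kid-1, ok
    issuer.rollover("kid-2")                                         # EvoSTS rollover
    clock.advance(60)
    outcomes.append(worker.authenticate(issuer.issue("alice"))[1])  # cache still holds kid-1
    clock.advance(REFRESH_INTERVAL_SECONDS)
    outcomes.append(worker.authenticate(issuer.issue("alice"))[1])  # timer refresh, ok again
    return outcomes


if __name__ == "__main__":
    print(simulate())
    print(simulate(refresh_on_unknown_kid=True))
```

With the default settings the middle request fails for the whole window between rollover and timer expiry, which is the outage the article describes; with `refresh_on_unknown_kid=True` the worker refetches metadata on the first token carrying an unfamiliar key identifier and the window closes immediately.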
Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.