Back

ADFS Token Signing Certificate Expiry Causes Sign-On Errors

When you install ADFS you must upload your certificate settings thumbprint to the Federated Relying Party in this case Office 365 The default exp...

2 min read
Published on Apr 8, 2012
ADFS Token Signing Certificate Expiry Causes Sign-On Errors

When you install ADFS, you must upload your certificate settings/thumbprint to the Federated Relying Party, in this case, Office 365.  The default expiration with standard ADFS 2.0 installation is a self signing certificate that expires every year.

Symptoms of user Errors in Browser on Office 365 Portal/Service Logon using federated identity:

  • “There was a problem accessing the site. Try to browse the site again.”
  • “Your organization could not sign you in to this service. There may be a system error. Please contact administrator at your organization if this problem persists.”

Application and Services Logs > ADFS 2.0 > Admin:

  • Event ID 358: Restarting Issuance ServiceHost. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart.

Potential Solution If these events occur, it’s a good bet your ADFS signing certificate expired and must be Ensure latest Microsoft Online Services Module for PowerShell installed. Download the module for your 32 or 64 bit system here.

Note - Microsoft Online Services Identity Federation Management PowerShell Module is deprecated and everything can now be configured in the Microsoft Online Services Module.

Powershell Commands:

  • Connect-MsolService Note - You will be prompted for credentials, enter a NON-Federated Office 365 admin account.

  • Optional, only If you’re NOT Running PowerShell From ADFS server: Set-MSOLAdfscontext -Computer YourAdfsServer.mydomain.local

  • Update-MSOLFederatedDomain -DomainName YourDomain.com

  • You can verify the thumbprint updated on Microsoft Online Federation gateway:Get-MSOLFederationProperty -DomainName YourDomain.com

Note – You will also need to update your other SAML Relying Parties such as Concur, Webex, Salesforce, Zendesk, and Google Apps.

If you would like assistance in federation for your organization, please learn more about AgileIdentity, our fixed price identity and access solution.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

NIST SP 800-171 vs 800-172: Key Differences Explained

Key Differences Between NIST SP 800-171 and NIST SP 800-172

Explore the key differences between NIST SP 800-171 and NIST SP 800-172, including how 800-172 enhances security for protecting Controlled Unclassified Information (CUI) against advanced threats.

Nov 4, 2025
6 min read
Tenant Migrations for DFARS-Covered Entities

Handling Sensitive Data in Tenant Migrations for DFARS-Covered Entities

Learn how to securely manage sensitive data during tenant migrations for DFARS-covered entities. Understand CUI protections, cloud tools, and compliance strategies.

Oct 31, 2025
7 min read
Compliant Tenant Migration for DoD Subcontractors

Compliant Tenant-to-Tenant Migration for DoD Subcontractors

Learn how to execute a secure and compliant Microsoft 365 tenant-to-tenant migration for DoD subcontractors while protecting CUI and meeting DFARS and NIST 800-171.

Oct 27, 2025
8 min read
NIST SP 800-171 Considerations in Microsoft 365 Tenant Migrations

NIST SP 800-171 Considerations in Microsoft 365 Tenant Migrations

Ensure compliance with NIST 800-171 when migrating Microsoft 365 tenants. Learn how to secure CUI, meet control requirements, and reduce migration risks.

Oct 27, 2025
7 min read
Secure Tenant Migration for Defense Contractors

Secure Tenant-to-Tenant Migration for Defense Contractors

Learn how defense contractors can perform secure tenant-to-tenant migrations while protecting CUI and meeting DFARS and CMMC requirements.

Oct 27, 2025
8 min read
GCC High Tenant Migration Guide for Secure Environments

How to Migrate Tenants to GCC or GCC High Environments

Learn how to migrate Microsoft 365 tenants to GCC or GCC High for compliance with DFARS, NIST 800-171, and CMMC requirements. Step-by-step guidance included.

Oct 24, 2025
8 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don’t want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122