Article ID: 2707368

PROBLEM

After you run the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit, the Active Directory Federation Services (AD FS) diagnostics log that's located at Admin_Applications\SSO_Diagnostic_Tests\ADFSDiagnostic.txt shows the following error message:
The AD FS Token-Signing certificate is not valid.

Additionally, you may experience one of the following symptoms when you sign in to your Microsoft cloud service such as Office 365, Microsoft Azure, or Windows Intune by using a federated account:
  • You receive an "Organization could not sign you in" error message from login.microsoftonline.com.
  • You receive a "There was a problem accessing this site" error message before you can provide credentials to AD FS.

CAUSE

This issue may occur if one of the following conditions is true:
  • The token-signing certificate is expired because the AD FS certificate auto-renew was deactivated.
  • The token-signing certificate was auto-renewed but not updated to the Azure AD authentication system.

SOLUTION

To resolve this issue, follow these steps.

Step 1

Check the AD FS token-signing certificate for expiration, and renew it as necessary by following the steps in the following Microsoft Knowledge Base article:
2713898 "There was a problem accessing the site" error from AD FS when a federated user signs in to Office 365, Azure, or Windows Intune

Step 2

Whether or not the AD FS token-signing certificate is expired, this error may also occur if the AD FS token-signing certificate was renewed on the AD FS server without the certificate information being updated in the Azure AD authentication system. To update the AD FS token-signing certificate information in the Azure AD authentication system, see the "How to update the configuration of the Office 365 federated domain" section of the following Microsoft Knowledge Base article:

2647048 How to update or repair the settings of a federated domain in Office 365, Azure, or Windows Intune

MORE INFORMATION

A script is available to automate the regular updates of the federation metadata. This makes sure that changes to the AD FS token-signing certificate are replicated correctly. The script is available at the following Microsoft website:

http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

This script can be deployed as a Windows scheduled task on the primary AD FS server to make sure that changes to the AD FS configuration (such as trust information and signing certificate updates) are regularly propagated to the Azure AD authentication system. If the token-signing certificate is automatically renewed in an environment where the script is implemented, the script will update the cloud trust information to prevent downtime that is caused by out-of-date cloud certificate information.
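The following PowerShell is an added example that is not the gallery script above and not part of this article: it performs the two checks that Step 1 and Step 2 describe, namely whether the primary token-signing certificate on the AD FS server is expired or close to expiry, and whether the certificate Azure AD has on file for the federated domain still matches it. It assumes it runs on the primary AD FS server with the ADFS module (Get-AdfsCertificate) and the MSOnline module (Connect-MsolService, Get-MsolFederationProperty, Update-MsolFederatedDomain) installed, and that the Source values returned by Get-MsolFederationProperty distinguish the AD FS side from the cloud side (matched here with the wildcard '*ADFS*', an assumption).

```powershell
# Added example: compare the AD FS token-signing certificate with the copy
# Azure AD holds for a federated domain and flag expiry or mismatch.
# Assumptions: primary AD FS server, ADFS and MSOnline modules present,
# account used can read the federation settings of the domain.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,  # placeholder, e.g. contoso.com
    [int]$WarnDays = 30                                   # warn this many days before expiry
)

Import-Module ADFS
Import-Module MSOnline
Connect-MsolService   # prompts for the Azure AD administrator credentials

# Step 1 check: expiry of the primary token-signing certificate on the AD FS server.
$primary  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$daysLeft = ($primary.Certificate.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    Write-Warning "Primary token-signing certificate expired on $($primary.Certificate.NotAfter)"
} elseif ($daysLeft -lt $WarnDays) {
    Write-Warning "Primary token-signing certificate expires in $daysLeft days"
} else {
    Write-Output "Primary token-signing certificate is valid for $daysLeft more days"
}

# Step 2 check: does Azure AD still hold the same token-signing certificate?
# Get-MsolFederationProperty returns one entry per side of the trust; the
# Source property names the side (wildcard match is an assumption).
$props     = Get-MsolFederationProperty -DomainName $DomainName
$adfsSide  = $props | Where-Object { $_.Source -like '*ADFS*' }
$cloudSide = $props | Where-Object { $_.Source -notlike '*ADFS*' }
$adfsThumb  = $adfsSide.TokenSigningCertificate.Thumbprint
$cloudThumb = $cloudSide.TokenSigningCertificate.Thumbprint

if ($adfsThumb -eq $cloudThumb) {
    Write-Output "Azure AD trust is current (thumbprint $cloudThumb)"
} else {
    # This is the condition from the CAUSE section: renewed on AD FS, not in the cloud.
    Write-Warning "Mismatch: AD FS signs with $adfsThumb but Azure AD has $cloudThumb"
    Write-Warning "Update the trust with: Update-MsolFederatedDomain -DomainName $DomainName"
}
```

Scheduled as a recurring task alongside the gallery script, the mismatch warning gives early notice of the "certificate is not valid" condition before users see the sign-in errors listed under PROBLEM.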


Properties

Article ID: 2707368 - Last Review: July 9, 2014 - Revision: 20.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management
Keywords: 
o365 o365a mosdal4.5 o365022013 o365e o365m KB2707368
