Article ID: 2707368
After you run the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit, the Active Directory Federation Services (AD FS) diagnostics log that's located at Admin_Applications\SSO_Diagnostic_Tests\ADFSDiagnostic.txt shows the following error message:
The AD FS Token-Signing certificate is not valid.
Additionally, you may experience one of the following symptoms when you sign in to a Microsoft cloud service, such as Office 365, Microsoft Azure, or Windows Intune, by using a federated account:
This issue may occur if one of the following conditions is true:
To resolve this issue, follow these steps.
Step 1: Check the AD FS token-signing certificate for expiration, and renew it as necessary by following the steps in the following Microsoft Knowledge Base article:
KB 2713898: "There was a problem accessing the site" error from AD FS when a federated user signs in to Office 365, Azure, or Windows Intune (http://support.microsoft.com/kb/2713898/)
Step 2: Whether or not the AD FS token-signing certificate is expired, this error may also be caused if the AD FS token-signing certificate was renewed on the AD FS server without the certificate information being updated in the Azure AD authentication system. To update the AD FS token-signing certificate information in the Azure AD authentication system, see the "How to update the configuration of the Office 365 federated domain" section of the following Microsoft Knowledge Base article:
KB 2647048: How to update or repair the settings of a federated domain in Office 365, Azure, or Windows Intune (http://support.microsoft.com/kb/2647048/)
A script is available to automate the regular updates of the federation metadata. This makes sure that changes to the AD FS token-signing certificate are replicated correctly. The script is available at the following Microsoft website:
This script can be deployed as a Windows scheduled task on the primary AD FS server to make sure that changes to the AD FS configuration (such as trust information and signing certificate updates) are regularly propagated to the Azure AD authentication system. If the token-signing certificate is automatically renewed in an environment where the script is implemented, the script will update the cloud trust information to prevent downtime that is caused by out-of-date cloud certificate information.
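The two steps above can be checked from the primary AD FS server before anything is changed. The following PowerShell is an added example, not the script the article refers to and not Microsoft's code: it reads the primary token-signing certificate on the AD FS server, warns if it is expired or close to expiry (Step 1), then compares the thumbprint Azure AD holds for the federated domain with the one AD FS is using and runs Update-MsolFederatedDomain only when they differ (Step 2). It assumes the AD FS PowerShell cmdlets (Get-AdfsCertificate) and the MSOnline module (Connect-MsolService, Get-MsolFederationProperty, Update-MsolFederatedDomain) are available on the primary AD FS server, that the Source and TokenSigningCertificate property names match your MSOnline module version, and that the domain name and the 30-day warning threshold are placeholders to replace.

```powershell
# Added example (not from the KB article or its linked script).
# Assumptions: run as an AD FS administrator on the primary AD FS server,
# MSOnline module installed, $DomainName is a placeholder federated domain.
$DomainName = "contoso.example"   # placeholder: replace with your federated domain
$WarnDays   = 30                  # placeholder threshold for an expiry warning

Import-Module MSOnline
Connect-MsolService               # prompts for a Global Administrator credential

# Step 1: inspect the primary token-signing certificate that AD FS is using.
$primary  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert     = $primary.Certificate  # X509Certificate2 behind the AD FS certificate entry
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Token-signing certificate $($cert.Thumbprint) expired on $($cert.NotAfter). Renew it first (see KB 2713898)."
} elseif ($daysLeft -le $WarnDays) {
    Write-Warning "Token-signing certificate $($cert.Thumbprint) expires in $daysLeft days."
} else {
    Write-Host "Token-signing certificate $($cert.Thumbprint) is valid until $($cert.NotAfter)."
}

# Step 2: compare the certificate Azure AD holds with the one AD FS is using.
# Get-MsolFederationProperty returns one entry sourced from the AD FS server
# and one sourced from Azure AD (the Office 365 side); property names as
# assumed for the MSOnline module.
$props = Get-MsolFederationProperty -DomainName $DomainName
$cloud = $props | Where-Object { $_.Source -like "*Office*" }
$local = $props | Where-Object { $_.Source -like "*ADFS*" }

$cloudThumb = $cloud.TokenSigningCertificate.Thumbprint
$localThumb = $local.TokenSigningCertificate.Thumbprint

if ($cloudThumb -ne $localThumb) {
    Write-Warning "Azure AD holds thumbprint $cloudThumb but AD FS signs with $localThumb; updating the federated domain."
    # Pushes the current AD FS trust information, including the signing
    # certificate, to Azure AD. Must be run on the primary AD FS server.
    Update-MsolFederatedDomain -DomainName $DomainName
} else {
    Write-Host "Azure AD and AD FS agree on token-signing thumbprint $localThumb."
}
```

Run the script once interactively to confirm the property names on your module version before scheduling anything; when the thumbprints already match, it changes nothing, so it is safe to run after every certificate rollover as a check that the cloud side picked up the new certificate.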
Still need help? Go to the Office 365 Community website (http://community.office365.com/) or the Azure Active Directory Forums.
Article ID: 2707368 - Last Review: July 9, 2014 - Revision: 20.0