When you try to sign in to a Microsoft cloud service such as Microsoft 365, Microsoft Azure, or Microsoft Intune by using a federated account, you receive a certificate warning from the AD FS web service in your browser.
This issue occurs when a validation error is encountered during a certificate test.
Before a certificate can be used to help secure a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) session, the certificate must pass the following standard tests. Each item describes the failure that triggers the corresponding warning:
Certificate isn't time valid. If the date on the server or client is earlier than the Valid from date (the issue date) of the certificate, or later than the Valid to date (the expiration date) of the certificate, the connection request issues a warning that's based on this state. To make sure that the certificate passes this test, check whether the certificate actually expired or was applied before it became active, and confirm that the clock on the client and on the AD FS servers is correct. Then apply the matching fix from the resolution section later in this article.
Service-name mismatch. If the URL that's used to make the connection doesn't match the valid names for which the certificate may be used, the connection request issues a warning that's based on this state. To make sure that the certificate passes this test, follow these steps:
Examine the URL in the address bar of the browser that's used to establish the connection.
Note
Focus on the server address (for example, sts.contoso.com) and not on the trailing path and query string (for example, /?request=…).
After you reproduce the error, follow these steps:
Click View Certificates, and then click the Details tab. Compare the server address from the browser address bar to the Subject field and to the Subject Alternative Name field in the Properties dialog box of the certificate.
If the server address isn't listed in either field, either exactly or by a matching wildcard entry such as *.contoso.com, the certificate must be reissued to include the server address that the browser used.
Certificate wasn't issued by a trusted root certification authority (CA). If the client computer that's requesting the connection doesn't trust the CA chain that generated the certificate, the connection request issues a warning that's based on this state. To make sure that the certificate passes this test, confirm that the issuing chain of the certificate ends in a root CA that's present in the client's Trusted Root Certification Authorities store; the CA trust resolution later in this article describes how to fix it if it doesn't.
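The three tests above can be reproduced from any client without a browser. The following script is an added example, not part of the original article and not AD FS product code; it assumes Windows PowerShell 5.1 or later on Windows (the subjectAltName text format it parses is the one Windows renders), that sts.contoso.com is a placeholder for the federation service name shown in the address bar, and that TCP port 443 on that host is reachable.

```powershell
# Added example (not from the original article): reproduce the three certificate tests
# (time validity, service-name match, trusted issuing chain) against an AD FS endpoint.
# Assumptions: Windows PowerShell 5.1+ on Windows; $AdfsHost is the federation service
# name from the browser address bar (sts.contoso.com is a placeholder); TCP 443 is open.
param(
    [string]$AdfsHost = 'sts.contoso.com',
    [int]$Port = 443
)

function Test-CertificateNameMatch {
    # $true when $HostName equals one of $CertNames, or matches a wildcard entry whose
    # single '*' covers exactly one left-most label (*.contoso.com matches sts.contoso.com,
    # but not contoso.com and not a.b.contoso.com).
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }   # -eq is case-insensitive in PowerShell
        if ($name.StartsWith('*.') -and
            $HostName.EndsWith($name.Substring(1), [StringComparison]::OrdinalIgnoreCase) -and
            $HostName.Split('.').Count -eq $name.Split('.').Count) { return $true }
    }
    return $false
}

# Accept any certificate during the handshake so it can be inspected afterwards. Nothing
# is sent after the handshake, so no credentials are exposed to an untrusted server.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

$tcp = [System.Net.Sockets.TcpClient]::new($AdfsHost, $Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($AdfsHost)   # SNI carries the same name the browser would send
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# Test 1: time validity, judged by this client's clock (a wrong local clock fails this too).
$now = Get-Date
$timeValid = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

# Test 2: service-name match against the Subject CN and every SAN DNS entry.
$certNames = @()
if ($cert.Subject -match 'CN=([^,]+)') { $certNames += $Matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Windows renders the extension as "DNS Name=sts.contoso.com, DNS Name=..."
    foreach ($entry in ($san.Format($false) -split ',')) {
        if ($entry -match 'DNS Name=(.+)') { $certNames += $Matches[1].Trim() }
    }
}
$nameMatch = Test-CertificateNameMatch -HostName $AdfsHost -CertNames $certNames

# Test 3: does the chain end in a root this client trusts? Revocation checking is turned
# off so the test stays offline; revocation is a separate failure from "untrusted root".
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainTrusted = $chain.Build($cert)

[pscustomobject]@{
    Host         = $AdfsHost
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotBefore    = $cert.NotBefore
    NotAfter     = $cert.NotAfter
    TimeValid    = $timeValid
    CertNames    = ($certNames -join ', ')
    NameMatch    = $nameMatch
    ChainTrusted = $chainTrusted
    ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}
```

Save it as Test-AdfsCertificate.ps1 and run `.\Test-AdfsCertificate.ps1 -AdfsHost sts.contoso.com` from the client that sees the warning. A false TimeValid maps to the first warning, a false NameMatch (compare CertNames with Host) to the second, and a false ChainTrusted with a ChainStatus of UntrustedRoot or PartialChain to the third. Running the same script from a second client with a known-good clock separates a certificate problem from a local date setting.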
To resolve this issue, use one of the following methods, depending on the warning message.
To resolve time-valid issues, follow these steps.
Reissue the certificate with an appropriate validity date. For more info about how to install and set up a new SSL certificate for AD FS, see How to change the AD FS 2.0 service communications certificate after it expires.
If an AD FS proxy was deployed, you must also install the certificate on the default website of the AD FS proxy by using the certificate export and import functions. For more info, see How to remove, import, and export digital certificates.
Important
Make sure that the private key is included in the export or import process. The AD FS Proxy server or servers must also have a copy of the private key installed.
Make sure that the date and time settings on the client computer and on all AD FS servers are correct. If the operating system date settings are incorrect, the warning is displayed in error: the local date falls outside the Valid from and Valid to range even though the certificate is current.
The AD FS service name is set when you run the AD FS Configuration Wizard and is based on the certificate that's bound to the default website. To resolve service name mismatch issues, make sure that the certificate bound to the AD FS service contains the federation service name that clients use, in its Subject or Subject Alternative Name field.
If the wrong certificate name was used to generate a replacement certificate, request a new certificate that includes the federation service name, and then bind it to the AD FS service.
If the AD FS IdP endpoint or smart links are used for a customized sign-in experience, make sure that the server name in those URLs matches the certificate that's assigned to the AD FS service.
In rare cases, this condition can also be caused by incorrectly trying to change the AD FS service name after implementation.
Important
These kinds of changes will cause an AD FS service outage. After the update, you must also update the federation settings for the domain in Microsoft 365 to restore single sign-on (SSO) functionality. The PowerShell modules historically used for that step are covered by the following note:
Note
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to the Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
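The service-name and time-validity checks above can also be run on the AD FS server itself, reading the federation service name and the bound certificate from the farm configuration rather than from a browser. The following script is an added example, not part of the original article and not AD FS product code; it assumes an elevated Windows PowerShell session on an AD FS server running Windows Server 2012 R2 or later with the ADFS module present (on AD FS 2.0, inspect the default website binding in IIS instead, because Get-AdfsSslCertificate doesn't exist there).

```powershell
# Added example (not from the original article): on an AD FS server, compare the
# federation service name with the certificate bound to it, and report the facts the
# article's three warnings depend on. Assumes Windows Server 2012 R2+ and an elevated
# session; every name is read from the farm, nothing is a placeholder.
Import-Module ADFS -ErrorAction Stop

$serviceName = (Get-AdfsProperties).HostName   # the name recorded by the Configuration Wizard

# Certificate bound to the federation service endpoint on 443.
$binding = Get-AdfsSslCertificate |
    Where-Object { $_.HostName -eq $serviceName -and $_.PortNumber -eq 443 } |
    Select-Object -First 1
if (-not $binding) {
    Write-Warning "No SSL binding found for $serviceName; review Get-AdfsSslCertificate output."
    return
}
$sslCert = Get-Item "Cert:\LocalMachine\My\$($binding.CertificateHash)"

# Service-communications certificate recorded in the AD FS configuration. It's normally
# the same certificate as the SSL binding; a mismatch usually means a replacement was
# bound in IIS/HTTP.sys but never set in AD FS, or the other way round.
$svcComm = Get-AdfsCertificate -CertificateType Service-Communications |
    Where-Object IsPrimary | Select-Object -First 1

# DnsNameList is filled in by PowerShell from the SAN (falling back to the Subject CN).
$dnsNames = @($sslCert.DnsNameList.Unicode)
$exactMatch = $dnsNames -contains $serviceName
$wildcardMatch = $dnsNames | Where-Object {
    # *.contoso.com covers sts.contoso.com only when the label count is the same
    $_.StartsWith('*.') -and ($serviceName -like $_) -and
    ($serviceName.Split('.').Count -eq $_.Split('.').Count)
}

# Chain trust as seen by this server; offline (no revocation) to match the article's test.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$now = Get-Date

[pscustomobject]@{
    FederationServiceName    = $serviceName
    BoundCertThumbprint      = $sslCert.Thumbprint
    ServiceCommThumbprint    = $svcComm.Thumbprint
    ThumbprintsMatch         = ($sslCert.Thumbprint -eq $svcComm.Thumbprint)
    CertificateNames         = ($dnsNames -join ', ')
    ServiceNameCovered       = [bool]($exactMatch -or $wildcardMatch)
    TimeValid                = ($now -ge $sslCert.NotBefore -and $now -le $sslCert.NotAfter)
    NotAfter                 = $sslCert.NotAfter
    ChainTrustedOnThisServer = $chain.Build($sslCert)
    HasPrivateKey            = $sslCert.HasPrivateKey   # required before exporting to a proxy
    TimeSource               = (w32tm /query /source)   # "Local CMOS Clock" points at a clock problem
}
```

ServiceNameCovered = False with a plausible-looking CertificateNames value is the "wrong certificate name was used to generate a replacement certificate" case. HasPrivateKey = False means the certificate cannot be exported with its key to the AD FS proxy as the Important note above requires; a TimeSource of "Local CMOS Clock" means the server isn't synchronising time and a time-validity warning may be spurious.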
You can resolve issuing certification authority (CA) trust issues either by reissuing the certificate from a CA whose root the clients already trust, or by distributing the issuing CA chain to the Trusted Root Certification Authorities store on the clients.
Warning
We don't recommend that AD FS use an internal CA when it's used for SSO with Microsoft 365. Using a certificate chain that's not trusted by the Microsoft 365 data center will cause Microsoft Outlook connectivity to Microsoft Exchange Online to fail when Outlook is used with SSO features.