Scrap my last post… Today I found I could no longer login to sharepoint and other federated services were acting strangely. I tried to troubleshoot but ultimately gave up.

Finally came the time to see if my weekly VM backups (and nightly incrementals) were actually any good… 15 minutes later and everything’s back to how it was 2 night’s ago!

Screen Shot 2015-04-21 at 15.48.06

Thankfully Veeam worked a treat and ADFS was back working perfectly BUT we still have our expiring SSL warning.

Screen Shot 2015-04-21 at 21.00.32

My theory as to what went wrong before… Whilst I had updated my SSL certificates on my on-premise ADFS server (including the token signing certificate), I think the Office365 hosted servers also need this same matching certificate. So, let’s try a different approach.

This time I followed a different link http://www.kraak.com/?p=190. I started the same way as before, replacing the SSL certificate in IIS. However, I didn’t update the token-signing or token-decrypting certificates in ADFS. Instead I issued the following commands;

Connect-MsolService
Get-MsolFederationProperty -DomainName tickett.net

At this stage, I can essentially see that both the ADFS Server (on-premise) and Microsoft Office 365 (hosted) certificates match;

Screen Shot 2015-04-21 at 21.16.46

At this point I noticed that, not only did they (obviously) bare the old dates, but they also bare the internal server name (and not the FQDN of either my old or new SSL certificates for IIS). This further backs up my theory that using the same certificate for IIS and ADFS yesterday was wrong. And in fact, it appears ADFS generates it’s own certificates when instructed to do so;

Update-ADFSCertificate -CertificateType: Token-Signing -Urgent:$true
Get-MsolFederationProperty -DomainName tickett.net

Screen Shot 2015-04-21 at 21.24.05

Right, we’re part way there. The ADFS Server certificate has now been renewed, but the Microsoft Office 365 certificate now needs to be updated;

Update-MsolFederatedDomain -DomainName tickett.net
Get-MsolFederationProperty -DomainName tickett.net

Bingo, now they both match! Exactly the same sequence of commands now needs to be executed for the token-decrypting certificate;

Update-ADFSCertificate -CertificateType: Token-Decrypting -Urgent:$true
Update-MsolFederatedDomain -DomainName tickett.net

And voila! I can now login perfectly to all my federated/SSO application/sites and Office365 webmail no longer warns me about a certificate approaching expiry.