Scrap my last post… Today I found I could no longer login to sharepoint and other federated services were acting strangely. I tried to troubleshoot but ultimately gave up.
Finally came the time to see if my weekly VM backups (and nightly incrementals) were actually any good… 15 minutes later and everything’s back to how it was 2 night’s ago!
Thankfully Veeam worked a treat and ADFS was back working perfectly BUT we still have our expiring SSL warning.
My theory as to what went wrong before… Whilst I had updated my SSL certificates on my on-premise ADFS server (including the token signing certificate), I think the Office365 hosted servers also need this same matching certificate. So, let’s try a different approach.
This time I followed a different link http://www.kraak.com/?p=190. I started the same way as before, replacing the SSL certificate in IIS. However, I didn’t update the token-signing or token-decrypting certificates in ADFS. Instead I issued the following commands;
Connect-MsolService Get-MsolFederationProperty -DomainName tickett.net
At this stage, I can essentially see that both the ADFS Server (on-premise) and Microsoft Office 365 (hosted) certificates match;
At this point I noticed that, not only did they (obviously) bare the old dates, but they also bare the internal server name (and not the FQDN of either my old or new SSL certificates for IIS). This further backs up my theory that using the same certificate for IIS and ADFS yesterday was wrong. And in fact, it appears ADFS generates it’s own certificates when instructed to do so;
Update-ADFSCertificate -CertificateType: Token-Signing -Urgent:$true Get-MsolFederationProperty -DomainName tickett.net
Right, we’re part way there. The ADFS Server certificate has now been renewed, but the Microsoft Office 365 certificate now needs to be updated;
Update-MsolFederatedDomain -DomainName tickett.net Get-MsolFederationProperty -DomainName tickett.net
Bingo, now they both match! Exactly the same sequence of commands now needs to be executed for the token-decrypting certificate;
Update-ADFSCertificate -CertificateType: Token-Decrypting -Urgent:$true Update-MsolFederatedDomain -DomainName tickett.net
And voila! I can now login perfectly to all my federated/SSO application/sites and Office365 webmail no longer warns me about a certificate approaching expiry.