When you install ADFS, you must upload your certificate settings/thumbprint to the Federated Relying Party, in this case, Office 365. The default expiration with standard ADFS 2.0 installation is a self signing certificate that expires every year.
Symptoms of user Errors in Browser on Office 365 Portal/Service Logon using federated identity:
- “There was a problem accessing the site. Try to browse the site again.”
- “Your organization could not sign you in to this service. There may be a system error. Please contact administrator at your organization if this problem persists.”
Application and Services Logs > ADFS 2.0 > Admin:
- Event ID 358: Restarting Issuance ServiceHost. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart.
If these events occur, it’s a good bet your ADFS signing certificate expired and must be Ensure latest Microsoft Online Services Module for PowerShell installed. Download the module for your 32 or 64 bit system here.
Note – Microsoft Online Services Identity Federation Management PowerShell Module is deprecated and everything can now be configured in the Microsoft Online Services Module.
Note – You will be prompted for credentials, enter a NON-Federated Office 365 admin account.
- Optional, only If you’re NOT Running PowerShell From ADFS server:
Set-MSOLAdfscontext -Computer YourAdfsServer.mydomain.local
- Update-MSOLFederatedDomain -DomainName YourDomain.com
- You can verify the thumbprint updated on Microsoft Online Federation gateway:
Get-MSOLFederationProperty -DomainName YourDomain.com
Note – You will also need to update your other SAML Relying Parties such as Concur, Webex, Salesforce, Zendesk, and Google Apps.
If you would like assistance in federation for your organization, please learn more about AgileIdentity, our fixed price identity and access solution.