This week I had a customer who received an e-mail from Microsoft, about the expiration of there certificate for Single Sign on ( ADFS SSO )

Problem :

The customer has updated this certificate by himself, but still I receives these messages from Microsoft.

Solution :

Check the certificates in MMC (computer certificates) => looks fine

Check the online certificate settings => not good this is the old certificate

Execute these command’s on the internal ADFS server in an elevated powershell

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic –AllowRedirection

Import-PSSession $Session

Connect-MsolService -Credential $UserCredential

Set-MsolADFSContext –Computer adfs21.domain.nl <= FQDN

Update-MsolFederatedDomain –DomainName domain.nl

Get-MsolFederationProperty –DomainName domain.nl

Check the ADFS serve => still 2 certificates are not changed to the new certificate

These need to be changed

With these error you have to execute:

PS C:\Windows\system32> add-pssnapin microsoft.adfs.powershell

PS C:\Windows\system32> Set-ADFSProperties -AutoCertificateRollover $false

Change the certificate in the actions pane

Select the secondary certificate and select “Set as Primary”

Select the Secondary (old certificate) and click Delete

Now everything is fine

Sync to Office 365 :

Update the domain at Microsoft :

Update-MsolFederatedDomain –DomainName domain.nl

Check at Microsoft:

Get-MsolFederationProperty –DomainName domain.nl

Everything is fine now