This week I had a customer who received an e-mail from Microsoft about the expiration of their certificate for Single Sign-On (ADFS SSO).
Problem:
The customer had already renewed this certificate himself, but still received these messages from Microsoft.
Solution:
Check the certificates in MMC (computer certificates) => looks fine, the new certificate is installed.
Check the online certificate settings, i.e. what Office 365 holds for the federated domain => not good, this is still the old certificate.
Execute these commands on the internal ADFS server in an elevated PowerShell session. (The Exchange Online session in the first three lines is not needed for the federation cmdlets, which come from the MSOnline module; Basic authentication against that Exchange endpoint has since been retired by Microsoft. Connect-MsolService is the step the next cmdlets require.)
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-MsolService -Credential $UserCredential
Set-MsolADFSContext -Computer adfs21.domain.nl   # FQDN of the internal ADFS server
Update-MsolFederatedDomain -DomainName domain.nl
Get-MsolFederationProperty -DomainName domain.nl
Check the ADFS server => in the ADFS management console (Service > Certificates) the two ADFS-managed certificates (token-signing and token-decrypting) still show the old certificate as primary.
These need to be changed.
To be able to change them, automatic certificate rollover must first be switched off (while it is enabled, the "Set as Primary" action in the console is greyed out), so execute:
PS C:\Windows\system32> add-pssnapin microsoft.adfs.powershell
PS C:\Windows\system32> Set-ADFSProperties -AutoCertificateRollover $false
Then change the certificate from the Actions pane in the ADFS management console:
Select the new (secondary) certificate and select "Set as Primary".
Select the old certificate, which is now the secondary, and click Delete.
The ADFS side is now correct.
Sync to Office 365:
Update the domain at Microsoft so that it receives the new token-signing certificate:
Update-MsolFederatedDomain -DomainName domain.nl
Check at Microsoft:
Get-MsolFederationProperty -DomainName domain.nl
Everything is fine now: both entries returned by Get-MsolFederationProperty (the ADFS side and the Microsoft Office 365 side) should list the same token-signing certificate.
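As an added example, not code from the original post: the same rollover done entirely from PowerShell on the internal ADFS server, which also checks what Office 365 reports before the old certificate is deleted. The host name adfs21.domain.nl and the domain domain.nl are the ones used above; the $NewThumbprint parameter and the Get-FederationThumbprints helper are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): manual token-signing certificate
# rollover for a federated Office 365 domain, with a verification step before
# the old certificate is removed.
# Assumptions: server and domain names are the ones from the post; $NewThumbprint
# is the thumbprint of the renewed certificate (hypothetical parameter).
param(
    [string]$AdfsServer = 'adfs21.domain.nl',
    [string]$Domain     = 'domain.nl',
    [Parameter(Mandatory = $true)]
    [string]$NewThumbprint
)

Import-Module ADFS -ErrorAction Stop       # ADFS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module MSOnline -ErrorAction Stop

Connect-MsolService -Credential (Get-Credential -Message 'Office 365 admin account')
Set-MsolADFSContext -Computer $AdfsServer

# Helper (assumed name): thumbprints that each side of the federation currently
# knows about. Get-MsolFederationProperty returns one object for ADFS and one
# for Microsoft Office 365, identified by the Source property.
function Get-FederationThumbprints {
    param([string]$DomainName)
    Get-MsolFederationProperty -DomainName $DomainName | ForEach-Object {
        [pscustomobject]@{
            Source  = $_.Source
            Current = $_.TokenSigningCertificate.Thumbprint
            Next    = $_.NextTokenSigningCertificate.Thumbprint
        }
    }
}

Write-Host 'Before:'
Get-FederationThumbprints -DomainName $Domain | Format-Table -AutoSize

# 1. Stop ADFS from rotating certificates underneath us; this is also what makes
#    the primary certificate changeable in the console.
Set-AdfsProperties -AutoCertificateRollover $false

# 2. Promote the renewed certificate to primary token-signing certificate.
$signing = Get-AdfsCertificate -CertificateType Token-Signing
$new = $signing | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $new) {
    throw "Thumbprint $NewThumbprint is not installed as a token-signing certificate on $AdfsServer"
}
$old = $signing | Where-Object { $_.IsPrimary -and $_.Thumbprint -ne $NewThumbprint }
if (-not $new.IsPrimary) {
    Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint -IsPrimary
}

# 3. Push the new signing certificate to Office 365 and verify it arrived there.
Update-MsolFederatedDomain -DomainName $Domain
$after = Get-FederationThumbprints -DomainName $Domain
$cloud = $after | Where-Object { $_.Source -like '*Office 365*' }
if ($cloud.Current -ne $NewThumbprint) {
    throw "Office 365 still reports $($cloud.Current) as token-signing certificate; old certificate kept"
}

# 4. Only now remove the old certificate from ADFS.
if ($old) {
    Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint $old.Thumbprint
}

Write-Host 'After:'
$after | Format-Table -AutoSize
```

The order deliberately differs from the console steps above: the old certificate is removed only after Get-MsolFederationProperty shows that Office 365 holds the new thumbprint. The token-decrypting certificate is handled the same way with -CertificateType Token-Decrypting. With AutoCertificateRollover left at $false, ADFS will not renew its self-signed certificates by itself, so either re-enable it afterwards or put the next renewal date in your calendar. The MSOnline module these cmdlets come from has since been retired by Microsoft in favour of the Microsoft Graph PowerShell SDK.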