One of your on-premises Federation Service certificates is expiring


Office 365 portal is telling me: “One of your on-premises Federation Service certificates is expiring. Failure to renew the certificate and update trust properties within 20 days will result in a loss of access to all Office 365 services for all users.”

This gives me a target expiration date of July 16th.

 

However, the cert itself is set to expire on July 31:

>Get-ADFSCertificate -CertificateType token-signing

 [Not After]  7/31/2013 9:31:15 AM

 

AutoCertificateRollover is enabled on that cert, so if I count 20 days before that, it should renew on July 11th.

 

My question is, which do I believe?

Should I wait for the rollover or should I use resolution 2 in http://support.microsoft.com/kb/2383983 to manually renew the cert?

Verified Answer
  • Hi Bwahaw,

    Recently, we have received some reports that some customers got a similar notification which was a false positive.
    In this case, based on the information provided, it should be a false positive too. You can safely ignore this notification.

    As far as I know, there is no way to test AutoCertificateRollover. However, AutoCertificateRollover will work when the token-signing certificate is really about to expire. Generally, in an ADFS environment with Office 365, a new secondary token-signing and a new secondary token-decrypting certificate will be generated 20 days before the current primary of each certificate type expires.
    In other words, on 7/12/2013, you can check whether a new token-signing and token-decrypting certificate has been generated. If so, the current Single Sign-On (SSO) service will keep working.

    Thanks,
    Claud

All Replies
  • Hi Bwahaw,

    Based on my experience, we need to check the [Not After] value to avoid expiry. In this case, I notice your certificate will expire soon. I suggest you follow that article to renew the certificate if AutoCertificateRollover is not working properly.

    Thanks,
    Johnny Zhang

  • how will i know if autocertificaterollover is working properly? and why doesn't the 365 portal expiration notification reflect the actual expiration date of the certificate?

    as i said, the expiration date from the 365 portal and the certificate don't exactly line up, so there is still time for autocertificaterollover to prove functional.

  • sweet,

    just to follow up, the secondary cert automatically generated yesterday, and this morning the false-positive 365 portal notification disappeared.

    so it's looking good.

    thank you

  • How does one verify if the token signing certificate is set to AutoCertificateRollover?  I'm also getting this warning that does not seem to match up with when the certificate is set to expire.

    Further complicating this is the fact that the article suggested to fix the issue is no longer valid, support.microsoft.com/.../2383983  

  • well, this is the best link I can find now. maybe the "determine grace period" stuff might get you in the right direction.

    technet.microsoft.com/.../jj933264.aspx

    as an FYI, the autocertificaterollover worked for me, but a couple of my ADFS servers had issues, resulting in trouble updating the new cert at the grace period 5 day mark. this caused sporadic logon issues to 365, and the boss decided to decom ADFS.

    we broke federation with our 365 instance, and i'm quite happy about it. in hindsight, I don't know why we ever federated.
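
The checks discussed in the replies above (whether AutoCertificateRollover is enabled, and when the secondary certificate should be generated and promoted), as an added PowerShell example that is not part of any poster's reply. It assumes the AD FS cmdlets are available on the server; `$report` and the status wording are this example's own.

```powershell
# Added example. Run in an elevated session on the primary AD FS server.
# AD FS 2.0 needs the snap-in; on later versions this line is a harmless no-op.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-AdfsProperties
$now   = Get-Date

# Rollover switch and the generation/promotion windows, in days.
$props | Format-List AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold

$report = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $certs     = @(Get-AdfsCertificate -CertificateType $type)
    $primary   = $certs | Where-Object { $_.IsPrimary } | Select-Object -First 1
    $secondary = @($certs | Where-Object { -not $_.IsPrimary })
    if (-not $primary) { continue }

    # A secondary is generated N days before the primary's Not After date,
    # then promoted to primary once the promotion threshold has passed.
    $notAfter   = $primary.Certificate.NotAfter
    $generateOn = $notAfter.AddDays(-1 * $props.CertificateGenerationThreshold)
    $promoteOn  = $generateOn.AddDays($props.CertificatePromotionThreshold)

    $status = if (-not $props.AutoCertificateRollover) {
        'Rollover disabled: renew manually before Not After'
    } elseif ($now -lt $generateOn) {
        'Waiting: no secondary expected yet'
    } elseif ($secondary.Count -gt 0) {
        'Secondary present: update Office 365 trust properties before promotion'
    } else {
        'Secondary missing after generation date: investigate'
    }

    New-Object PSObject -Property @{
        Type = $type; PrimaryNotAfter = $notAfter; Secondaries = $secondary.Count
        GenerateOn = $generateOn; PromoteOn = $promoteOn; Status = $status
    }
}
$report | Select-Object Type, PrimaryNotAfter, GenerateOn, PromoteOn, Secondaries, Status | Format-List
```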

  • Funny you should mention that.  We're migrating to DirSync with passwordsync in October.  I was hoping we'd be off ADFS by then but this warning is confusing me.  Did you go with DirSync?

  • heard mixed reviews about dirsync's new password sync abilities, and since we already had a partnership with a company called 365command from back in the BPOS days, we kept dirsync doing what it has always done, and used 365command's password synch utility (agents on the DCs relay PW updates to a server that syncs to 365) and their add-in for AD to help manage users from new office 365 tabs. really helps in delegating account creation.

    helped expedite decommissioning our Hybrid environment too.

  • Hi,

    Is there a formal article / documentation available which states that this is a false positive?

    Thanks

    Sachin Arora

  • Not sure if I followed up or not, but the certificate indeed autorenewed and I was all set.  didn't have to do anything.

  • I too want to ask a small follow-up: except service communication, token decrypting and token signing, is there any other certificate that needs to be checked on the ADFS server (on-premises AD model, Office 365)?

  • No
