SOLVED

ADFS Password Expiration Notification

Highlighted
Occasional Contributor

Hi All,

I have a notification from O365 portal:

"One of your on-premises Federation Service certificates is expiring. Failure to renew the certificate and update trust properties within 5 days will result in a loss of access to all Office 365 services for all users" 

 

I checked my ADFS server i.e. Windows Server 2008 R2, ADFS 2.0 management, Service -> Certificates

The Token-signing shows: expiration date: 16/10/2018 

it does not make sense at all, as today is 26/09/2018, the O365 portal says I have only 5 days left which would be on the 1/10/2018, and the Token-signing cert due date is 16/10/2018.

Can anyone shed a light on my issue, that would be really appreciated.

 

Regards

 

4 Replies
Highlighted

I'm moving this to the Azure Active Directory space for better visibility.

Highlighted
Best Response confirmed by Dzung Vu (Occasional Contributor)
Solution

This is sort of a "known" issue and is intentional in order to make sure you don't overlook this and end up with your users blocked from accessing O365. Simply update the certificate as soon as possible and the notifications will go away. If you need help with the steps: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-o365-certs

Highlighted

Hi,

 

Its very simple, Microsoft wants you to be safe and avoid a resume and generating event, so they make a 30 day. This makes the warning and automatic renewal overlap by 5 days to make sure you have enough time to update Office 365 before the old certificate expires.

 

  • Expiration minus 45 days – Issue federation certificate expiration warning in the Portal
  • Expiration minus 20 days – automatically renew a token-signing certificate
  • Expiration minus 19 days – scheduled task updates Office 365 with a new token-signing certificate.

More information https://www.eshlomo.us/office-365-and-adfs-certificate-notification/

Eli.

Highlighted

Thank you all for your help, I had to replace with the third-party SSL cert, since we've already had in place. and updated IIS with the third-party SSL. All Good!!

Once again, thank you very much

Regards,