O365 did not update new token signing cert automatically RRS feed

  • Question

  • Hi,

    According to some articles I've read, O365 should automatically pick up the new token signing cert from AD FS once it's rolled over automatically. However, I've found out the hard way today that this wasn't the case, and authentication was broken for users. I've had to manually update all federated domains on O365 with the new cert. We're running AD FS 3.0 on Windows 2012 R2.

    Can someone explain why or point me to the right direction please?



    Thursday, March 23, 2017 4:21 AM

All replies

  • You need to ensure than the FederationMetadata.xml endpoint is reachable from the Internet. Is that the case? Example: https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, March 23, 2017 12:08 PM
  • End point was/is reachable.

    I've noticed that the automatically update relying party box wasn't ticked for the O365 relying party trust. Was this the cause of the issue?

    Thursday, March 23, 2017 11:20 PM