ADFS and SharePoint – Token Signing Certificate – When auto roll over goes wrong

The Token Signing certificate is designed to auto renew each year. This is great for ADFS, but unfortunately SharePoint can have a bit of a hissy fit, because the certificate it has been using as a trusted root authority has now changed. As with all troubleshooting, the best place to start is the Event Viewer: if you are suffering from this issue you'll see a load of Error 364 and 8311 entries.

[Screenshots: SharePoint event log showing Error 364 and 8311; certificate validation error]

To fix the problem you need to update the certificate on SharePoint to match the newly created token signing certificate.

Log in to the ADFS server and export the token signing certificate to a file.

Copy this file to the server hosting SharePoint Central Administration and run the following PowerShell commands there as the farm account.

Find the Trusted Root Authority that is configured to provide the claims token for the application and note down its "Id" property; also check the certificate thumbprint:

Run:

Get-SPTrustedRootAuthority

[Screenshot: Get-SPTrustedRootAuthority output]

Import the certificate you exported from the ADFS server:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("DRIVE:\FOLDERNAME\EXPORTEDCERTNAME.cer")


Update the TrustedRootAuthority

Use the GUID that you noted down and pass it in as the parameter to -Identity. The command should look like this:

Set-SPTrustedRootAuthority -Identity "409b2278-7567-44b1-b535-802437ac543b" -Certificate $cert

Check that the thumbprint of the certificate now matches the thumbprint of the token-signing certificate on the ADFS server by running:

Get-SPTrustedRootAuthority


Update SPTrustedIdentityTokenIssuer

Find the Trusted Identity Token Issuer that is configured to provide the claims token for the application and note down its "Name" property:

Get-SPTrustedIdentityTokenIssuer

[Screenshot: Get-SPTrustedIdentityTokenIssuer output]

Update the SPTrustedIdentityTokenIssuer with the new certificate, providing the Name of the Token Issuer captured above:

Set-SPTrustedIdentityTokenIssuer “Dev Claims ADFS” -ImportTrustCertificate $cert

Verify that the certificate has been installed using:

Get-SPTrustedIdentityTokenIssuer
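The whole procedure above as a single script, added here as an example rather than code from the original post. It assumes the exported .cer path and the token issuer name are placeholders you replace, reuses the authority GUID shown above, and adds the checks a practitioner would want: compare thumbprints before touching anything, refuse a certificate outside its validity period, and verify both objects afterwards.

```powershell
# Added example (not from the original post). Run in an elevated SharePoint
# Management Shell as the farm account. Placeholders: $certPath and $issuerName.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath    = 'DRIVE:\FOLDERNAME\EXPORTEDCERTNAME.cer'   # file exported from the ADFS server
$authorityId = '409b2278-7567-44b1-b535-802437ac543b'     # Id of the SPTrustedRootAuthority
$issuerName  = 'Dev Claims ADFS'                          # Name of the SPTrustedIdentityTokenIssuer

# Load the exported certificate. This is the public half only; the private key stays on ADFS.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Refuse to trust a certificate that is not yet valid or has already expired.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Exported certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Compare what SharePoint currently trusts with what ADFS now signs tokens with.
$rootAuth = Get-SPTrustedRootAuthority -Identity $authorityId
$issuer   = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
Write-Host "ADFS token-signing thumbprint : $($cert.Thumbprint)"
Write-Host "Trusted root authority has    : $($rootAuth.Certificate.Thumbprint)"
Write-Host "Token issuer signs with       : $($issuer.SigningCertificate.Thumbprint)"

if ($rootAuth.Certificate.Thumbprint -eq $cert.Thumbprint -and
    $issuer.SigningCertificate.Thumbprint -eq $cert.Thumbprint) {
    Write-Host 'Thumbprints already match; nothing to update.'
    return
}

# Replace the trusted root certificate first, then the signing certificate on the issuer.
Set-SPTrustedRootAuthority -Identity $rootAuth -Certificate $cert
Set-SPTrustedIdentityTokenIssuer -Identity $issuer -ImportTrustCertificate $cert

# Verify: both objects must now report the new thumbprint.
$rootAuth = Get-SPTrustedRootAuthority -Identity $authorityId
$issuer   = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($rootAuth.Certificate.Thumbprint -ne $cert.Thumbprint -or
    $issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'Thumbprint mismatch after update; check the Event Viewer for 364/8311 again.'
}
Write-Host 'SharePoint now trusts the new ADFS token-signing certificate.'
```

If the thumbprint you load does not match the one shown on the ADFS server's current primary token-signing certificate, re-export before running the update.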
