The token signing certificate is designed to auto-renew each year. This is great for ADFS, but unfortunately SharePoint can have a bit of a hissy fit because the certificate it has been using as the trusted root authority has now changed. As with all troubleshooting, the best place to start is the Event Viewer; if you are suffering from this issue you'll see a load of Error 364 and 8311 entries.
To fix the problem you need to update the certificate on SharePoint to match the newly created token signing certificate.
Log in to the ADFS server and export the token signing certificate to a file.
Copy this file to the server hosting SharePoint Central Administration, using a farm account.
Find the Trusted Root Authority that is configured to provide the claims token for the application. Note down its "ID" property and also check the certificate thumbprint:
Run:
Get-SPTrustedRootAuthority
Import the certificate you exported from the ADFS server:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("DRIVE:\FOLDERNAME\EXPORTEDCERTNAME.cer")
Update the TrustedRootAuthority
Use the GUID that you noted down and pass it in as the parameter to -Identity. The command should look like this:
Set-SPTrustedRootAuthority -Identity "409b2278-7567-44b1-b535-802437ac543b" -Certificate $cert
Check that the thumbprint of the certificate now matches the thumbprint of the token-signing certificate on the ADFS server by running:
Get-SPTrustedRootAuthority
Update SPTrustedIdentityTokenIssuer
Find the Trusted Identity Token Issuer that is configured to provide the claims token for the application and note down its "Name" property:
Get-SPTrustedIdentityTokenIssuer
Update the SPTrustedIdentityTokenIssuer with the new certificate, providing the Name of the token issuer captured above:
Set-SPTrustedIdentityTokenIssuer -Identity "Dev Claims ADFS" -ImportTrustCertificate $cert
Verify that the certificate has been installed using:
Get-SPTrustedIdentityTokenIssuer
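The whole procedure above as one idempotent script, added here as an example and not part of the original post: it compares the thumbprint of the exported ADFS certificate with what SharePoint currently trusts, updates the root authority and token issuer only on mismatch, and prints both thumbprints afterwards. The file path, authority GUID and issuer name are the placeholders used in the post and are assumptions; substitute your own.

```powershell
# Added example (not from the original post). Run in an elevated SharePoint Management Shell
# on the Central Administration server. Path, GUID and issuer name are assumed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$CertPath    = 'DRIVE:\FOLDERNAME\EXPORTEDCERTNAME.cer'   # exported from the ADFS server
$AuthorityId = '409b2278-7567-44b1-b535-802437ac543b'    # ID from Get-SPTrustedRootAuthority
$IssuerName  = 'Dev Claims ADFS'                         # Name from Get-SPTrustedIdentityTokenIssuer

$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host "ADFS token-signing thumbprint: $($newCert.Thumbprint) (valid until $($newCert.NotAfter))"

# SharePoint only needs the public certificate; the signing key must stay on the ADFS server.
if ($newCert.HasPrivateKey) {
    throw 'Exported file contains a private key; re-export the public certificate only (.cer).'
}
# Warn early if the certificate we are about to trust is itself close to rollover.
if ($newCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Certificate expires within 30 days; ADFS may roll it over again soon.'
}

# 1. Trusted root authority: update only if the stored certificate differs.
$authority = Get-SPTrustedRootAuthority -Identity $AuthorityId
if ($authority.Certificate.Thumbprint -ne $newCert.Thumbprint) {
    Write-Host "Root authority '$($authority.Name)' holds $($authority.Certificate.Thumbprint); updating."
    Set-SPTrustedRootAuthority -Identity $AuthorityId -Certificate $newCert
} else {
    Write-Host "Root authority '$($authority.Name)' already matches."
}

# 2. Trusted identity token issuer: same check against its signing certificate.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
if ($issuer.SigningCertificate.Thumbprint -ne $newCert.Thumbprint) {
    Write-Host "Token issuer '$IssuerName' holds $($issuer.SigningCertificate.Thumbprint); updating."
    Set-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ImportTrustCertificate $newCert
} else {
    Write-Host "Token issuer '$IssuerName' already matches."
}

# 3. Verify: both values below should equal the ADFS thumbprint printed at the top.
(Get-SPTrustedRootAuthority -Identity $AuthorityId).Certificate.Thumbprint
(Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName).SigningCertificate.Thumbprint
```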