ADFS – All Things Microsoft 365

The following event log on the ADFS server indicates the SSL certificate has expired:


Log Name:      AD FS/Admin
Source:        AD FS
Date:          4/23/2018 11:35:49 AM
Event ID:      381
Task Category: None
Level:         Error
Keywords:      AD FS
Description:
An error occurred during an attempt to build the certificate chain for configuration certificate identified by thumbprint '365CB832EA38FB61E74C57AF6E875233507DD25E'. Possible causes are that the certificate has been revoked or certificate is not within its validity period. 
The following errors occurred while building the certificate chain:  
MSIS2013: A required certificate is not within its validity period when verifying against the current system clock.
User Action: 
Ensure that the certificate is valid and has not been revoked or expired

Log Name: AD FS/Admin

Source: AD FS

Date: 4/23/2018 11:35:49 AM

Event ID: 381

Task Category: None

Level: Error

Keywords: AD FS

Description:

An error occurred during an attempt to build the certificate chain for configuration certificate identified by thumbprint '365CB832EA38FB61E74C57AF6E875233507DD25E'. Possible causes are that the certificate has been revoked or certificate is not within its validity period.

The following errors occurred while building the certificate chain:

MSIS2013: A required certificate is not within its validity period when verifying against the current system clock.

User Action:

Ensure that the certificate is valid and has not been revoked or expired

ADFS Management Console shows the certificates:

Running the following command we can see the certificate settings for ADFS:


Get-AdfsProperties | FL AutoCert*, Certificate*
AutoCertificateRollover        : False
CertificateCriticalThreshold   : 2
CertificateDuration            : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold  : 5
CertificateRolloverInterval    : 720
CertificateSharingContainer    :
CertificateThresholdMultiplier : 1440

Get-AdfsProperties | FL AutoCert*, Certificate*

AutoCertificateRollover : False

CertificateCriticalThreshold : 2

CertificateDuration : 365

CertificateGenerationThreshold : 20

CertificatePromotionThreshold : 5

CertificateRolloverInterval : 720

CertificateSharingContainer :

CertificateThresholdMultiplier : 1440

I changed the settings to Auto Rollover and have a certificate duration for 3 years.


Set-AdfsProperties -CertificateDuration 1095 -AutoCertificateRollover $True

1 2	Set-AdfsProperties -CertificateDuration 1095 -AutoCertificateRollover $True

Looking at the ADFS certificates now shows the decrypting certificate has been updated.

Without restarting any services the issue has been resolved.

Working with an Office 365 tenant where the authentication was configured with on-prem ADFS servers and all users were getting the following error:

The event logs showed the following two errors:


Source:        AD FS
Date:          4/23/2018 10:49:13 AM
Event ID:      276
Task Category: None
Level:         Error
Keywords:      AD FS
Description:
The federation server proxy was not able to authenticate to the Federation Service. 
User Action 
Ensure that the proxy is trusted by the Federation Service. To do this, log on to the 
    proxy computer with the host name that is identified in the certificate subject name 
    and re-establish trust between the proxy and the Federation Service using the 
    Install-WebApplicationProxy cmdlet.

Source: AD FS

Date: 4/23/2018 10:49:13 AM

Event ID: 276

Task Category: None

Level: Error

Keywords: AD FS

Description:

The federation server proxy was not able to authenticate to the Federation Service.

User Action

Ensure that the proxy is trusted by the Federation Service. To do this, log on to the

proxy computer with the host name that is identified in the certificate subject name

and re-establish trust between the proxy and the Federation Service using the

Install-WebApplicationProxy cmdlet.


Source:        AD FS
Date:          4/23/2018 10:49:33 AM
Event ID:      422
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Description:
Unable to retrieve proxy configuration data from the Federation Service. 
Additional Data 
Trust Certificate Thumbprint: 
0ED6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
Status Code: 
Unauthorized

Source: AD FS

Date: 4/23/2018 10:49:33 AM

Event ID: 422

Task Category: None

Level: Error

Keywords: AD FS

User: NETWORK SERVICE

Description:

Unable to retrieve proxy configuration data from the Federation Service.

Additional Data

Trust Certificate Thumbprint:

0ED6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Status Code:

Unauthorized

To correct the certificate issue I ran the following:


Install-WebApplicationProxy -CertificateThumbprint de49xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -FederationServiceName sts.&lt;domainname.com>

1 2	Install-WebApplicationProxy -CertificateThumbprint de49xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -FederationServiceName sts.<domainname.com>

The event logs now showed:


Log Name:      AD FS/Admin
Source:        AD FS
Date:          4/23/2018 11:24:08 AM
Event ID:      391
Task Category: None
Level:         Information
Keywords:      AD FS
Description:
The federation server proxy was able to successfully establish a trust with the Federation Service.

Log Name: AD FS/Admin

Source: AD FS

Date: 4/23/2018 11:24:08 AM

Event ID: 391

Task Category: None

Level: Information

Keywords: AD FS

Description:

The federation server proxy was able to successfully establish a trust with the Federation Service.

The WAP server is now showing healthy:

Category: ADFS

ADFS Expired Certificate

ADFS Logon Error