Tags

While trying to access ADFS federation metadata or trying to access CRM Org (configured for Claims Based Authentication) will produce the following errors if ADFS Token-signing and Token-decryption certificates are expired.

As viewed from ADFS Management Console:

Errors recorded in the Event Viewer for the above expired certificates:

The thumbprint values in the Error Logs can also be viewed through PS Command as shown below:

To get access to federation metadata again perform the following steps:
  1. Update Token-Signing and Token-Decrypting certificate

Running the above will add a pair of under Token-Signing and Token-Decrypting certificates

Run the PS Command Set-AdfsProperties -AutoCertificateRollover $false and delete the secondary certificate from the ADFS Management console view.

Ensure that the certificate chain is installed correctly under Trusted Root Certification Authorities

After the renewing the Token-Signing and Token-Decrypting certificates the Federationmetadata endpoint should now be accessible.