Environment:
- Active Directory Federation Services (AD FS) role configured on a Windows Server 2012 R2 Active Directory Domain Services (AD DS) Domain Controller (DC)
- Web Application Proxy (WAP) 2012 R2 (not domain joined)
- Office 365 tenant subscription with on-premises AD synchronizing a federated domain
Error: When trying to authenticate to Office 365, a "bad request" error message is returned after entering credentials in the AD FS forms-based authentication (FBA) page.
Cause: The preceding error appeared after certificate changes in the AD FS farm.
Symptoms:
- The AD FS service does not start. To get it to start, change the Microsoft Key Distribution Service (KdsSvc) from Manual (Trigger Start) to Automatic (Trigger Start) with the following command from an elevated command prompt:
  sc triggerinfo kdssvc start/networkon
- Able to authenticate to the test URL (https://adfs.contoso.com/adfs/ls/idpinitiatedsignon.aspx), but not to O365.
Resolution: The WS-Federation trust (ws-fed) must be updated after any certificate change in the AD FS farm, using the following steps.
Open Windows PowerShell and execute these commands:
  Add-PSSnapin Microsoft.Adfs.Powershell
  # PS command to re-enable AutoCertificateRollover
  Set-AdfsProperties -AutoCertificateRollover $true
  # PS command to verify the properties
  Get-AdfsProperties
  # PS command to immediately generate new self-signed certificates
  Update-AdfsCertificate -Urgent
From an elevated command prompt:
  # Query the trigger configuration of the kdssvc service
  sc qtriggerinfo kdssvc
  # Change kdssvc to automatic and trigger it on network connection
  sc triggerinfo kdssvc start/networkon
To update ws-fed after changing the AD FS certificates, open the Windows Azure Active Directory Module for Windows PowerShell and run the following commands:
  Connect-MsolService
  # Replace contoso.com with your federated domain name
  Update-MsolFederatedDomain -DomainName contoso.com
  Get-MsolFederationProperty -DomainName contoso.com
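The "bad request" in this note comes from Azure AD still trusting the token-signing certificate that existed before the rollover. The following check, added here as an example and not part of the original note, compares the token-signing thumbprints AD FS currently holds with the ones Azure AD stores for the federated domain, so the drift can be spotted before (or confirmed after) running Update-MsolFederatedDomain. It assumes the ADFS and MSOnline modules are installed, Connect-MsolService has already been run, and contoso.com is a placeholder domain name.

```powershell
# Added example (not the original note's code). Compares on-premises AD FS token-signing
# certificates with the signing certificates Azure AD holds for a federated domain.
# Assumptions: ADFS module (Windows Server 2012 R2), MSOnline module, prior Connect-MsolService.
function Test-AdfsFederationCertSync {
    param([Parameter(Mandatory = $true)][string]$DomainName)

    Import-Module ADFS
    Import-Module MSOnline

    # On-premises view: primary and, after a rollover, secondary token-signing certificates.
    $onPrem    = Get-AdfsCertificate -CertificateType Token-Signing
    $primary   = @($onPrem | Where-Object { $_.IsPrimary }).Thumbprint
    $secondary = @($onPrem | Where-Object { -not $_.IsPrimary }).Thumbprint

    # Cloud view: Azure AD stores the signing certificate(s) as base64-encoded DER.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $cloudThumbs = foreach ($b64 in @($fed.SigningCertificate, $fed.NextSigningCertificate)) {
        if ($b64) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
            $cert.Import([Convert]::FromBase64String($b64))
            $cert.Thumbprint
        }
    }

    $onPremThumbs = @($primary) + @($secondary) | Where-Object { $_ }
    $primaryKnown = $cloudThumbs -contains $primary
    # Certificates Azure AD still trusts that AD FS no longer has: the stale-trust condition.
    $stale = @($cloudThumbs | Where-Object { $onPremThumbs -notcontains $_ })

    [pscustomobject]@{
        Domain              = $DomainName
        OnPremPrimary       = $primary
        OnPremSecondary     = $secondary
        CloudThumbprints    = $cloudThumbs
        PrimaryKnownToCloud = $primaryKnown
        StaleInCloud        = $stale
        InSync              = ($primaryKnown -and $stale.Count -eq 0)
    }
}

# Usage: InSync = $false means Azure AD does not yet trust the current AD FS signing certificate.
$result = Test-AdfsFederationCertSync -DomainName "contoso.com"   # placeholder domain
$result | Format-List
if (-not $result.InSync) {
    Write-Warning "Token-signing certificate drift for $($result.Domain); run Update-MsolFederatedDomain and re-check."
}
```

Run the check once before Update-MsolFederatedDomain to confirm the mismatch and once after to confirm the trust is repaired; a non-empty StaleInCloud after the update means the federation settings were not written back.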