Skip Ribbon Commands
Skip to main content

Xadean's Empirical Musing

:

Quick Launch

Xadean's Empirical Musing > Posts > AD FS “Bad Request” Error After Updating Token-Decrypting and Token-Signing Certificates
February 04
AD FS “Bad Request” Error After Updating Token-Decrypting and Token-Signing Certificates

Environment:

  • Active Directory Federation Service (AD FS) role configured on Windows 2012 R2 Active Directory Directory Services (AD DS) Domain Controller (DC)
  • WAP 2012 R2 (not domain joined)
  • Office 365 tenant subscription w/ on-premises AD synchronizing a federated domain

 

Error: When trying to authenticate to Office 365, getting a "bad request" error message after entering credentials in AD FS FBA form.

 

Cause: Experienced the preceding error after certificate changes in the AD FS farm.

 

Symptoms:

  • AD FS service (adfssrv) hangs in starting state when an AD Group Managed Service account is assigned 'Log On As' (Reference AD Grp Managed Svc Accounts: https://itconnect.uw.edu/wares/msinf/ous/gmsa/).
    • The resolution to get the AD FS service to start is to change the Microsoft Key Distribution Service (KdsSvc) from Manual (Trigger Start) to Automatic (Trigger Start) with the following command from an elevated command prompt:

      sc triggerinfo kdssvc start/networkon

       

  • Able to authenticate to test URL (https://adfs.contoso.com/adfs/ls/idpinitiatedsignon.aspx), but not to O365.

 

Resolution: Need to update ws-fed after any certificate changes in AD FS farm using the following prescribed steps.

Open Windows PowerShell and execute these commands:

Add-PSSnapin Microsoft.Adfs.Powershell

 

#PS command to re-enable AutoCertificateRollover

Set-AdfsProperties -AutoCertificateRolover $true

 

#PS command to verify properties

Get-AdfsProperties

 

# PS command to immediately generate new self-signed certifactes

Update-AdfsCertificate -Urgent

 

#CMD prompt command to query kdssvc service

sc qtriggerinfo kdssvc

 

#CMD prompt command to change the kdssvc to automatic and trigger on network connection

sc triggerinfo kdssvc start/networkon

 

# To update ws-fed after changing ADFS certificates

When using Windows Azure Active Directory Module for Windows PowerShell, run the following command:

 

connect-MsolService

 

Update-MsolFederatedDomain -DomainName contoso.com (replace contoso.com with your federated domain name)

Get-MsolFederationProperty -DomainName contoso.com

Comments

There are no comments for this post.

Add Comment

Title


Body *


CAPTCHA *

 

Attachments