Fixing ADFS AADSTS50008: Unable to verify token signature. The signing key identifier does not match any valid registered keys

Today my Office 365 ADFS sign-in process was broken. Skype for Business (running from Office 365) wouldn’t sign in, and when I tried to sign in to portal.office.com I ended up at a page saying:

Sign In
Sorry, but we're having trouble signing you in.
We received a bad request.
Additional technical information:
Correlation ID: (some GUID)
Timestamp: (now)
AADSTS50008: Unable to verify token signature. The signing key identifier does
not match any valid registered keys.

Worked fine yesterday. I’d not touched anything.

ADFS itself was working fine: I could sign in via https://adfs.rcmtech.co.uk/adfs/ls/idpinitiatedsignon.htm

The Web Application Proxy Servers looked fine too.

I checked the AD FS management console, and noticed under Service – Certificates that the Token-decrypting and Token-signing certificates all had today as their Effective Date.

The fix was to fire up PowerShell and use

Connect-MsolService -Credential (Get-Credential)
Set-MsolADFSContext -Computer adfsserver01.rcmtech.co.uk
Update-MsolFederatedDomain -DomainName rcmtech.co.uk

where the credentials are those of my rcmtechcouk.onmicrosoft.com global admin account, and adfsserver01.rcmtech.co.uk is the name of one of my internal ADFS servers.

That updates the token-signing certificate details that Office 365 (Azure AD) holds for the federated domain so that they match the certificate now used by ADFS.
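As an added example (not from the original post), the following script checks for the mismatch before touching anything: it compares the thumbprint of the primary token-signing certificate on the ADFS farm with the one Azure AD has registered for the domain, runs Update-MsolFederatedDomain only when they differ, and then shows the ADFS auto-rollover settings that explain why the certificates changed on their own. It assumes it is run on the ADFS server itself with the MSOnline and ADFS modules installed, and reuses the domain and server names from the post.

```powershell
# Added example, not part of the original post. Assumes: run on an ADFS server
# (Get-AdfsCertificate / Get-AdfsProperties are local cmdlets), MSOnline module
# installed, and the names below match the post.
$domain     = 'rcmtech.co.uk'
$adfsServer = 'adfsserver01.rcmtech.co.uk'

Connect-MsolService -Credential (Get-Credential)
Set-MsolADFSContext -Computer $adfsServer

# Primary token-signing certificate actually used by the ADFS farm
$adfsSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } |
    Select-Object -ExpandProperty Certificate

# The signing certificate Azure AD has on record for the federated domain
# (Get-MsolFederationProperty returns one object per side; pick the cloud one)
$cloudSide = Get-MsolFederationProperty -DomainName $domain |
    Where-Object { $_.Source -eq 'Microsoft Office 365' }
$cloudThumb = $cloudSide.TokenSigningCertificate.Thumbprint

"ADFS primary token-signing thumbprint: $($adfsSigning.Thumbprint)"
"Azure AD registered signing thumbprint: $cloudThumb"

if ($adfsSigning.Thumbprint -ne $cloudThumb) {
    # This is exactly the AADSTS50008 condition: Azure AD still trusts the old key
    Write-Warning "Azure AD holds a stale token-signing certificate for $domain; updating."
    Update-MsolFederatedDomain -DomainName $domain

    # Re-read the cloud side and confirm both sides now agree
    $cloudSide = Get-MsolFederationProperty -DomainName $domain |
        Where-Object { $_.Source -eq 'Microsoft Office 365' }
    "Azure AD thumbprint after update: $($cloudSide.TokenSigningCertificate.Thumbprint)"
}
else {
    'Token-signing certificate already matches; AADSTS50008 is not a stale key here.'
}

# Why it happened: ADFS rolled its own certificates (hence today as Effective Date).
# These settings show whether and how often that will happen again.
Get-AdfsProperties |
    Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificateRolloverInterval
```

If AutoCertificateRollover is enabled, the same mismatch will recur at the next rollover unless the federation metadata in Azure AD is refreshed again at that time.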
