Status: PASSED | infrastructure / adfs_token_cert_expired

ADFS Token Signing Certificate Expired

The ADFS token signing certificate expires, breaking all federated SSO authentication. Users cannot sign into Office 365, SaaS applications, or any relying party trusts configured to use ADFS for authentication.

Pattern: CERTIFICATE_EXPIRY
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

Metric                | Expected           | Actual             | Result
----------------------|--------------------|--------------------|-------
Pattern Recognition   | CERTIFICATE_EXPIRY | CERTIFICATE_EXPIRY |
Severity Assessment   | CRITICAL           | CRITICAL           |
Incident Correlation  | Yes                | 9 linked           |
Cascade Escalation    | N/A                | No                 |
Remediation           | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

ADFS 2019 farm with 2 servers. Token signing certificate expired 6 hours ago. Auto-rollover disabled. All federated applications rejecting SAML tokens. Office 365 SSO broken. 500 users affected.

Injected Error Messages (2)

1. ADFS authentication failing — token signing certificate expired 6 hours ago, all SAML assertions rejected by relying parties, ADFS event ID 364: certificate expired and auto-rollover disabled, federated SSO broken for all configured applications, 500 users unable to authenticate
2. Office 365 SSO authentication broken — ADFS token signing certificate expired, users receiving 'unable to sign in' error, SAML token validation failing at Azure AD, all federated authentication redirecting to ADFS and failing

Neural Engine Root Cause Analysis

The ADFS farm is experiencing a complete authentication failure because its token signing certificate expired 6 hours ago. ADFS event ID 364 confirms the expiration, and with auto-rollover disabled the system cannot renew the certificate on its own. Federated SSO is therefore broken for every configured application: relying parties reject all SAML assertions signed with the expired certificate, so the 500 affected users cannot authenticate.

Remediation Plan

1. Immediately generate a new token signing certificate on the ADFS server using PowerShell: Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint <new-cert-thumbprint>.
2. Update the primary token signing certificate: Set-AdfsCertificate -IsPrimary -Thumbprint <new-cert-thumbprint> -CertificateType Token-Signing.
3. Export the new certificate's public key and update federation metadata on all relying party applications.
4. Restart the ADFS service to ensure the new certificate is active.
5. Test authentication with a sample user to verify functionality.
6. Enable automatic certificate rollover to prevent future occurrences: Set-AdfsProperties -AutoCertificateRollover $true.
7. Monitor ADFS event logs for successful authentication events.
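The failure above is entirely preventable if the token-signing certificate is watched before it lapses. The following is an added monitoring check, not part of the Corax scenario or its remediation plan; it assumes it runs on an ADFS server with the ADFS PowerShell module and admin rights, and the 30-day warning threshold is an assumed value.

```powershell
# Added example: pre-expiry check for the AD FS token-signing certificate.
# Assumes an AD FS server with the ADFS module and admin rights;
# the 30-day warning threshold is an assumed value, not from the scenario.
param([int]$WarnDays = 30)

Import-Module ADFS -ErrorAction Stop

$now   = Get-Date
$props = Get-AdfsProperties
$certs = Get-AdfsCertificate -CertificateType Token-Signing

$findings = foreach ($c in $certs) {
    $daysLeft = [math]::Floor(($c.Certificate.NotAfter - $now).TotalDays)
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        IsPrimary  = $c.IsPrimary
        NotAfter   = $c.Certificate.NotAfter
        DaysLeft   = $daysLeft
        State      = if ($daysLeft -lt 0) { 'EXPIRED' }
                     elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                     else { 'OK' }
    }
}
$findings | Format-Table -AutoSize

$primary = $findings | Where-Object IsPrimary
if ($primary.State -eq 'EXPIRED') {
    # The scenario's failure mode: relying parties reject every SAML
    # assertion signed with this certificate and event ID 364 is logged.
    Write-Error "Primary token-signing cert $($primary.Thumbprint) expired on $($primary.NotAfter)"
} elseif ($primary.State -eq 'EXPIRING') {
    Write-Warning "Primary token-signing cert expires in $($primary.DaysLeft) day(s)"
}

if (-not $props.AutoCertificateRollover) {
    # With rollover disabled nothing renews the certificate automatically;
    # step 6 of the plan re-enables it with Set-AdfsProperties.
    Write-Warning "AutoCertificateRollover is disabled; renewal is manual"
}

# Corroborate with recent event ID 364 entries in the AD FS/Admin log.
$since = $now.AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 5
```

Run it from a scheduled task on each farm member and route the warning or error output to the monitoring pipeline so expiry is caught weeks ahead rather than six hours after the fact.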
Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmnck109v063yobqetcm8rhmi