Affected versions: Windows Server 2022


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution: Primary Fix
  7. Solution: Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Users cannot authenticate to federated applications because AD FS token issuance fails: after a token-signing (or token-decrypting) certificate rollover, relying parties still hold the previous certificate and reject tokens signed with the new one.

Environment & Reproduction

Typically appears after auto-certificate rollover where relying parties have stale metadata or disabled auto-update.

Get-Service adfssrv
# NotAfter lives on the nested Certificate object, so it needs a calculated property
Get-AdfsCertificate | Select CertificateType,Thumbprint,IsPrimary,@{n='NotAfter';e={$_.Certificate.NotAfter}}
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 60

Root Cause Analysis

The token-signing certificate changed on AD FS, but relying party trust endpoints still expect the old thumbprint, which breaks signature validation and therefore claim issuance.

Quick Triage

Validate active certs and identify trusts with stale metadata.

Get-AdfsRelyingPartyTrust | Select Name,AutoUpdateEnabled,MetadataUrl
Get-AdfsProperties | Select AutoCertificateRollover,CertificatePromotionThreshold

Step-by-Step Diagnosis

Trace failing RP requests and compare token-signing cert thumbprints across AD FS and consuming applications.

Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 100 | Select TimeCreated,Id,Message
Get-AdfsCertificate -CertificateType Token-Signing | Format-List
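
The two checks above can be combined into one script. The following is an added example and not code from the original article: it parses the signing certificates that AD FS publishes in its own federation metadata (what relying parties pull on refresh), confirms the primary token-signing certificate is among them, and lists the trusts that will not pick the change up on their own. It assumes the ADFS module is loaded on the AD FS server, and the metadata URL is a placeholder to replace.

```powershell
# Added example, not part of the original article. Assumes the ADFS PowerShell module
# (Get-AdfsCertificate, Get-AdfsRelyingPartyTrust) is available on the AD FS server.

function Get-MetadataSigningCert {
    # Parse every KeyDescriptor usable for signing out of federation metadata XML.
    param([Parameter(Mandatory)][string]$MetadataXml)
    [xml]$doc = $MetadataXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
    $xpath = "//md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    foreach ($node in $doc.SelectNodes($xpath, $ns)) {
        $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Subject = $cert.Subject }
    }
}

function Test-AdfsSigningRollover {
    param(
        # Placeholder: replace <adfs-fqdn> with the federation service name.
        [string]$MetadataUrl = 'https://<adfs-fqdn>/FederationMetadata/2007-06/FederationMetadata.xml'
    )
    $primary   = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    $xml       = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
    $published = @(Get-MetadataSigningCert -MetadataXml $xml)

    # 1. The primary cert must be advertised, or partners that refresh metadata still get the old key.
    $advertised = $published.Thumbprint -contains $primary.Thumbprint
    Write-Host ("Primary token-signing {0} advertised in metadata: {1}" -f $primary.Thumbprint, $advertised)

    # 2. Trusts with auto-update off (or no metadata URL) need the new cert delivered by hand.
    $stale = Get-AdfsRelyingPartyTrust | Where-Object { -not $_.AutoUpdateEnabled -or -not $_.MetadataUrl }
    $stale | Select-Object Name, AutoUpdateEnabled, MetadataUrl | Format-Table -AutoSize

    [pscustomobject]@{
        PrimaryThumbprint  = $primary.Thumbprint
        Advertised         = $advertised
        PublishedCerts     = $published
        ManualUpdateTrusts = $stale.Name
    }
}

Test-AdfsSigningRollover
```

If Advertised comes back False, partners cannot recover by refreshing metadata, so fix the AD FS side (Primary Fix below) before chasing individual trusts.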

Solution: Primary Fix

Promote correct token-signing certificate and refresh metadata/trust on all relying parties.


# Replace '<NEW-THUMBPRINT>' with the new cert's thumbprint from Get-AdfsCertificate. With AutoCertificateRollover enabled this call is refused; disable it first (Set-AdfsProperties -AutoCertificateRollover $false) or use Update-AdfsCertificate -CertificateType Token-Signing -Urgent.
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint '<NEW-THUMBPRINT>' -IsPrimary
# Replace '<RelyingPartyName>' with the trust's display name; this re-reads the trust's published metadata.
Update-AdfsRelyingPartyTrust -TargetName '<RelyingPartyName>'
Restart-Service adfssrv

Solution: Alternative Approaches

If the RP cannot auto-update metadata, manually import the new signing certificate into the RP's trust store and temporarily retain the previous certificate for an overlap period.

Get-AdfsCertificate -CertificateType Token-Signing
# Export the public signing cert (no private key) for manual import at the relying party
$c = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate
Export-Certificate -Cert $c -FilePath .\adfs-token-signing.cer

Verification & Acceptance Criteria

Token issuance succeeds for all critical relying parties and AD FS Admin log no longer shows signature validation failures.

Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 30 | Where-Object {$_.LevelDisplayName -eq 'Error'}
# Test-AdfsServerHealth comes from the ADFSToolbox module (Install-Module ADFSToolbox), not the built-in ADFS module
Test-AdfsServerHealth

Rollback Plan

If partner systems fail with new cert, temporarily re-promote prior cert and coordinate a staged metadata refresh.

# Replace '<PREVIOUS-THUMBPRINT>' with the thumbprint of the previously primary certificate
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint '<PREVIOUS-THUMBPRINT>' -IsPrimary
Restart-Service adfssrv

Prevention & Hardening

Track rollover dates, automate RP metadata refresh validation, and enforce pre-rollover communication windows.

Get-AdfsCertificate | Select CertificateType,Thumbprint,IsPrimary,@{n='NotAfter';e={$_.Certificate.NotAfter}}
Get-AdfsRelyingPartyTrust | Select Name,AutoUpdateEnabled

Related Errors & Cross-Refs

Related to trust metadata staleness, token-decryption certificate mismatch, and partner-side SAML signature verification errors.


References & Further Reading

Microsoft AD FS certificate management and relying party trust update guidance for federated identity operations.