Problem
An Office 365 single sign-on environment has been disabled (because the server was offline for an extended period of time) and, on trying to re-enable it, single sign-on is not working. Specifically, when you are redirected from the Office 365 portal to the federation server sts.domain.com you get an HTTP 503 error. You may also have noticed that the token-signing certificates in ADFS have expired.
Cause
The proxy trust certificate is a rolling certificate, valid for 2 weeks and periodically renewed. If the servers are offline for more than two weeks, the ADFS server loses its trust relationship with the ADFS Proxy server.
Solution
The certificates that had expired needed to be renewed. To do this we simply ran the Azure AD Connect tool on the ADFS server. Once this had run, we noticed the expired certificates had been renewed.
Second, we need to install the new ADFS certificate thumbprint on the ADFS Proxy Server (Web Application Proxy). To do this, on the ADFS server we ran:
Get-AdfsSslCertificate
and noted the thumbprint of the new certificate.
On the ADFS Proxy Server (Web Application Proxy) we ran:
Install-WebApplicationProxy -CertificateThumbprint "22121D02DCBF80F440B5E26D52B92BC255D59F95" -FederationServiceName "sts.domain.com"
We then had to enter the DOMAIN credentials.
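As an added pre-flight check (example code, not part of the original article), the following PowerShell run on the ADFS server reports which ADFS certificates are expired or close to expiry, pulls the SSL thumbprint the proxy must be installed with, confirms that certificate is usable, and shows the proxy-side command from the procedure above. It assumes sts.domain.com as the federation service name and that the ADFS and WebApplicationProxy modules that ship with the roles are available.

```powershell
# Added example, not from the original article. Run on the ADFS server.
# Assumes sts.domain.com is the federation service name and the ADFS module is loaded.
$FederationServiceName = 'sts.domain.com'
$WarnDays = 14   # the proxy trust certificate rolls every two weeks

# 1. Report every ADFS certificate and flag ones that are expired or expiring soon.
$now = Get-Date
$certReport = Get-AdfsCertificate | ForEach-Object {
    $daysLeft = [int]($_.Certificate.NotAfter - $now).TotalDays
    [pscustomobject]@{
        Type       = $_.CertificateType
        IsPrimary  = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        DaysLeft   = $daysLeft
        Status     = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
    }
}
$certReport | Format-Table -AutoSize
if ($certReport.Status -contains 'EXPIRED') {
    Write-Warning 'Expired ADFS certificates found; renew them (e.g. via Azure AD Connect) before reinstalling the proxy.'
}

# 2. Take the SSL certificate thumbprint for the federation service binding
#    (the same value the article reads from Get-AdfsSslCertificate).
$ssl = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $FederationServiceName } | Select-Object -First 1
if (-not $ssl) { throw "No SSL certificate binding found for $FederationServiceName" }
$thumbprint = $ssl.CertificateHash

# 3. Confirm the certificate is in the machine store with a private key, so the same
#    thumbprint can be used on the Web Application Proxy.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Thumbprint $thumbprint is not in LocalMachine\My on this server" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key" }
Write-Output "Use this thumbprint on the proxy: $thumbprint (expires $($cert.NotAfter))"

# 4. On the Web Application Proxy server, re-establish the trust; you are prompted for
#    the DOMAIN credentials. Uncomment there; the certificate (with its private key)
#    must also be present in that server's LocalMachine\My store.
# Install-WebApplicationProxy -CertificateThumbprint $thumbprint `
#     -FederationServiceName $FederationServiceName `
#     -FederationServiceTrustCredential (Get-Credential -Message 'DOMAIN admin for ADFS trust')
```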
Reference, Links and Images