An Engineers Notebook

HTTP Error 503 when Single Sin On redirecting to ADFS Server After Re-Enabling Single Sign On


An Office 365 single sign on environment has been disabled (due to server being offline for an extended period of time) and on trying to re-enable Single Sign on is not working. Specifically, when being re-directed from the Office 365 portal to the federated server you get a http 503 error.  Also you may have noticed the token signing certificates in ADFS have exired.


The proxy trust certificate is a rolling certificate valid for 2 weeks and periodically updated. If the servers are offline for more than two weeks the ADFS server will lose its trust relationship with the ADFS Proxy server. 


The certificates that had expired needed to be re-newed. To do this we simply ran the Azure AD Connect tool on the ADFS server. Once this was run, we noticed the expired certificates has been renewed.

Second, we need to install the new ADFS certificate thumbprint in the ADFS Proxy Server (Web Appication Proxy). To do this, on the ADFS server we ran:


and noted the thumprint for the new certificate

On the ADFS Proxy Server (Web Application Proxy) we ran:

Install-WebApplicationProxy -CertificateThumbprint “22121D02DCBF80F440B5E26D52B92BC255D59F95” -FederationServiceName “”

We then had to enter the DOMAIN credentials. 

Reference, Links and Imges

Leave a Reply

Your email address will not be published.