Thursday night, the self-signed token-decrypting certificate at my client expired. Since the client is an IdP, not an RP, we didn't concern ourselves very much with this certificate. Once it failed, ADFS functionality ceased working. We weren't able to renew the self-signed cert, so we replaced it with the third-party cert used for token-signing. After we completed this, the client still could not access O365 via Outlook or Lync clients, although they could access both services via the web client, from network-internal resources. Network-external resources could not access Lync/Outlook via any method. Access to other Federation partners from any resource, whether internal or external to the network, failed. Once the four ADFS proxy servers in the environment were rebuilt, however, everything worked. Two questions:
1. Since the client acts only as an IdP, not as an RP, why did ADFS fail when the token-decrypting certificate expired? It isn't being used for anything.
2. After the cert was replaced, why did the proxies have to be rebuilt?
Thank you.
Ian Kahn, Sr. Consultant
InfraScience, LLC
Alpharetta, GA
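An added check that is not part of the post above (my own script, not InfraScience's or anything from the thread): a PowerShell routine that lists every ADFS certificate role on a federation server, including the token-decrypting one, and flags any that are expired or close to it, so an expiring self-signed token certificate is caught before it fails. It assumes the ADFS PowerShell module shipped with Windows Server 2012 R2 or later and is run elevated on a federation server; the 30-day warning threshold is an assumed value, not one from the post.

```powershell
# Added example (not from the original post): enumerate ADFS certificates and
# flag any that are expired or expiring soon. Assumes the ADFS module
# (Windows Server 2012 R2 or later), run elevated on a federation server.
# $WarnDays is an assumed threshold, not a value from the post.
param(
    [int]$WarnDays = 30
)

Import-Module ADFS -ErrorAction Stop

$now = Get-Date

# Get-AdfsCertificate returns one object per certificate role
# (Service-Communications, Token-Decrypting, Token-Signing). Each carries the
# X509Certificate2 in .Certificate and whether it is the primary certificate.
$report = Get-AdfsCertificate | ForEach-Object {
    $cert = $_.Certificate
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays

    if ($daysLeft -lt 0) {
        $status = 'EXPIRED'
    } elseif ($daysLeft -le $WarnDays) {
        $status = 'EXPIRING'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Type       = $_.CertificateType
        IsPrimary  = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Status     = $status
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Whether ADFS will rotate its self-signed token certificates on its own.
# With AutoCertificateRollover off, nothing renews a self-signed
# token-decrypting or token-signing certificate; an administrator must.
$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"
"CertificateGenerationThreshold (days): $($props.CertificateGenerationThreshold)"
"CertificatePromotionThreshold (days): $($props.CertificatePromotionThreshold)"

# Non-zero exit code so a scheduled task or monitoring job can alert on it.
if ($report | Where-Object { $_.Status -ne 'OK' }) {
    exit 1
}
```

Run it from an elevated ADFS PowerShell session on a federation server, or schedule it and alert on the exit code; the SelfSigned column separates the certificates ADFS generated itself from third-party ones, which are the two cases the post distinguishes.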