Ok that’s weird, yesterday all was still fine, no updates have been done. On the Tenant Website server, I opened the event log and noticed errors:

Error: Unhandled exception: SecurityTokenValidationException: Jwt10329: Unable to validate signature, Configuration.

Actually this next part is the same as we discussed on Pascal’s blog on renaming the ADFS URL in a WAP environment. If you use ADFS for the Admin portal and receive the same error you should rerun the part that reconfigures ADFS – Admin Authentication:

Import-Module -Name MgmtSvcConfig
$ConnectionString = 'Data Source=SQL01\WAP; Initial Catalog=Microsoft.'
Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint 'https://sts.adfsserver.tld/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString #-DisableCertificateValidation
Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint 'https://wapackadminportal.tld/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString $ConnectionString #-DisableCertificateValidation
# When using self-signed certificates, uncomment the "-DisableCertificateValidation" switch.

And after that I was able to successfully log in to the Azure Pack Portal!
Recently a Kloud client raised a query about the use of self-signed certificates versus a commercial certificate from a public certificate authority for the AD FS Token-Signing certificate. In answering the query, I noticed contradictory opinions from various sites, but not much in the way of explanation of why one type is better than the other with respect to token-signing.

The other argument I’ve seen against self-signed Token-Signing certificates is that it reduces the overall security of the AD FS solution, as the certificate cannot be validated back to a trusted certificate authority. This would be true for the majority of services, however not for AD FS Token-Signing. The Service Communication certificate validates the authenticity of the federation service as a whole, not the Token-Signing certificate. The public key of the Token-Signing certificate is provided during establishment of federation trusts, so that the application or service receiving a signed security token can verify the signature.
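Both posts turn on the same mechanism. The relying party (the Azure Pack portal in the first post) trusts the AD FS token-signing certificate because it pinned that certificate from FederationMetadata.xml when the trust was configured, not because of a CA chain, which is why a self-signed token-signing certificate is acceptable. The Jwt10329 error in the first post is what the key-lookup step reports when the x5t thumbprint in the JWT header matches none of the pinned signing certificates; one common cause is AD FS rolling over its token-signing certificate while the relying party still holds the old metadata, and re-running Set-MgmtSvcRelyingPartySettings re-imports the current metadata. The following Python models that key-resolution step and the diagnosis. It is an added example, not code from either post: the certificate bytes and the token signature are constructed placeholders, the metadata layout is a simplified form of the real document (only the namespaces and the KeyDescriptor/KeyInfo path are as in AD FS metadata), and no RSA signature verification is performed.

```python
"""Model of how a relying party resolves the signing key of an AD FS-issued JWT.

Added example (not from either post). The x5t value in the JWT header is the
SHA-1 thumbprint of the signing certificate; the relying party looks it up among
the <KeyDescriptor use="signing"> certificates imported from
FederationMetadata.xml when the trust was established. No CA chain is consulted.
Certificate bytes and the token signature below are constructed placeholders;
real RSA signature verification is not performed here.
"""
import base64
import hashlib
import json
import xml.etree.ElementTree as ET

# Real namespace URIs used by AD FS federation metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificates (real metadata carries X.509 DER).
OLD_CERT = b"constructed placeholder: token-signing cert before rollover"
NEW_CERT = b"constructed placeholder: token-signing cert after rollover"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def thumbprint(der: bytes) -> str:
    """Thumbprint as Windows and AD FS display it: SHA-1 over the DER bytes, hex."""
    return hashlib.sha1(der).hexdigest().upper()


def signing_keys_from_metadata(metadata_xml: str) -> dict:
    """Map thumbprint -> DER bytes for every signing certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    keys = {}
    for cert in root.findall(path, NS):
        der = base64.b64decode(cert.text.strip())
        keys[thumbprint(der)] = der
    return keys


def x5t_from_token(token: str) -> str:
    """Read the x5t header claim (base64url SHA-1 thumbprint) and return it as hex."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return b64url_decode(header["x5t"]).hex().upper()


def diagnose(token: str, configured_metadata: str, current_metadata: str) -> str:
    """Classify the key-resolution outcome for a token.

    configured_metadata: the metadata the relying party imported at setup time.
    current_metadata:    what the STS publishes now (fetched to diagnose).
    """
    wanted = x5t_from_token(token)
    if wanted in signing_keys_from_metadata(configured_metadata):
        return "ok"                # key is pinned; proceed to signature verification
    if wanted in signing_keys_from_metadata(current_metadata):
        return "stale-metadata"    # STS rolled its signing cert; re-import metadata
    return "unknown-key"           # not published by the STS at all: reject the token


def metadata_with(*ders: bytes) -> str:
    """Build a minimal federation-metadata document (simplified, constructed)."""
    descriptors = "".join(
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        + base64.b64encode(der).decode()
        + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for der in ders
    )
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="http://sts.adfsserver.tld/adfs/services/trust">'
        "<RoleDescriptor>" + descriptors + "</RoleDescriptor></EntityDescriptor>"
    )


def token_signed_by(der: bytes) -> str:
    """JWT header.payload.signature naming `der` in x5t; the signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": b64url_encode(hashlib.sha1(der).digest())}
    payload = {"iss": "http://sts.adfsserver.tld/adfs/services/trust",
               "aud": "https://wapackadminportal.tld/"}
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(parts) + ".PLACEHOLDER_SIGNATURE"


if __name__ == "__main__":
    # Portal configured with the pre-rollover metadata; the STS now publishes both certs.
    configured = metadata_with(OLD_CERT)
    current = metadata_with(OLD_CERT, NEW_CERT)
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT), ("rogue", b"constructed rogue cert")):
        print(f"token signed by {label} cert: {diagnose(token_signed_by(cert), configured, current)}")
```

A "stale-metadata" result is the benign case from the first post and is fixed by re-importing metadata; an "unknown-key" result means the token was not signed by any key the STS publishes and must be rejected regardless of whether the certificate chains to a CA, which is the point of the second post.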