PingOne: How to troubleshoot an invalid certificate error

Published: 12/30/2013
The AD Connect signing certificate may expire at the end of the certificate’s lifetime. When this happens, users will get a SAML_201 error that reads “Invalid Certificate”. It looks like this:

[Screenshot: SAML_201 “Invalid Certificate” error]
Another way to see that the certificate is invalid and has expired is within the PingOne Administrative Console: on the Setup tab, view the configuration information for AD Connect. It may show a date of “Dec 31 1969”.
 
To resolve this error, one will need to either renew the existing certificate or create a new certificate and configure AD Connect to use that new certificate.
 
To renew the existing certificate, open MMC on the Windows Server where AD Connect is installed. This can be done by clicking Start, selecting ‘Run’ and typing in MMC. Then click File and ‘Add/Remove Snap-in…’. Select ‘Certificates’ and click ‘Add >’. Select ‘Computer account’ and ‘Local computer’. Then hit ‘Finish’ and ‘OK’. Expand ‘Certificates’ and ‘Personal’ and select ‘Certificates’. Right-click on the certificate used for signing and click ‘All Tasks’ and ‘Renew’. As long as the certificate template information is available, the certificate can be renewed. If the certificate was purchased from a CA, then it will need to be renewed through them.
 
The other option is to create a new certificate. This can be done through MMC or through IIS in the Server Certificates area.
 
If a new certificate is created, then in MMC one will need to right-click it and select ‘All Tasks’ and ‘Manage Private Keys…’. Add ‘IIS_IUSRS’ as a user with permissions on the given certificate’s private key. This permission is required.
 
[Screenshot: private key Permissions dialog showing IIS_IUSRS]

If the new certificate is created with the same name as the old certificate, any old and/or expired certificates with the same name must be removed via MMC before the config.aspx page described below can be used to update the certificate that AD Connect (running in IIS) presents to PingOne.

Once the certificate is loaded onto the computer, ensure that it’s selected on the config.aspx page. The URL to access that page is https://%AD Connect domain%/adconnect/config.aspx. It’s best to log in to this page as a ‘Local Administrator’ or as a user that belongs to the 'Domain Admins' group. Versions of AD Connect prior to 1.11.xxx required the 'Local Administrator' user. That version and upcoming versions will allow any user to log in as long as they belong to the 'Domain Admins' group. Note that starting with version 1.14.xxx the full DN is sent along with each user object for provisioning purposes. On that page, select the intended certificate and click ‘Save’. It is also best to restart the AD Connect Provisioner and Watchdog services to ensure that the changes are sent to PingOne.
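The two conditions the steps above have you verify by hand in MMC (that the signing certificate has not expired, and that IIS_IUSRS has read access to its private key) can also be checked from an elevated PowerShell session on the AD Connect server. The following script is an added example and is not part of this article or of AD Connect; the subject filter 'adconnect' is an assumed placeholder to be replaced with part of your signing certificate’s subject.

```powershell
# Added example, not part of the Ping Identity article. Run elevated on the AD Connect server.
param(
    # Assumed placeholder: a substring of the signing certificate's Subject.
    [string]$SubjectPattern = 'adconnect'
)

function Get-PrivateKeyFile {
    # Returns the on-disk key file for a machine certificate, or $null.
    # Handles CAPI (CSP) keys under RSA\MachineKeys and CNG keys under Keys.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $name = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName }
        else { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    } catch {
        # Older PowerShell/.NET: fall back to the CAPI-only property.
        $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if (-not $name) { return $null }
    @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name",
      "$env:ProgramData\Microsoft\Crypto\Keys\$name") |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
}

$now   = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$SubjectPattern*" }
if (-not $certs) { Write-Warning "No certificate matching '$SubjectPattern' in LocalMachine\My."; return }

foreach ($cert in $certs) {
    # Expiry check: an expired certificate is what produces the SAML_201 error.
    $state = if ($cert.NotAfter -lt $now) { 'EXPIRED - renew or replace' }
             elseif (($cert.NotAfter - $now).TotalDays -le 30) { 'expires within 30 days' }
             else { 'valid' }
    Write-Host ("{0}`n  Thumbprint {1}`n  NotAfter   {2:yyyy-MM-dd}  [{3}]" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $state)

    if (-not $cert.HasPrivateKey) { Write-Warning '  No private key: AD Connect cannot sign with this certificate.'; continue }
    $keyFile = Get-PrivateKeyFile -Cert $cert
    if (-not $keyFile) { Write-Warning '  Private key file not found under ProgramData\Microsoft\Crypto.'; continue }

    # Same check the 'Manage Private Keys...' dialog shows: does IIS_IUSRS have an Allow entry with Read?
    $iisRead = (Get-Acl -LiteralPath $keyFile).Access | Where-Object {
        $_.IdentityReference -like '*\IIS_IUSRS' -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
    }
    if ($iisRead) { Write-Host '  IIS_IUSRS has Read on the private key: OK' }
    else { Write-Warning '  IIS_IUSRS lacks Read on the private key; add it via All Tasks > Manage Private Keys...' }
}
```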
 
One can test that everything is working by visiting the PingOne dock or logging into one of the configured SSO applications.
 
A video is also available. It is titled “Updating Expired Signing Certificate in PingOne ADConnect” and covers similar material to this Knowledgebase article. Let the PingOne Support team know if there are any additional questions.
Category: ADConnect