Why does upgrading to ADFS 2016 throw an error asking for a thumbprint that does not exist in the ADFS farm?

Question

I have a 3 node 2012 R2 ADFS server farm that uses SQL. I am attempting to upgrade the farm to a 2016 farm by following the instructions laid out in in this article. All the prerequisites checks pass before I try to join the node. However, after I try to join the node to the farm, I get an error saying that a certificate with the thumbprint 6797... was not found in the LocalMachine Store. I believe this is the thumbprint of our original SSL cert, but it has been renewed multiple times and is no longer part of the farm.

I can replicate the behavior using PowerShell and the Add-AdfsFarmNode cmdlet as well. Has anyone else seen this behavior while upgrading to ADFS 2016? What can be done to force ADFS to not be dependent on a cert that is no longer configured in the ADFS Farm?

Answer 1

The problem was that there was still an old, expired secondary token signing cert in the config. Once I deleted that cert from the farm, joining worked right away. I used Get-AdfsCertficate to find out which cert was the problem.