While waiting for Microsoft SharePoint 2016 and the upcoming new features and capabilities in the fields of Hybrid Cloud, maybe you already have an hybrid topology with Microsoft SharePoint 2013.

May also be that you created that topology following the instructions that I provided last year at TechEd Europe 2014, and that you can still find here.

In that case, you probably know that – when you want to enable the hybrid search topology – you have to register your on-premises farm’s STS certificate in the Office 365 tenant. In order to do that you can use the following cmdlet from PowerShell:

New-MsolServicePrincipalCredential

The STS X.509 certificate will be used to authenticate against the SPO tenant. As like as any other X.509 certificate that certificate will expire. Moreover, the Service Principal Credential associated with your on-premises farm will have a StartDate and an EndDate. And what happens when the certificate or the credentials expire? Almost nothing!

I mean: no errors in the UI, no alerts to the users … but the hybrid search outbound will simply stop working and you will get back results from the on-premises index only! Is it cool? Not that much, I guess, but it is understandable … you should not block end-user with fancy error messages, just because of that. However, you will find in the ULS log an exception like the following one: “ACS50027: JWT token is invalid” while sending the remote search request from on-premises to SPO.

How can you fix it? You will simply need to update the certificate and re-issue the credentials using the same PowerShell cmdlet as before, but providing the new certificate and the new EndDate. If you want you can do that “in advance” so that you will replace the certificate “on the run,” without any service interruption for your end users.

More information about the hybrid topologies can be found here.

Enjoy your hybrid topologies.