Article ID: 2466333 - View products that this article applies to.

Not sure what release of Office 365 you're using? Go to the following Microsoft website:
Am I using Office 365 after the service upgrade?
Expand all | Collapse all

On This Page

PROBLEM

A federated user can't authenticate to Microsoft Outlook or to Microsoft Exchange ActiveSync by using a smartphone in Exchange Online.

CAUSE

This issue can occur if one of the following conditions is true:
  • The on-premises Active Directory Federation Services (AD FS) 2.0 federation service isn't available from the public Internet.
  • The Secure Sockets Layer (SSL) certificate that's used by the AD FS 2.0 endpoint is issued by a certification authority that isn't trusted by the Exchange Online data center.
The current Exchange Online endpoint for Outlook uses Basic Authentication or Proxy Authentication. This means that Outlook clients authenticate to the Outlook.com service by using Basic Authentication. If Outlook.com determines that the user is a federated user, it proxies the Basic Authentication over SSL to the user's AD FS 2.0 server on behalf of the client. This action authenticates the user locally and requests a Security Assertion Markup Language (SAML) claim or access token for the user. If a publically available AD FS 2.0 endpoint isn't available, the authentication process isn't successful, and the user is denied access to the service endpoint.

Use Microsoft Remote Connectivity Analyzer to test whether the on-premises AD FS 2.0 federation service is causing Outlook logon problems for federated users. To do this, follow these steps:
  1. In Internet Explorer, browse to https://www.testconnectivity.microsoft.com/?testid=O365Ola.
  2. Type the email address and credentials, click to select the acknowledgement check box near the bottom of the page, type the verification code, and then click Perform Test. This test should be run two times. Run the test by using each of the following credentials:
    • A federated account that has a mailbox in Exchange Online
    • A standard user account that has a mailbox in Exchange Online
      Collapse this imageExpand this image
      Screen shot of the Microsoft Remote Connectivity Analyzer page
  3. Check the results of both tests to determine whether AD FS 2.0 is causing the Outlook sign-in issue.

    a. Drill down to the following node of the Test Details tree:

    Testing RPC/HTTP connectivity
    - ExRCA is attempting to test Autodiscover for john@contoso.com
    - Attempting each method of contacting the Autodiscover service
    - Attempting to contact the Autodiscover service using the HTTP redirect method
    - Attempting to send an Autodiscover POST request to potential Autodiscover URLs
    - ExRCA is attempting to retrieve and XML Autodiscover response from URL htts://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user
     
    Collapse this imageExpand this image
    Screen shot of the SSO-enabled mailbox and the standard mailbox test results


    b. Check whether both the following conditions are true:
    • The federated account can't access Autodiscover and receives an "HTTP 401 authorized response" error message.
    • The standard user account can access Autodiscover.
    If both conditions are true, you have confirmed that SSO failures are causing Outlook authentication to fail.

SOLUTION

To fix this issue, use one of the following methods, as appropriate for your situation:

Method 1: Expose the on-premises AD FS 2.0 federation service to the Internet

Set up an AD FS 2.0 federation server proxy for the on-premises AD FS 2.0 environment (or set up a firewall reverse proxy of the AD FS 2.0 Federation Service) that supports SSO, and then publish the proxy to the Internet.

For more info about the AD FS 2.0 federation server proxy implementation, go to the following Microsoft website:

Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on

Method 2: Troubleshoot problems with the AD FS 2.0 proxy server

For more info about how to troubleshoot AD FS 2.0 proxy server issues, see the following Microsoft Knowledge Base article:
2712961 How to troubleshoot AD FS endpoint connection issues when users sign in to Office 365, Windows Intune, or Windows Azure

REFERENCES

Still need help? Go to the Office 365 Community website.

Properties

Article ID: 2466333 - Last Review: December 3, 2013 - Revision: 19.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • Microsoft Exchange Online
Keywords: 
o365 o365a o365e kbgraphxlink o365m o365062011 pre-upgrade o365022013 after upgrade kbgraphic KB2466333

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com