How to reestablish trust with the Windows Azure AD authentication system after the AD FS server stops responding

Article ID: 2521057 - View products that this article applies to.
Not sure what release of Office 365 you're using? Go to the following Microsoft website:
Am I using Office 365 after the service upgrade?

PROBLEM

When a federated user tries to use Active Directory Federation Services (AD FS) to access an Office 365 resource, the user may get the following error message:
There was a problem accessing the site. Try to browse to the site again.

If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

Reference number: <GUID>
For Internet users, the error occurs after they're prompted for a user name and password.

When this error occurs, the web browser’s address bar points to the on-premises AD FS endpoint at the following address:
https://sts.domain.com/adfs/ls/?cbcxt=&vv=&username=username%40domain.com&mkt=&lc=1033&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1299115248%26rver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252FDefault.aspx%26lc%3D1033%26id%3D271346%26bk%3D1299115248

CAUSE

This issue may occur if the relying party trust is missing or corrupted in the AD FS 2.0 Management Console.

SOLUTION

Important This section contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


To check whether the relying party trust is missing or corrupted in the AD FS 2.0 Management Console, follow these steps:
  1. Log on to the core AD FS server.
  2. Click Start, point to All Programs, click Administrative Tools, and then click AD FS 2.0 Management.
  3. In the management console, expand AD FS 2.0, expand Trust Relationships, and then expand Relying Party Trusts.
  4. Verify that the Microsoft Office 365 Identity Platform entry is present and that it matches the following taxonomy:
    1. On the Monitoring tab, check the following settings:
      • Metadata URL: https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml
      • Monitor Relying Party: selected
      • Automatically update relying party: not selected
    2. On the Identifiers tab, check the following settings:
      • Display Name: Microsoft Office 365 Identity Platform
      • Relying party identifiers:
        • https://login.microsoftonline.com/extSTS.srf
        • urn:federation:MicrosoftOnlineINT
    3. On the Endpoints tab, check the following settings for the WS-Federation Passive Endpoints:
      • URL: https://login.microsoftonline.com/login.srf
      • Index: 0
      • Binding: POST
      • Default: Yes
      • ResponseURL: <blank>
    4. On the Advanced tab, check the following setting:
      • Secure hash algorithm: SHA-1
Note All other tabs and fields are intentionally left blank.

If the relying party trust is missing, or if it doesn't match the taxonomy that's listed, delete the entry (if one exists), and then continue with one of the following methods.
Method 1: Re-add or update the federated domain relying party trust
  1. Click Start, point to All Programs, click Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run As Administrator.
  2. At the command line, type the following commands, and press Enter after each command:
    1. Connect-MsolService
      When you're prompted, enter your Office 365 admin credentials.
    2. If you run these commands on a server that's not in the AD FS 2.0 Federation server farm, run the following command:
      Set-MsolADFSContext -Computer:<AD FS Servername>
    3. Update-MsolFederatedDomain -DomainName <Identity_Federated_(AD FS)_Domain_Name>
Method 2: Remove the hardcoded federation metadata endpoint
  1. Open Registry Editor, and then locate the following registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\MOCHA\IdentityFederation
  2. If the FederationMetadataURL string value exists, delete the string value. This will restore the normal functionality of using the metadata endpoint from the relying party trust entry in AD FS.
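The following script is an added example and is not part of this article or of the Windows Azure Active Directory Module. It performs, from PowerShell, the read-only check of the Microsoft Office 365 Identity Platform relying party trust against the taxonomy listed in the SOLUTION section, and the Method 2 check for a hardcoded FederationMetadataURL value. It assumes the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) or the later ADFS module is available on the server, that the relying party trust object exposes the MetadataUrl, MonitoringEnabled, AutoUpdateEnabled, Identifier, WSFedEndpoint and SignatureAlgorithm properties (as they do in AD FS 2.0 and later), and that SHA-1 is stored as the rsa-sha1 algorithm URI. The expected values are copied from the taxonomy above; the script name, parameters and output format are the example's own.

```powershell
<#
  Added example, not from the KB article: read-only audit of the relying
  party trust against the taxonomy in this article, plus the Method 2
  registry check. Run in an elevated PowerShell session on the AD FS
  server. Nothing is changed unless -RemoveRegistryOverride is given;
  -WhatIf is honoured for that removal.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TrustName = 'Microsoft Office 365 Identity Platform',
    [switch]$RemoveRegistryOverride
)

# Expected values, copied from the taxonomy listed in this article.
$Expected = @{
    MetadataUrl        = 'https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml'
    MonitoringEnabled  = $true
    AutoUpdateEnabled  = $false
    Identifiers        = @('https://login.microsoftonline.com/extSTS.srf', 'urn:federation:MicrosoftOnlineINT')
    WSFedEndpoint      = 'https://login.microsoftonline.com/login.srf'
    # SHA-1 on the Advanced tab, in the URI form AD FS stores it in (assumption).
    SignatureAlgorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
}

# Load the AD FS cmdlets: the 2.0 snap-in first, then the module used by later versions.
if (-not (Get-Command Get-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    if (-not (Get-Command Get-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue)) {
        Import-Module ADFS -ErrorAction Stop
    }
}

$findings = New-Object System.Collections.Generic.List[string]

$rpt = Get-ADFSRelyingPartyTrust -Name $TrustName
if (-not $rpt) {
    $findings.Add("Relying party trust '$TrustName' is missing.")
} else {
    # Any mismatch below means the entry should be deleted and re-added (Method 1).
    if ([string]$rpt.MetadataUrl -ne $Expected.MetadataUrl) {
        $findings.Add("MetadataUrl is '$($rpt.MetadataUrl)', expected '$($Expected.MetadataUrl)'.")
    }
    if ($rpt.MonitoringEnabled -ne $Expected.MonitoringEnabled) {
        $findings.Add('Monitor Relying Party should be selected.')
    }
    if ($rpt.AutoUpdateEnabled -ne $Expected.AutoUpdateEnabled) {
        $findings.Add('Automatically update relying party should not be selected.')
    }
    $missingIds = $Expected.Identifiers | Where-Object { $rpt.Identifier -notcontains $_ }
    foreach ($id in $missingIds) { $findings.Add("Identifier '$id' is missing.") }
    if ([string]$rpt.WSFedEndpoint -ne $Expected.WSFedEndpoint) {
        $findings.Add("WS-Federation passive endpoint is '$($rpt.WSFedEndpoint)', expected '$($Expected.WSFedEndpoint)'.")
    }
    if ($rpt.SignatureAlgorithm -ne $Expected.SignatureAlgorithm) {
        $findings.Add("Secure hash algorithm is '$($rpt.SignatureAlgorithm)', expected SHA-1.")
    }
}

# Method 2: a hardcoded FederationMetadataURL overrides the metadata endpoint on the trust.
$regPath = 'HKLM:\Software\Microsoft\MOCHA\IdentityFederation'
$override = Get-ItemProperty -Path $regPath -Name FederationMetadataURL -ErrorAction SilentlyContinue
if ($override) {
    $findings.Add("Registry override FederationMetadataURL = '$($override.FederationMetadataURL)'.")
    if ($RemoveRegistryOverride -and $PSCmdlet.ShouldProcess("$regPath\FederationMetadataURL", 'Remove')) {
        Remove-ItemProperty -Path $regPath -Name FederationMetadataURL
        $findings.Add('Removed FederationMetadataURL; AD FS will use the metadata endpoint from the relying party trust again.')
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Relying party trust '$TrustName' matches the expected configuration and no registry override is present."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it with no parameters to get a list of findings; if the only finding is the registry override, run it again with -RemoveRegistryOverride -WhatIf to preview Method 2, then without -WhatIf to apply it. Any finding against the trust itself is handled by deleting the entry and running Method 1.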

REFERENCES

For more info about how to troubleshoot the "There was a problem accessing the site." error message, see the following Microsoft Knowledge Base article:
2383983   Error message from AD FS when a federated user signs in to Office 365: "There was a problem accessing the site."


Properties

Article ID: 2521057 - Last Review: May 22, 2013 - Revision: 27.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education (pre-upgrade)
  • Windows Azure Active Directory
Keywords: 
o365 o365e o365a o365m o365062011 pre-upgrade o365022013 after upgrade KB2521057
