Article ID: 2530569 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

This article discusses how to troubleshoot single sign-on setup issues in a Microsoft cloud service such as Office 365, Windows Intune, or Microsoft Azure.

Detailed implementation guidance for single sign-on (SSO) is available in the Azure Active Directory (Azure AD) Help documentation. If you encounter a problem when you set up SSO by using that guidance, you can refer to this article. It provides a roadmap to help troubleshoot common problems with each setup step.

PROCEDURE

How to troubleshoot SSO setup

Step 1: Prepare Active Directory

Setup guidance
Go to the following Microsoft website:
Prepare for single sign-on
Validation for step 1
Use the Microsoft Office 365 Deployment Readiness Tool to scan Active Directory for issues that might cause directory synchronization issues.

Note Only user accounts that have user principal name (UPN) suffixes that match the domain that's federated for single sign-on (SSO) can take advantage of SSO features.

For more information about the Office 365 Deployment Readiness Tool, go to the following Microsoft website:
Microsoft Office 365 Deployment Readiness Tool
Troubleshoot issues with validation for step 1
The Deployment Readiness Tool report provides inline links to Microsoft Online Deployment Guide troubleshooting guidance for the particular problems that are detected. To troubleshoot, follow these steps:
  1. Use Deployment Readiness Tool inline links to Microsoft Online Deployment Guide guidance to resolve problems that the tool detects.

    Note Incorrect preparation of Active Directory or failure to resolve issues that the tool identifies can result in directory synchronization problems in step 4. Follow the troubleshooting guidance that is offered by the Deployment Readiness Tool to correct the problems, and make sure that the Deployment Readiness Tool runs without any errors. This prevents the following problems from occurring later in the implementation:
    • 2392130 Troubleshoot user name issues that occur for federated users when they sign in to Office 365, Azure, or Windows Intune  
    • 2001616 A user's Office 365 email address unexpectedly contains an underscore character after directory synchronization
    • 2643629 One or more objects don't sync when using the Azure Active Directory Sync tool
  2. Rerun the validation steps to check whether the issue is resolved.

Step 2: Active Directory Federation Services (AD FS) architecture

Setup guidance

Go to the following Microsoft websites:

Note Microsoft Support will not help customers with the execution of the setup guidance in these links.

Step 3: Azure Active Directory Module for Windows PowerShell for SSO

Setup guidance
Go to the following Microsoft website:
Install Windows PowerShell for single sign-on with AD FS
Validation for step 3
To validate the Azure Active Directory Module for Windows PowerShell for SSO, follow these steps:
  1. Run the Azure Active Directory Module for Windows PowerShell as an admin.
  2. Type the following commands, and make sure that you press Enter after you type each command:
    1. $cred=Get-Credential

      Note When you're prompted, type your cloud service admin credentials.
    2. Connect-MsolService -Credential $cred

      Note This command connects you to Azure AD. You must create a context that connects you to Azure AD before you run any of the additional cmdlets that are installed by the Azure Active Directory Module for Windows PowerShell.
    3. Set-MsolAdfscontext -Computer <AD FS 2.0 primary server>


      Notes
      • If you installed the Azure Active Directory Module for Windows PowerShell on the primary Active Directory Federation Services (AD FS) server, you don't have to run this cmdlet.
      • In this command, the placeholder <AD FS 2.0 primary server> represents the internal fully qualified domain name (FQDN) of the primary AD FS server. This command creates a context that connects you to AD FS.
    4. Get-MSOLFederationProperty -DomainName <federated domain name>

      Note In this command, the placeholder <federated domain name> represents the domain name that was federated in the setup steps.
  3. Compare the first half (Source: AD FS Server) and last half (Source: Microsoft Office 365) of the output of the Get-MSOLFederationProperty command that you ran in step 2D to make sure that all entries match. If they don't match, use the "Resolution" section of the following Microsoft Knowledge Base article to update the relying party trust data:

    2647020 "Sorry, but we're having trouble signing you in" and "80041317" or "80043431" error when a federated user tries to sign in to Office 365, Azure, or Windows Intune 
Troubleshoot issues with validation for step 3

To troubleshoot, follow these steps:
  1. Troubleshoot common validation problems by using the following Microsoft Knowledge Base articles, as appropriate for your situation:
    • 2461873 You can't open the Azure Active Directory Module for Windows PowerShell 
    • 2494043 You can't connect by using the Azure Active Directory Module for Windows PowerShell
    • 2587730 "The connection to <ServerName> Active Directory Federation Services 2.0 server failed" error when you use the Set-MsolADFSContext cmdlet
    • 2279117 An administrator cannot add a domain to an Office 365 account
    • Error when you run the New-MsolFederatedDomain cmdlet for the second time because domain verification fails. For more information about this scenario, see the following Knowledge Base article:
      2515404 Troubleshoot domain verification issues in Office 365
    • 2618887 "Federation service identifier specified in the AD FS 2.0 server is already in use." error when you try to set up another federated domain in Office 365, Azure, or Windows Intune
    • Time issues cause issues with the New-MSOLFederatedDomain cmdlet or the Convert-MSOLDomainToFederated cmdlet. For more information about this scenario, see the following Knowledge Base article:
      2578667 "Sorry, but we're having trouble signing you in" and "80045C06" error when a federated user tries to sign in to Office 365, Azure, or Windows Intune
  2. Rerun the validation steps to check whether the issue is resolved.

Step 4: Implement Active Directory synchronization

Setup guidance
Go to the following Microsoft websites:
Validation for step 4
To validate, follow these steps:
  1. Run the Azure Active Directory Module for Windows PowerShell as an admin.
  2. Type the following commands. Make sure that you press Enter after you type each command.
    1. $cred=Get-Credential


      Note When you're prompted, type your cloud service admin credentials.
    2. Connect-MsolService -Credential $cred


      Note This command connects you to Azure AD. You must create a context that connects you to Azure AD before you run any of the additional cmdlets that are installed by the Azure Active Directory Module for Windows PowerShell.
    3. Get-MSOLCompanyInformation
  3. Check the LastDirSyncTime value from the output of the previous commands, and make sure that it shows a synchronization after the Azure Active Directory Sync Tool was installed.

    Note The date and time stamp for this value is displayed in Coordinated Universal Time (Greenwich Mean Time).
  4. If LastDirSyncTime isn't updated, monitor the Application log of the server on which the Azure Active Directory Sync Tool is installed for the following event:
    • Source: Directory Synchronization
    • Event ID: 4
    • Level: Information
    This event indicates that directory synchronization finished on the server. When this happens, rerun these steps to make sure that the LastDirSyncTime value was updated appropriately.
Troubleshoot problems with validation for step 4

Troubleshoot common validation problems by using the following Microsoft Knowledge Base articles, as appropriate for your situation:
  • 2386445  Error when you run the Azure Active Directory Sync tool: "Your version of the Windows Azure Active Directory Sync Configuration Wizard is outdated" 
  • 2310320 Error when you try to run the Azure Active Directory Sync Tool Configuration Wizard: "Your credentials could not be authenticated. Retype your credentials and try again" 
  • 2508225 "LogonUser() Failed with error code: 1789" after you enter enterprise administrator credentials in the Azure Active Directory Sync tool Configuration Wizard
  • 2502710 "An unknown error occurred with the Microsoft Online Services Sign-in Assistant" error when you run the Azure Active Directory Sync Tool Configuration Wizard 
  • 2419250 "The computer must be joined to a domain" error when you try to install the Azure Active Directory Sync Tool 
  • 2643629 One or more objects don't sync when using the Azure Active Directory Sync tool
  • 2641663 How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for Directory Synchronization
  • 2492140 You can't assign a federated domain to a user in the Office 365 portal

Step 5: Office 365 client preparedness

Setup guidance
  1. Check client prerequisites for Office 365. For more information about the system requirements for Office 365, go to Office 365 system requirements.
  2. Run Office 365 Desktop Setup on all client computers that use rich client applications. Rich client applications include Microsoft Outlook, Microsoft Lync 2010, Microsoft Office Professional Plus 2010, Azure Active Directory Module for Windows PowerShell. Office desktop applications, and Microsoft SharePoint integration applications. 

    Note Office 365 Desktop Setup is available at http://g.microsoftonline.com/0BX10en/436?!Office365DesktopSetup.application.
  3. If a seamless, no-prompt experience is expected for domain-joined and domain-connected client computers, add the AD FS Federation Service URL to the local intranet zone in Windows Internet Explorer. For example, do the following:
    1. In Internet Explorer, on the Tools menu, click Internet Options.
    2. Click the Security tab, click Local intranet, click Sites, and then click Advanced.
    3. Type https://sts.contoso.com in the Add this website to the zone box, and then click Add.

      Note "sts.contoso.com" represents the FQDN of the AD FS Federation Service.
    For more information about this configuration, see the following Microsoft Knowledge Base article:
    2535227 A federated user is prompted unexpectedly to enter their credentials when they access an Office 365 resource
  4. If domain-joined and domain-connected client computers access Internet resources by using a proxy server that resolves Internet addresses by using public DNS queries (and not internal, split-brain DNS), add the AD FS Federation Service URL to the list for which Internet Explorer will bypass proxy filtering. The following is an example of how to add the URL to the Internet Explorer exceptions list:
    1. In Internet Explorer, on the Tools menu, click Internet Options.
    2. On the Connections tab, click LAN settings, and then click Advanced.
    3. In the Exceptions box, enter the value by using the fully qualified DNS name of the AD FS service endpoint name. For example, enter sts.contoso.com.
Validation for step 5

To validate, follow these steps:
  1. Make sure that Microsoft Online Services Sign-in Assistant service is installed and running. To do this, follow these steps:
    1. Click Start, click Run, type Services.msc, and then click OK.
    2. Locate the Microsoft Online Services Sign-in Assistant entry, and then make sure that the service is running.
    3. If the service isn't running, right-click the entry, and then select Start.
  2. Go to the AD FS MEX website to make sure that the endpoint is part of the Internet Explorer intranet security zone. To do this, follow these steps:
    1. Start Internet Explorer, and then go to the AD FS service endpoint website. The following is an example of a service endpoint website:
      https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml
    2. Check the status bar at the bottom of the window to make sure that the security zone that's indicated for this URL is Local intranet.

Step 6: Final validation

On a configured client computer, test the expected SSO authentication experience. To do this, authenticate by using a federated user account. You may want to test authentication of a federated user in the following scenarios:
  • In the on-premises network and authenticated to the on-premises Active Directory
  • From an Internet-neutral IP location and not authenticated to the on-premises Active Directory
To validate, follow these steps:
  1. Run the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit to test validating enterprise SSO by using the following Microsoft Knowledge Base article:
    2598459 How to use the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit to diagnose single sign-on (SSO) issues in Office 365
  2. Test web authentication. To do this, use one of the following methods:
    • Sign in to the cloud service portal as a federated user by using local Active Directory credentials.
    • Sign in to Outlook Web App as a federated user (by using local Active Directory credentials) who has an Exchange Online mailbox. For example, sign in to Outlook Web App at the following URL:
      https://outlook.com/owa/contoso.com
      Note In this URL, "contoso.com" represents the federated domain name.
    • Sign in to Microsoft SharePoint Online as a federated user (by using local Active Directory credentials) who has access to the Team Site collection. For example, sign in to SharePoint Online at the following URL:
      http://contoso.sharepoint.com
      Note In this URL, "contoso" represents your organization's name.
  3. Test rich client or active requestor authentication. To do this, follow these steps:
    1. Configure a Lync Online client profile for a federated user account, and then sign in to the account by using local Active Directory credentials.
    2. Sign in to Azure Active Directory Module for Windows PowerShell by using a federated user account that has global admin credentials through the connect-MSOLService cmdlet.
  4. Test Exchange Online basic authentication by using Microsoft Remote Connectivity Analyzer. For more information about how to use Remote Connectivity Analyzer, see the following article in the Microsoft Knowledge Base: 
    2650717  How to use Remote Connectivity Analyzer to troubleshoot single sign-on issues for Office 365, Azure, or Windows Intune
Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2530569 - Last Review: July 1, 2014 - Revision: 73.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management
Keywords: 
o365 o365a o365e o365022013 o365m KB2530569

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com