How to use the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit to diagnose single sign-on (SSO) issues in Office 365

Article ID: 2598459

INTRODUCTION

The Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit contains a data-collection package that helps you analyze Active Directory Federation Services (AD FS) 2.0 infrastructure, user account preparedness, and Microsoft Office 365 federation trusts. You can use this analysis to help troubleshoot Office 365 single sign-on (SSO) issues. This article contains info about how to interpret the diagnostic info for AD FS 2.0 Authentication and for SSO that's provided in the MOSDAL Support Toolkit.

PROCEDURE

The data flow of any Office 365 SSO communication is predictable. To determine which issues may have occurred during the SSO process, you can use a capture to compare the expected data flow pattern with the data flow that occurs during a failed SSO attempt. The AD FS 2.0 Authentication diagnostic feature of the MOSDAL Support Toolkit lets you capture and compare this kind of data. You can use this info to diagnose SSO and identity federation issues.

How to install the MOSDAL Support Toolkit

To download and install the MOSDAL Support Toolkit, go to the following Microsoft website:
http://www.microsoft.com/en-us/download/details.aspx?id=626

How to collect AD FS 2.0 authentication diagnostic info

To use the MOSDAL Support Toolkit to collect AD FS 2.0 diagnostic info, follow these steps:
  1. Start the MOSDAL Support Toolkit. To do this, click the MOSDAL Support Toolkit desktop shortcut. Or, click Start, point to All Programs, click Mosdal Support Toolkit, and then click MOSDAL Support Toolkit.
  2. Run the MOSDAL Support Toolkit, select the Single sign-on with Active Directory Federation Services check box from the list of Office 365 services, and then click Next.

    [Screen shot of the Welcome to MOSDAL page]
  3. When you're prompted to enter your credentials, enter your user ID or sign-in address, and then click Next. Your password isn't saved and is only used to simulate an authentication attempt and log the results.

    [Screen shot of the Enter Credentials page]
  4. Reproduce the issue, and then click Next.

    [Screen shot of the Reproduce Problem page]
  5. When the diagnostics are completed, click Exit and Show Files.
  6. When the report is finished, locate the MOSDALReport.zip file in the Documents library. In MOSDALReport.zip, open the DataCollectionADFS folder, and then open the AdfsDiagnostics.txt file.

How to read the AD FS 2.0 Authentication Diagnostics report

The AD FS 2.0 Authentication Diagnostics report consists of the following four sections. We recommend that you read the report from the top down. That is, start reading the report at the first section and then continue to the next section. If the causes that are listed in one section don't offer enough info to diagnose the issue, investigate the relevant area of the next section to view more detailed info.
  • Table of Contents

    This section contains an at-a-glance analysis of the test results. It lists the following:
    • High-level tests that were run and their general results (Pass or Fail)
    • For each test that failed, the problems that could cause the failure
    • Whether the client accesses AD FS 2.0 from inside or from outside the corporate network
    • The attachment names that were collected
  • Console Output

    This section contains a more thorough breakdown of the tests that were run. If the data in the Table of Contents section doesn't provide enough detail, view the Console Output section for more granular info about the following:
    • A breakdown of the individual steps that were performed in each test that is listed in the Table of Contents section
    • Specific results of each test step (Pass or Fail)
    • For each step that failed, the problems that could cause the failure
  • Test Traces

    This section contains trace-level detail of the tests that were run. If the data in the Console Output doesn't provide enough detail, examine the Test Traces section for more-detailed info.
  • Attachments

    This section contains valuable environment state and settings data to help you analyze and determine possible causes of various failure states. Common data that is collected includes the following:
    • User-environment data that is collected from the client
    • Credentials that were used for the test
    • Organization namespace registration data that is collected from the Office 365 Metadata Exchange (MEX) document (pulled from the AD FS 2.0 service endpoint)
    • AD FS 2.0 HTTP responses
    • AD FS 2.0 Security Token responses (including Security Assertions Markup Language [SAML] claim info)
    • Microsoft Azure Active Directory (Azure AD) security token responses

How to follow up on cause suggestions

The following tables list the most common causes that are suggested in the output of the AD FS 2.0 Authentication Diagnostics report for tests and steps that failed.

Note: These are only suggestions. You should investigate and verify the cause of the issue before you determine an action plan to resolve the issue.

Test-002: Verify the Microsoft Office 365 authentication system organization namespace registration

Log data (common cause of failure sources) | Cause / Description | Article reference
The Office 365 authentication system logon URL couldn't be accessed. | Azure AD authentication system is inaccessible. | 2707380
Microsoftonline.com couldn't be accessed. | Azure AD authentication isn't resolved in DNS. | 2707331
There is no Username/Password authentication endpoint that is registered by using the Office 365 authentication system. | Azure AD authentication system doesn't reflect AD FS 2.0 registration of the username or password endpoint. | 2707359
There is no valid Metadata Exchange (MEX) URL that is registered by using the Office 365 authentication system. | Azure AD authentication system doesn't reflect AD FS 2.0 registration of the MEX endpoint. | 2707365
There is no web application logon URL that is registered by using the Office 365 authentication system. | Azure AD authentication system doesn't reflect AD FS 2.0 registration of the /adfs/ls endpoint. | 2707358
Domain {value} isn't a federated domain. | The named domain isn't registered as federated with the Azure AD authentication system. | 2707357
The user {value} wasn't recognized by the Office 365 authentication system. | The named user ID isn't a valid identity in the Azure AD authentication system. | 2707367
The AD FS Token-Signing certificate isn't valid. | The AD FS 2.0 registration with the Azure AD authentication system shows the AD FS 2.0 token-signing certificate as invalid. | 2707368
Organization namespace registration info couldn't be obtained from the Office 365 authentication system. | The named domain isn't registered with the Azure AD authentication system. | 2707333

Test-003: Verify that the Metadata Exchange (MEX) document can be retrieved from the Federation Server

Log data (common cause of failure sources) | Cause / Description | Article reference
There are no services in the AD FS MEX document. | AD FS 2.0 MEX data isn't advertising any services. | 2707344
The AD FS MEX document didn't contain the SecurityTokenService section. | AD FS 2.0 MEX data is corrupted. | 2707345
There is no security token service description in the AD FS MEX document. | AD FS 2.0 MEX data is corrupted. | 2707346
The Windows Integrated Authentication endpoint is missing from the MEX document that is published by the federation server. | AD FS 2.0 Integrated Windows Authentication endpoint is deactivated. | 2707356
No WS-Trust Windows endpoint is published in the MEX document. | AD FS 2.0 WS-Trust endpoint is deactivated. | 2707339
The Username/Password authentication endpoint is missing from the MEX document that is published by the federation server proxy. | AD FS 2.0 Username endpoint or AD FS 2.0 Password endpoint is deactivated. | 2707355
There are no endpoints in the AD FS MEX document. | AD FS 2.0 MEX data isn't advertising any service endpoints. | 2707344
The WS-Trust endpoint for Windows Integrated Authentication in the AD FS MEX document doesn't match the endpoint that is registered by using the Office 365 authentication system. | AD FS 2.0 IWA service endpoint was changed, but its registration with the Azure AD authentication system wasn't updated. | 2707379

Test-004: Verify that Federation Metadata can be retrieved from the Federation Server

Log data (common cause of failure sources) | Cause / Description | Article reference
The federation metadata document couldn't be retrieved from AD FS. | AD FS 2.0 federation metadata endpoint is unavailable or couldn't be contacted. | 2707335
The Metadata Exchange (MEX) document received from AD FS contains an unknown WS-Trust version. | WS-Trust version is incorrect for Microsoft Online single sign-on (SSO). | 2707348

Test-005: Verify web application logon to AD FS by using Windows Integrated Authentication (IWA for passive)
Test-006: Verify web application logon to AD FS by using Username/Password Authentication (FBA for passive)
Test-007: Verify rich client application logon by using Username/Password Authentication (Basic for Rich)
Test-008: Verify rich client application logon by using Windows Integrated Authentication (IWA for Rich)

Log data (common cause of failure sources) | Cause / Description | Article reference
There was an exception error during a logon attempt. | A failure is encountered during AD FS 2.0 authentication. | 2707338
No token was received from AD FS. | After authentication, AD FS 2.0 didn't issue a SAML token. | 2707340
The AD FS token received isn't valid until {0}. | A SAML token that appears post-dated when it's compared to the local computer clock is received from AD FS 2.0. | 2707376
The AD FS token has expired according to this computer's clock. | A SAML token that appears expired when it's compared to the local computer clock is received from AD FS 2.0. | 2707377
The AD FS token validity period is too short. | The AD FS 2.0 token validity period is set to less than five minutes. | 2707378
During an attempt to verify web application logon to AD FS, the tool unexpectedly received a Username/Password logon page from the federation server. | An FBA authentication page was encountered when connecting to the AD FS 2.0 Federation Service, although an IWA experience was expected. | 2707342

Test-009: Verify rich client application logon to Office 365 by using a token that is issued by AD FS
Test-010: Verify web application logon to Office 365 by using a token that is issued by AD FS

Log data (common cause of failure sources) | Cause / Description | Article reference
No token was received from the Office 365 authentication system. | The Azure AD authentication system couldn't process the AD FS 2.0 SAML token and couldn't issue a cloud-based identity response. | 2707341
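
The three clock-related causes for Test-005 through Test-008 (post-dated token, expired token, validity period under five minutes) can be checked by hand against the Conditions element of a SAML assertion copied from the Attachments section. The following PowerShell is an added example and is not part of the MOSDAL Support Toolkit; the function name, the five-minute skew allowance, and the sample assertion are assumptions made for the example.

```powershell
# Added example, not part of the MOSDAL toolkit: checks the three clock-related
# causes listed for Test-005 to Test-008 against the Conditions element of a
# SAML assertion, such as one copied from the report's Attachments section.
function Test-AdfsTokenTiming {
    param(
        [Parameter(Mandatory)][xml]$Assertion,
        [datetime]$Now = (Get-Date).ToUniversalTime(),
        [int]$AllowedSkewMinutes = 5   # assumption: tolerated client/AD FS clock difference
    )
    # PowerShell's XML adapter matches on local names, so the saml: prefix is not needed.
    $conditions   = $Assertion.Assertion.Conditions
    $notBefore    = [DateTimeOffset]::Parse($conditions.NotBefore).UtcDateTime
    $notOnOrAfter = [DateTimeOffset]::Parse($conditions.NotOnOrAfter).UtcDateTime
    $validity     = $notOnOrAfter - $notBefore
    $findings     = @()

    # KB 2707376: token appears post-dated when compared with the local clock.
    if ($notBefore -gt $Now.AddMinutes($AllowedSkewMinutes)) {
        $findings += "Token isn't valid until $notBefore UTC; local clock may be behind AD FS (2707376)."
    }
    # KB 2707377: token appears expired when compared with the local clock.
    if ($notOnOrAfter -lt $Now.AddMinutes(-$AllowedSkewMinutes)) {
        $findings += "Token expired at $notOnOrAfter UTC; local clock may be ahead of AD FS (2707377)."
    }
    # KB 2707378: validity period shorter than five minutes.
    if ($validity.TotalMinutes -lt 5) {
        $findings += "Validity period is $([int]$validity.TotalMinutes) minutes, less than five (2707378)."
    }
    [pscustomobject]@{
        NotBeforeUtc    = $notBefore
        NotOnOrAfterUtc = $notOnOrAfter
        ValidityMinutes = $validity.TotalMinutes
        Findings        = $findings
    }
}

# Constructed sample assertion (not a real token): a 3-minute validity window
# that closed 7 minutes before the fixed evaluation time used below.
[xml]$sampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                AssertionID="_constructed-example" IssueInstant="2014-07-09T10:00:00Z">
  <saml:Conditions NotBefore="2014-07-09T10:00:00Z" NotOnOrAfter="2014-07-09T10:03:00Z" />
</saml:Assertion>
'@

# Evaluate against a fixed "now" so the result is reproducible; omit -Now to use the local clock.
$fixedNow = [DateTimeOffset]::Parse('2014-07-09T10:10:00Z').UtcDateTime
$result   = Test-AdfsTokenTiming -Assertion $sampleAssertion -Now $fixedNow
$result.Findings
```

To check a real assertion, load it with [xml](Get-Content -Raw .\AdfsToken.xml) and drop the -Now argument so the comparison uses the client clock, which is what the diagnostic itself compares against.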

What it means when MOSDAL indicates no errors but SSO problems persist

Certain aspects of Office 365 client computer preparedness are emulated by the diagnostic routine. Because they are emulated by the test, the output won't fail in areas where these aspects are the cause of SSO issues. Therefore, in areas where the AD FS 2.0 diagnostic succeeds completely and where the SSO issue remains, the problem is probably related to one of the following:
  • The AD FS 2.0 Federation Service name may not be added to the Local intranet security zone in Internet Explorer.
  • If a proxy server is deployed, the AD FS 2.0 Federation Service name may not be added to the proxy bypass list.
  • The Microsoft Online Services Sign-in Assistant may not be installed on the client device.
  • Certain third-party applications require Extended Protection for Authentication to be disabled on the AD FS 2.0 Federation Service.
For more info about how to troubleshoot these issues, see the following Microsoft Knowledge Base article:
2530713 Signing in to Office 365, Azure, or Windows Intune by using single sign-on doesn't work from some devices

Additionally, the problem may be related to an issue in which the client doesn't have all the required updates for correct rich client functionality. Make sure that all Office 365 client prerequisites are met. For more info, see the following Microsoft Knowledge Base article:
2637629  How to troubleshoot non-browser apps that can’t sign in to Office 365, Azure, or Windows Intune
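
The first three client-side conditions above can be inspected on the client with PowerShell. The following script is an added example and is not part of the MOSDAL Support Toolkit or of either Knowledge Base article; the federation service name is a placeholder, the Sign-in Assistant service name (msoidsvc) is an assumption, and only per-user Internet Explorer settings are read.

```powershell
# Added example, not part of the MOSDAL toolkit: checks the client-side
# conditions that a clean AD FS 2.0 diagnostic run does not exercise.
# $FederationServiceName is a placeholder; replace it with your AD FS service name.
function Test-SsoClientPreparedness {
    param([string]$FederationServiceName = 'sts.contoso.com')   # placeholder value
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $results = [ordered]@{}

    # 1. Local intranet zone. Internet Explorer stores per-user site-to-zone assignments
    #    under ZoneMap\Domains\<domain.tld>[\<host>], with a DWORD named after the scheme
    #    whose data is the zone number (1 = Local intranet). Assumes a two-label registrable
    #    domain; zones pushed by Group Policy live elsewhere and are not checked here.
    $labels   = $FederationServiceName.Split('.')
    $domain   = ($labels | Select-Object -Last 2) -join '.'
    $hostPart = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }
    $zonePaths = @("$inetKey\ZoneMap\Domains\$domain")            # wildcard entry, e.g. *.contoso.com
    if ($hostPart) { $zonePaths += "$inetKey\ZoneMap\Domains\$domain\$hostPart" }
    $inIntranet = $false
    foreach ($p in $zonePaths) {
        $v = Get-ItemProperty -Path $p -Name https -ErrorAction SilentlyContinue
        if ($v -and $v.https -eq 1) { $inIntranet = $true }
    }
    $results['LocalIntranetZone'] = $inIntranet

    # 2. Proxy bypass. ProxyOverride is the semicolon-separated bypass list and only
    #    matters when a proxy is enabled. Entries are wildcard patterns, so use -like.
    $proxy = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    if ($proxy.ProxyEnable -eq 1) {
        $bypass = @($proxy.ProxyOverride -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $results['ProxyBypass'] = [bool]($bypass | Where-Object { $FederationServiceName -like $_ })
    } else {
        $results['ProxyBypass'] = 'n/a (no proxy configured)'
    }

    # 3. Sign-in Assistant. Its Windows service is assumed to be named msoidsvc.
    $svc = Get-Service -Name msoidsvc -ErrorAction SilentlyContinue
    $results['SignInAssistant'] = if ($svc) { "installed ($($svc.Status))" } else { 'not installed' }

    [pscustomobject]$results
}

Test-SsoClientPreparedness -FederationServiceName 'sts.contoso.com' | Format-List
```

A $false for LocalIntranetZone or ProxyBypass points at the first two bullets above; the fourth bullet (Extended Protection for Authentication) is a server-side AD FS setting and is not covered by this client check.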

MORE INFORMATION

Still need help? Go to the Office 365 Community website.

Properties

Article ID: 2598459 - Last Review: July 9, 2014 - Revision: 38.0
Applies to
  • Office 365 Identity Management