How to update or repair the settings of a federated domain in Office 365, Azure, or Windows Intune

Article ID: 2647048

INTRODUCTION

Single sign-on (SSO) in a Microsoft cloud service such as Office 365, Microsoft Azure, or Windows Intune depends on an on-premises deployment of Active Directory Federation Services (AD FS) that functions correctly. Several scenarios require rebuilding the configuration of the federated domain in AD FS to correct technical problems. This article contains step-by-step guidance on how to update or to repair the configuration of the federated domain.

MORE INFORMATION

How to update the configuration of the federated domain

The configuration of the federated domain has to be updated in the scenarios that are described in the following Microsoft Knowledge Base articles.
  • 2713898 "There was a problem accessing the site" error from AD FS when a federated user signs in to Office 365, Azure, or Windows Intune 
  • 2535191 "Sorry, but we're having trouble signing you in" and "80048163" error when a federated user tries to sign in to Office 365, Azure, or Windows Intune
  • 2647020 "Sorry, but we're having trouble signing you in" and "80041317" or "80043431" error when a federated user tries to sign in to Office 365, Azure, or Windows Intune
  • 2707329 "Metadata Exchange (MEX) address for AD FS could not be accessed" error after you run the MOSDAL Support Toolkit
  • 2707335 Error message after you run the MOSDAL Support Toolkit: "The federation metadata document could not be retrieved from AD FS"
  • 2707336 Error message after you run the MOSDAL Support Toolkit: "There was no response from the federation server when the tool attempted to retrieve a Metadata Exchange (MEX) document"
  • 2707338 Error message after you run the MOSDAL Support Toolkit: "There was an exception error during a login attempt"
  • 2707339 Error message after you run the MOSDAL Support Toolkit: "No WS-Trust Windows endpoint is published in the Metadata Exchange (MEX) document"
  • 2707341 Error message after you run the MOSDAL Support Toolkit: "No token was received from the Microsoft Office 365 authentication system"
  • 2707347 "No endpoints in the AD FS Metadata Exchange (MEX) document" error after you run the MOSDAL Support Toolkit
  • 2707355 Error message after you run the MOSDAL Support Toolkit: "The Username/Password authentication endpoint is missing from the Metadata Exchange (MEX) document"
  • 2707356 Error message after you run the MOSDAL Support Toolkit: "The Windows Integrated Authentication endpoint is missing from the Metadata Exchange (MEX) document that is published by the federation server"
  • 2707358 Error message after you run the MOSDAL Support Toolkit: "There is no Web application login URL registered with the Microsoft Office 365 authentication system"
  • 2707359 Error message after you run the MOSDAL Support Toolkit: "There is no Username/Password authentication endpoint registered with the Microsoft Office 365 authentication system"
  • 2707365 Error message after you run the MOSDAL Support Toolkit: "There is no valid Metadata Exchange (MEX) URL registered with the Microsoft Office 365 authentication system."
  • 2707368 "AD FS Token-Signing certificate is not valid" error after you run the MOSDAL Support Toolkit
  • 2707369 "AD FS Token-Signing certificate found in a token does not match the certificate registered" error after you run the MOSDAL Support Toolkit
  • 2707379 Error message after you run the MOSDAL Support Toolkit: "The WS-Trust endpoint for Windows Integrated Authentication in the AD FS Metadata Exchange (MEX) document does not match the one registered"
  • 2748507 Single sign-on (SSO) authentication for other SSO-enabled domains stops working after you run the convert-MSOLDomainToStandard cmdlet
To update the configuration of the federated domain on a domain-joined computer that has Azure Active Directory Module for Windows PowerShell installed, follow these steps:
  1. Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
  2. At the command prompt, type the following commands, and press Enter after each command:
    1. $cred = get-credential
      Note When you're prompted, enter your cloud service administrator credentials.
    2. Connect-MSOLService -Credential:$cred
    3. Set-MSOLADFSContext -Computer:<AD FS 2.0 Server Name>
      Note In this command, the placeholder <AD FS 2.0 Server Name> represents the Windows host name of the primary AD FS server.
    4. Update-MSOLFederatedDomain -DomainName:<Federated Domain Name>
      or
      Update-MSOLFederatedDomain -DomainName:<Federated Domain Name> -SupportMultipleDomain
      Notes Using the -SupportMultipleDomain switch is required when multiple top-level domains are federated by using the same AD FS federation service.

      In these commands, the placeholder <Federated Domain Name> represents the name of the domain that is already federated.
Important A script is available to automate the update of federation metadata regularly to make sure that changes to the AD FS token signing certificate are replicated correctly.

The script creates a Windows scheduled task on the primary AD FS server to make sure that changes to the AD FS configuration such as trust info, signing certificate updates, and so on are propagated regularly to the Azure Active Directory (Azure AD).

If the token-signing certificate is automatically renewed in an environment where the script is implemented, the script will update the cloud trust info to prevent downtime that is caused by out-of-date cloud certificate info. A step-by-step deployment procedure is located at the following Microsoft website:
Set up a scheduled task to automatically update Office 365 when a change is made to the token signing certificate
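The update steps above, run without prompts so that a scheduled task can call them, followed by a check that the token-signing certificate Azure AD has on file is the one AD FS actually uses. This is an added example, not the Microsoft script the article refers to; the credential file path, the Source text matched by the wildcards, and the parameter names are assumptions.

```powershell
# Added example, not the Microsoft script referred to above. It runs the update
# steps from this article without prompting and then checks that the
# token-signing certificate registered in Azure AD matches the one AD FS uses.
# Assumptions: the Azure Active Directory Module for Windows PowerShell (MSOnline)
# is installed, and an admin credential was saved beforehand with
#   Get-Credential | Export-Clixml C:\Scripts\msol-admin.xml
# Export-Clixml protects the password with DPAPI, so only the same Windows account
# on the same computer can read it back; run a scheduled task as that account.
param(
    [Parameter(Mandatory)] [string]$DomainName,   # federated domain, e.g. contoso.com
    [Parameter(Mandatory)] [string]$AdfsServer,   # host name of the primary AD FS server
    [string]$CredentialPath = 'C:\Scripts\msol-admin.xml',
    [switch]$SupportMultipleDomains               # set when several domains share one AD FS
)

Import-Module MSOnline -ErrorAction Stop

$cred = Import-Clixml -Path $CredentialPath
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $AdfsServer

# Step 4 of the article: push the current AD FS trust information to Azure AD.
# The switch is -SupportMultipleDomain (singular) as documented for MSOnline.
if ($SupportMultipleDomains) {
    Update-MsolFederatedDomain -DomainName $DomainName -SupportMultipleDomain
} else {
    Update-MsolFederatedDomain -DomainName $DomainName
}

# Verification. Get-MsolFederationProperty returns one record read from the AD FS
# server and one read from Azure AD; the Source text used to tell them apart is
# an assumption. A thumbprint mismatch is the condition behind KB 2707369 above.
$props = Get-MsolFederationProperty -DomainName $DomainName
$cloud = $props | Where-Object { $_.Source -like '*Office 365*' }
$adfs  = $props | Where-Object { $_.Source -notlike '*Office 365*' }

$adfsThumb  = $adfs.TokenSigningCertificate.Thumbprint
$cloudThumb = $cloud.TokenSigningCertificate.Thumbprint

if (-not $adfsThumb -or -not $cloudThumb) {
    Write-Warning 'Could not read a token-signing certificate from both sources.'
    exit 2
}
if ($adfsThumb -eq $cloudThumb) {
    Write-Output "OK: token-signing certificate $adfsThumb is registered in Azure AD."
    exit 0
}
Write-Warning "MISMATCH: AD FS uses $adfsThumb but Azure AD has $cloudThumb on file."
exit 1
```

A non-zero exit code from a scheduled task run is the signal to alert on; the thumbprint check catches a renewed AD FS certificate that was never propagated before users start failing to sign in.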

How to repair the configuration of the federated domain

The configuration of the federated domain has to be repaired in the scenarios that are described in the following Microsoft Knowledge Base articles.
  • 2523494 You receive a certificate warning from AD FS when you try to sign in to Office 365, Azure, or Windows Intune
  • 2618887 "Federation service identifier specified in the AD FS 2.0 server is already in use." error when you try to set up another federated domain in Office 365, Azure, or Windows Intune
  • 2713898 "There was a problem accessing the site" error from AD FS when a federated user signs in to Office 365, Azure, or Windows Intune
  • 2647020 "Your organization could not sign you in to this service" error and "80041317" or "80043431" error code when a federated user tries to sign in to Office 365
  • 2707348 "Metadata Exchange (MEX) document received from AD FS contains an unknown WS-Trust version" error after you run the MOSDAL Support Toolkit
  • The Federation Service name in AD FS is changed. For more info, go to the following Microsoft website:
    AD FS 2.0: How to Change the Federation Service Name
To repair the federated domain configuration on a domain-joined computer that has Azure Active Directory Module for Windows PowerShell installed, follow these steps.

Warnings
  • The following procedure removes any customizations that limit access to Office 365 services based on the location of the client. After the configuration of the federated domain is repaired, you may have to reconfigure limited AD FS access.
  • The following steps should be planned carefully. Users for whom the SSO functionality is enabled in the federated domain will be unable to authenticate during this operation from the completion of step 4 until the completion of step 5. If the Update-MSOLFederatedDomain cmdlet test in step 1 does not finish successfully, step 5 will not finish correctly, and federated users will be unable to authenticate until the Update-MSOLFederatedDomain cmdlet can be run successfully.
  1. Run the steps in the "How to update the configuration of the federated domain" section earlier in this article to make sure that the Update-MSOLFederatedDomain cmdlet finished successfully.
    • If the cmdlet did not finish successfully, do not continue with this procedure. Instead, see the "Known issues that you may encounter when you update or repair a federated domain" section later in this article to troubleshoot the issue.
    • If the cmdlet finishes successfully, leave the Windows PowerShell window open for later use.
  2. Log on to the AD FS server, and then open the AD FS management console. To do this, click Start, point to All Programs, point to Administrative Tools, and then click AD FS (2.0) Management.
  3. In the left navigation pane, click AD FS (2.0), click Trust Relationships, and then click Relying Party Trusts.
  4. In the rightmost pane, delete the Microsoft Office 365 Identity Platform entry.
  5. In the Windows PowerShell window that you opened in step 1, re-create the deleted trust object. To do this, run the following command, and then press Enter:
    Update-MSOLFederatedDomain -DomainName:<Federated Domain Name>
    or
    Update-MSOLFederatedDomain -DomainName:<Federated Domain Name> -SupportMultipleDomain
    Notes

    Using the -SupportMultipleDomain switch is required when multiple top-level domains are federated by using the same AD FS federation service.

    In these commands, the placeholder <Federated Domain Name> represents the name of the domain that is already federated.

Known issues that you may encounter when you update or repair a federated domain

The following scenarios cause problems when you update or repair a federated domain:
  • You can't connect by using Windows PowerShell. For more info about this issue, see the following Microsoft Knowledge Base article:
    2494043  You cannot connect by using the Azure Active Directory Module for Windows PowerShell
  • The Azure Active Directory Module for Windows PowerShell can't load because of missing prerequisites. For more info, see the following Microsoft Knowledge Base article:
    2461873 You can't open the Azure Active Directory Module for Windows PowerShell
  • You get an "Access Denied" error message when you try to run the set-MSOLADFSContext cmdlet. For more info, see the following Microsoft Knowledge Base article:
    2587730 "The connection to <ServerName> Active Directory Federation Services 2.0 server failed" error when you use the Set-MsolADFSContext cmdlet
Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2647048 - Last Review: July 9, 2014 - Revision: 34.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management
Keywords: 
o365 o365a o365022013 o365e o365m KB2647048
