How to diagnose single sign-on (SSO) logon issues in Office 365 by using Remote Connectivity Analyzer

Article ID: 2650717
Not sure what release of Office 365 you're using? Go to the following Microsoft website:
Am I using Office 365 after the service upgrade?

INTRODUCTION

This article describes how to diagnose single sign-on (SSO) logon issues in Microsoft Office 365 by using Microsoft Remote Connectivity Analyzer. It also contains information about causes of common SSO failures and lists links to resources for how to troubleshoot the issue.

Remote Connectivity Analyzer is a free connectivity test platform for the cloud-based service. It tests the required Office 365 SSO service endpoints for availability and expected behavior by exercising those services from the Internet.

MORE INFORMATION

The data flow of any Office 365 SSO communication is predictable. The expected data flow pattern can be compared to or contrasted with a capture of the actual data flow that occurs during a failing SSO attempt to determine what might be wrong with the process. The Active Directory Federation Services (AD FS) 2.0 Authentication Diagnostic part of the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit also performs this capture and comparison and can be used in concert with Remote Connectivity Analyzer to diagnose Office 365 SSO issues.

How to run Remote Connectivity Analyzer to test SSO authentication in Office 365

To run Remote Connectivity Analyzer to test SSO authentication in Office 365, follow these steps:
  1. Open a web browser, and then browse to https://testexchangeconnectivity.com.
  2. Click the Office 365 tab, click Microsoft Single Sign-On, and then click Next.

  3. Type your user ID and the password, click to select the security acknowledgement check box, type the verification code, and then click Perform Test.

    Notes
    • Your user ID is your user principal name (UPN).
    • You must enter the actual credentials that are associated with the Office 365 SSO implementation that you're testing.

  4. If the connectivity test isn't completed successfully, expand the Test Details result tree by following the error icons to identify the first error that the test encountered. For any error state that's detected, expand the test result tree to the specific error, and then click Tell me more about this issue and how to resolve.

    The following table lists causes of common SSO failures and resources that you can use to help resolve the issue.
    Test: Attempting to retrieve domain registration and to validate federation status information for user; Analyzing the domain registration received for user
    Common cause and failure sources: An error was found in the domain registration.
    Description: This indicates that the domain that's used as the user's UPN suffix hasn't been federated with Office 365.
    Possible resolutions:
    • Federate the UPN suffix domain. For more information about how to do this, visit the following Microsoft website: Configure single sign-on
    • Troubleshoot domain federation and user account problems. For more information, see Microsoft Knowledge Base article 2530590: How to troubleshoot single sign-on (SSO) user account issues in the Office 365 environment
    • Update the user's UPN to use the correct federated domain suffix. For more information, see Microsoft Knowledge Base article 2392130: Troubleshoot Active Directory user accounts that are piloted as Office 365 SSO-enabled user IDs

    Test: Attempting to resolve the host name fed.contoso.com in DNS
    Common cause and failure sources: The host name couldn't be resolved.
    Description: Public DNS resolution of the AD FS 2.0 service endpoint is failing.
    Possible resolutions:
    • For more information about how to troubleshoot this issue, see Microsoft Knowledge Base article 2530569: Troubleshoot single sign-on setup in Office 365
    • For more information about the limitations of not exposing AD FS 2.0, see Microsoft Knowledge Base article 2510193: Implications of using AD FS 2.0 to implement single sign-on in Office 365

    Test: Testing TCP port 443 on host sts.contoso.com to make sure that it is listening and opened
    Common cause and failure sources: The specified port is blocked, not listening, or not producing the expected response.
    Description: One or more of the services on which the AD FS 2.0 response relies have stopped, were stopped, or are unavailable in some way.
    Possible resolutions:
    • Restart the services. For more information, see Microsoft Knowledge Base article 2419389: Internet browser cannot display the AD FS 2.0 webpage when a federated user tries to sign in to Office 365 web resources
    • Investigate a possible AD FS 2.0 memory leak. For more information, see Microsoft Knowledge Base article 2254265: The "500" error code is returned when you send an HTTP SOAP request to the "/adfs/services/trust/mex" endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008
    • Investigate firewall-published AD FS 2.0 service problems. For more information, see the following Microsoft Knowledge Base articles:
      2535789: Internet-based client computers can't authenticate after you set up Active Directory Federation Services (AD FS) in a "firewall-published" configuration
      2712961: How to troubleshoot the AD FS 2.0 connection

    Test: Retrieving AD FS metadata information from metadata exchange URL: https://fed.contoso.com/adfs/services/trust/mex
    Common cause and failure sources: ExRCA couldn't retrieve AD FS metadata.
    Description: One or more of the services on which the AD FS 2.0 response relies have stopped, were stopped, or are unavailable in some way.
    Possible resolutions:
    • Restart the services. For more information, see Microsoft Knowledge Base article 2419389: Internet browser cannot display the AD FS 2.0 webpage when a federated user tries to sign in to Office 365 web resources
    • Investigate problems with the AD FS 2.0 proxy server. For more information, see Microsoft Knowledge Base article 2712961: How to troubleshoot the AD FS 2.0 connection
    • Investigate a possible AD FS 2.0 memory leak. For more information, see Microsoft Knowledge Base article 2254265: The "500" error code is returned when you send an HTTP SOAP request to the "/adfs/services/trust/mex" endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008
    • Investigate firewall-published AD FS 2.0 service problems. For more information, see Microsoft Knowledge Base article 2535789: Internet-based client computers can't authenticate after you set up Active Directory Federation Services (AD FS) in a "firewall-published" configuration

    Test: Validating the certificate name
    Common cause and failure sources: Certificate name validation failed.
    Description: Problems with the SSL certificate are limiting AD FS 2.0 authentication.
    Possible resolutions:
    • Troubleshoot the SSL certificate problems. For more information, see Microsoft Knowledge Base article 2523494: You receive a certificate warning from AD FS 2.0 when you access Office 365 web resources by using a federated account

    Test: Certificate Trust is being verified.
    Common cause and failure sources: Certificate trust validation failed.
    Description: Problems with the SSL certificate are limiting AD FS 2.0 authentication.
    Possible resolutions:
    • Troubleshoot the SSL certificate problems. For more information, see Microsoft Knowledge Base article 2523494: You receive a certificate warning from AD FS 2.0 when you access Office 365 web resources by using a federated account

    Test: ExRCA is attempting to authenticate to the security token service at https://sts.contoso.com/adfs/services/trust/2005/usernamemixed
    Common cause and failure sources: A SOAP fault response was received from the Security Token service. A web exception occurred because an HTTP 503 - Service Unavailable response was received from Unknown.
    Description: The authentication to AD FS 2.0 endpoints by using the Office 365 federation trust is malfunctioning.
    Possible resolutions:
    • Check and rebuild the federation trust. For more information, see Microsoft Knowledge Base article 2647020: "Your organization could not sign you in to this service" error and "80041317" or "80043431" error code when a federated user tries to sign in to Office 365
    • Check and repair the token-signing certificate problems. For more information, see Microsoft Knowledge Base article 2383983: Error message from AD FS 2.0 when a federated user signs in to Office 365: "There was a problem accessing the site."
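The unauthenticated endpoint stages listed above (DNS resolution, TCP port 443, certificate name and trust, metadata exchange retrieval) can be reproduced from any Internet-connected machine to find the first failing stage. The following Python script is an added example, not part of the original article and not Remote Connectivity Analyzer's own code. The stage names, timeouts and the choice to validate the certificate before fetching metadata are assumptions, and the credentialed usernamemixed test is left out.

```python
import socket
import ssl
import sys
import urllib.request

MEX_PATH = "/adfs/services/trust/mex"  # metadata exchange path shown in the table
HOSTNAME_MISMATCH = 62                 # OpenSSL X509_V_ERR_HOSTNAME_MISMATCH

def check_dns(host, port):
    socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)

def check_tcp(host, port):
    socket.create_connection((host, port), timeout=5).close()

def check_cert(host, port):
    # The default context verifies both the chain of trust and the host name.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host):
            pass

def check_mex(host, port):
    # urlopen raises HTTPError (an OSError) on 4xx/5xx, e.g. the 500 case above.
    with urllib.request.urlopen(f"https://{host}:{port}{MEX_PATH}", timeout=10) as resp:
        if not resp.read(1):
            raise RuntimeError("empty metadata response")

STAGES = [("dns", check_dns), ("tcp", check_tcp),
          ("cert", check_cert), ("mex", check_mex)]

def first_failure(host, port=443):
    """Run the stages in order; return (stage, detail) for the first error, else None."""
    for name, check in STAGES:
        try:
            check(host, port)
        except ssl.SSLCertVerificationError as exc:
            kind = "cert-name" if exc.verify_code == HOSTNAME_MISMATCH else "cert-trust"
            return kind, exc.verify_message
        except (OSError, RuntimeError) as exc:
            return name, f"{type(exc).__name__}: {exc}"
    return None

if __name__ == "__main__":
    # Pass your own federation host name, e.g. the sts/fed name used in the table.
    result = first_failure(sys.argv[1])
    print("all stages passed" if result is None else "first failure: %s (%s)" % result)
```

Run it from outside the corporate network so that it sees the same public DNS and firewall path that the cloud service does.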

MORE INFORMATION

Still need help? Go to the Office 365 Community website.

Properties

Article ID: 2650717 - Last Review: May 21, 2013 - Revision: 22.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • Windows Azure Active Directory