Error message after you run the MOSDAL Support Toolkit: "The federation metadata document could not be retrieved from AD FS"

Article ID: 2707335

PROBLEM

After you run the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit, the Active Directory Federation Services (AD FS) diagnostics log contains the following error message:

The federation metadata document could not be retrieved from AD FS.

Note The AD FS diagnostics log is located at \Admin_Applications\SSO_Diagnostic_Tests\ADFSDiagnostic.txt.

CAUSE

This issue may occur if one of the following conditions is true:
  • The AD FS Federation Service or the AD FS Proxy service is unavailable.
  • There is a Secure Sockets Layer (SSL) certificate problem on the AD FS endpoint.
  • The Federation Metadata service endpoint is disabled in the on-premises AD FS Federation Service.
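
The following Windows PowerShell script is an added example; it is not part of the MOSDAL Support Toolkit or of this article. It checks each of the three conditions above from any computer that can reach the federation service: name resolution and a TCP connection to port 443, a TLS handshake that reports exactly why certificate validation fails, and a retrieval of the federation metadata document. The federation service name sts.contoso.com and the default AD FS metadata address path are assumptions; replace them with your own values.

```powershell
# Added example, not part of the MOSDAL toolkit or of this article.
# Checks the three CAUSE conditions from any computer that can reach the federation service.
# Assumptions (replace with your values): the federation service name is sts.contoso.com and
# the metadata document is published at the default AD FS address path.
param([string]$FederationService = "sts.contoso.com")

$metadataPath = "/FederationMetadata/2007-06/FederationMetadata.xml"
$metadataUrl  = "https://$FederationService$metadataPath"

# --- 1. Service availability: name resolution and a TCP connection to port 443 ---
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($FederationService) | ForEach-Object { $_.IPAddressToString }
    Write-Host "DNS  : $FederationService -> $($addresses -join ', ')"
} catch {
    Write-Host "FAIL : cannot resolve $FederationService ($($_.Exception.Message))"
    return
}
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($FederationService, 443)
    Write-Host "TCP  : ${FederationService}:443 is reachable"
} catch {
    Write-Host "FAIL : no listener on ${FederationService}:443 (AD FS/proxy service down or blocked, see Method 1)"
    return
}

# --- 2. SSL certificate: perform the TLS handshake and report the validation result ---
# The callback records the policy errors and returns $true so that the handshake completes and
# the certificate can be inspected. Never use an always-true callback outside a diagnostic.
$script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:sslErrors = $errors
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($FederationService)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS  : subject=$($cert.Subject) expires=$($cert.NotAfter.ToShortDateString())"
    if ($script:sslErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
        Write-Host "FAIL : certificate validation errors: $($script:sslErrors) (see Method 2)"
    } else {
        Write-Host "TLS  : certificate chain and subject name are valid for $FederationService"
    }
} catch {
    Write-Host "FAIL : TLS handshake failed ($($_.Exception.Message))"
    return
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# --- 3. Metadata endpoint: retrieve the document. An HTTP error on a working TLS session
#        points at the endpoint being disabled on the federation server (see Method 3) ---
try {
    $client = New-Object System.Net.WebClient
    [xml]$metadata = $client.DownloadString($metadataUrl)
    Write-Host "META : retrieved, entityID=$($metadata.EntityDescriptor.entityID)"
} catch {
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap the MethodInvocationException
    if ($ex -is [System.Net.WebException] -and $ex.Response) {
        Write-Host "FAIL : HTTP $([int]$ex.Response.StatusCode) from $metadataUrl (endpoint disabled?)"
    } else {
        Write-Host "FAIL : $($ex.Message)"
    }
}
```

Run the script once from inside the corporate network and once from the Internet: a failure that appears only from the Internet points at the AD FS Proxy (or the firewall in front of it) rather than at the Federation Service itself.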

SOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: Troubleshoot AD FS service availability issues

To investigate and resolve service availability issues with the AD FS service, see the following Microsoft Knowledge Base articles:
2419389 Internet browser can't display the AD FS webpage when a federated user tries to sign in to Office 365, Azure, or Windows Intune
2712961 How to troubleshoot AD FS endpoint connection issues when users sign in to Office 365, Windows Intune, or Azure

Method 2: Troubleshoot AD FS communication SSL certificate problems

To investigate and resolve SSL certificate issues with the AD FS service, see the following Microsoft Knowledge Base article:
2523494 You receive a certificate warning from AD FS when you try to sign in to Office 365, Azure, or Windows Intune

Method 3: Reset the AD FS service endpoints to the default configuration

To make sure that the AD FS service endpoints are set up to support single sign-on (SSO) authentication, see the following Microsoft Knowledge Base article:
2712957 Sign in to Office 365, Azure, or Windows Intune fails after you change the federation service endpoint
After the AD FS service endpoints are updated, you must also synchronize the AD FS service metadata to Azure Active Directory (Azure AD). Otherwise Azure AD continues to use the previous endpoint and certificate information. To do this, use the "How to update the configuration of the Office 365 federated domain" section of the following Microsoft Knowledge Base article:
2647048 How to update or repair the settings of a federated domain in Office 365, Azure, or Windows Intune
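
The following Windows PowerShell script is an added example of Method 3 and the metadata synchronization step; it is not part of this article or of the referenced Knowledge Base articles. Run it in an elevated session on the primary AD FS federation server. The federated domain contoso.com, the server name ADFS01 and the default AD FS metadata address path are assumptions; the AD FS cmdlets (Get-ADFSEndpoint, Enable-ADFSEndpoint, Set-ADFSEndpoint) and the MSOnline cmdlets (Set-MsolADFSContext, Update-MsolFederatedDomain, Get-MsolFederationProperty) are the ones documented for AD FS 2.x/2012 R2 and the Azure Active Directory Module for Windows PowerShell.

```powershell
# Added example, not part of this article or of the referenced KB articles.
# Run in an elevated Windows PowerShell session on the primary AD FS federation server.
# Assumptions (replace with your values): the federated domain is contoso.com, the primary
# AD FS server is ADFS01, and the metadata document uses the default AD FS address path.
$domain       = "contoso.com"
$adfsServer   = "ADFS01"
$metadataPath = "/FederationMetadata/2007-06/FederationMetadata.xml"

# Load the AD FS cmdlets: AD FS 2.x exposes them as a snap-in, AD FS on Windows Server 2012 R2 as a module.
if (-not (Get-Command Get-ADFSEndpoint -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    Import-Module ADFS -ErrorAction SilentlyContinue
}

# Method 3: make sure the Federation Metadata endpoint is enabled and published through the proxy,
# because Azure AD (and the MOSDAL toolkit) reads it from the Internet.
$endpoint = Get-ADFSEndpoint -AddressPath $metadataPath
Write-Host ("Before: {0} Enabled={1} Proxy={2}" -f $endpoint.AddressPath, $endpoint.Enabled, $endpoint.Proxy)

if (-not $endpoint.Enabled -or -not $endpoint.Proxy) {
    Enable-ADFSEndpoint -TargetAddressPath $metadataPath
    Set-ADFSEndpoint    -TargetAddressPath $metadataPath -Proxy $true
    # Endpoint changes take effect when the federation service restarts.
    Restart-Service adfssrv
    $endpoint = Get-ADFSEndpoint -AddressPath $metadataPath
    Write-Host ("After : {0} Enabled={1} Proxy={2}" -f $endpoint.AddressPath, $endpoint.Enabled, $endpoint.Proxy)
}

# Verify that the document is actually served before touching the cloud side.
$fsName  = (Get-ADFSProperties).HostName
$client  = New-Object System.Net.WebClient
[xml]$xml = $client.DownloadString("https://$fsName$metadataPath")
Write-Host "AD FS metadata entityID: $($xml.EntityDescriptor.entityID)"

# Synchronize the AD FS configuration (endpoints, token-signing certificate) to Azure AD, as in the
# "How to update the configuration of the Office 365 federated domain" section of KB 2647048.
Import-Module MSOnline
Connect-MsolService                           # prompts for a tenant global administrator credential
Set-MsolADFSContext -Computer $adfsServer
Update-MsolFederatedDomain -DomainName $domain
# Compare what AD FS publishes with what Azure AD now holds; the two sets of values should match.
Get-MsolFederationProperty -DomainName $domain
```

If the domain was federated with the -SupportMultipleDomain switch, pass the same switch to Update-MsolFederatedDomain; otherwise the issuer URI that Azure AD expects will not match the one AD FS issues.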

MORE INFORMATION

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2707335 - Last Review: July 9, 2014 - Revision: 21.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management
Keywords: 
o365 o365a mosdal4.5 o365022013 o365e o365m KB2707335
