Article ID: 2707356 - View products that this article applies to.
After you run the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit, the Active Directory Federation Services (AD FS) diagnostics log contains the following error message:
Note This log located at \Admin_Applications\SSO_Diagnostic_Tests\ADFSDiagnostic.txt.
The Windows Integrated Authentication endpoint is missing from the Metadata Exchange (MEX) document that is published by the federation server.
Additionally, you may notice the following behavior when you sign in to your Microsoft cloud service such as Office 365, Microsoft Azure, or Windows Intune by using a federated account:
Rich client application authentication fails when it tries to access services from an on-premises Active Directory Domain Services-connected client computer.
This issue may occur if the windowstransport and usernamemixed service endpoints are disabled in the on-premises AD FS Federation service.
To resolve this issue, make sure that the AD FS service endpoints are set to support single sign-on (SSO) authentication. For more information about how to do this, see the following Microsoft Knowledge Base article:
2712957After you update the service endpoints, make sure that the AD FS service endpoint configuration metadata is updated to the Azure Active Directory (Azure AD) authentication system. For more information about how to do this, see the "How to update the configuration of the Office 365 federated domain" section of the following Microsoft Knowledge Base article:
(http://support.microsoft.com/kb/2712957/ )Sign in to Office 365, Azure, or Windows Intune fails after you change the federation service endpoint
(http://support.microsoft.com/kb/2647048/ )How to update or repair the settings of a federated domain in Office 365, Azure, or Windows Intune
Still need help? Go to the Office 365 Community
(http://community.office365.com/)website or the Azure Active Directory Forums
Article ID: 2707356 - Last Review: July 9, 2014 - Revision: 18.0