Error message after you run the MOSDAL Support Toolkit: "The WS-Trust endpoint for Windows Integrated Authentication in the AD FS Metadata Exchange (MEX) document does not match the one registered"

Article ID: 2707379

PROBLEM

After you run the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit, the Active Directory Federation Services (AD FS) diagnostics log contains the following error message:

The WS-Trust endpoint for Windows Integrated Authentication in the AD FS Metadata Exchange (MEX) document does not match the one registered with the Microsoft Office 365 authentication system.

Note This log is located at Admin_Applications\SSO_Diagnostic_Tests\ADFSDiagnostic.txt.

Additionally, you may notice the following behavior when you sign in to a Microsoft cloud service, such as Office 365, Microsoft Azure, or Windows Intune, by using a federated account:
  • You receive the following error message when you connect to the AD FS service:
    "There was a problem accessing this site"

CAUSE

This issue may occur if one of the following conditions is true:
  • The windowstransport and usernamemixed service endpoints are disabled in the on-premises AD FS Federation service.
  • The windowstransport and usernamemixed service endpoints are enabled in the on-premises AD FS Federation service, but they were disabled the last time that the Update-MsolFederatedDomain cmdlet was run to update the cloud service with AD FS configuration data. To determine whether the AD FS metadata was not updated correctly, see the "Cause" section in the following Microsoft Knowledge Base article:
    2647020 "Sorry, but we're having trouble signing you in" and "80041317" or "80043431" error when a federated user tries to sign in to Office 365, Azure, or Windows Intune 
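
The following is an added example, not part of the original article or of the MOSDAL toolkit. It shows, offline, the kind of comparison the diagnostic message describes: it reads the endpoint addresses advertised in a MEX (WSDL) document and compares them with the URLs registered for the domain. The host names, the sample MEX document, the registered URLs, and the function names are constructed for illustration, and the path suffixes are assumed to be the AD FS default WS-Trust 2005 paths.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "wsa10": "http://www.w3.org/2005/08/addressing"}
# The two endpoints named in the CAUSE section (assumed default AD FS paths).
REQUIRED = {"windowstransport": "/adfs/services/trust/2005/windowstransport",
            "usernamemixed": "/adfs/services/trust/2005/usernamemixed"}

# Constructed sample: a MEX document that advertises only windowstransport.
SAMPLE_MEX = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing">
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="WindowsTransport"><wsa10:EndpointReference>
      <wsa10:Address>https://sts.contoso.example/adfs/services/trust/2005/windowstransport</wsa10:Address>
    </wsa10:EndpointReference></wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""
# Constructed sample: URLs as last registered with the cloud service.
REGISTERED = {
    "windowstransport": "https://adfs-old.contoso.example/adfs/services/trust/2005/windowstransport",
    "usernamemixed": "https://sts.contoso.example/adfs/services/trust/2005/usernamemixed"}

def _norm(url):
    """Lower-case the URL and drop a trailing slash so only real differences count."""
    u = urlsplit(url.strip())
    return f"{u.scheme.lower()}://{u.netloc.lower()}{u.path.rstrip('/').lower()}"

def mex_endpoints(mex_xml):
    """Return the normalised addresses advertised by wsdl:port elements."""
    root = ET.fromstring(mex_xml)
    xpath = ".//wsdl:port/wsa10:EndpointReference/wsa10:Address"
    return {_norm(a.text) for a in root.iterfind(xpath, NS) if a.text}

def check(mex_xml, registered):
    """Classify each required endpoint as ok, missing from MEX, or mismatched."""
    advertised = mex_endpoints(mex_xml)
    report = {}
    for name, path in REQUIRED.items():
        in_mex = sorted(a for a in advertised if a.endswith(path))
        if not in_mex:
            report[name] = "missing from MEX (check that the endpoint is enabled)"
        elif _norm(registered[name]) not in in_mex:
            report[name] = f"mismatch: MEX advertises {in_mex[0]}"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for endpoint, status in check(SAMPLE_MEX, REGISTERED).items():
        print(f"{endpoint}: {status}")
```

A "missing" result corresponds to the first cause above, and a "mismatch" result to the second, where the registered data is stale.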

SOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: Reset the AD FS service endpoints to the default configuration

For information about how to make sure that the AD FS service endpoints are set up to support single sign-on (SSO) authentication, see the following Microsoft Knowledge Base article:
2712957 Sign in to Office 365, Azure, or Windows Intune fails after you change the federation service endpoint   

Method 2: Make sure that the AD FS service endpoint configuration is updated to Azure AD

For information about how to make sure that the AD FS service endpoint configuration metadata is updated to Azure Active Directory (Azure AD), see the "How to update the configuration of the Office 365 federated domain" section of the following article:
2647048 How to update or repair the settings of a federated domain in Office 365, Azure, or Windows Intune

MORE INFORMATION

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2707379 - Last Review: July 9, 2014 - Revision: 21.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management
Keywords: 
o365 o365a mosdal4.5 o365022013 o365e o365m KB2707379
