Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
How to troubleshoot the AD FS 2.0 connection
Article ID: 2712961 - View products that this article applies to.
Not sure what release of Office 365 you're using? Go to the following Microsoft website:
Am I using Office 365 after the service upgrade?
When you sign in to Office 365 by using a single sign-on (SSO)-enabled user ID, the connection to the Active Directory Federation Services (AD FS) 2.0 service fails only when you try to do the following:
For more information about how to run the Remote Connectivity Analyzer to test SSO authentication in Office 365, see the following articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/2650717/ )How to diagnose single sign-on (SSO) logon issues in Office 365 by using Remote Connectivity Analyzer
(http://support.microsoft.com/kb/2466333/ )Federated users can't connect to an Exchange Online mailbox
These failures can occur if the AD FS 2.0 service isn't exposed correctly to the Internet. Typically, the AD FS 2.0 proxy server is used for this purpose, and problems with the AD FS 2.0 proxy server will cause these symptoms. Common problems include the following:
To resolve this issue, use one of the following methods, as appropriate for your situation. on all malfunctioning AD FS 2.0 proxy servers.
Method 1: Fix AD FS 2.0 SSL certificate issues on the AD FS 2.0 serverTo do this, follow these steps:
Method 2: Reset the AD FS 2.0 proxy server IIS authentication settings to defaultTo do this, follow the steps that are described in Resolution 1 of the following Microsoft Knowledge Base article for the AD FS 2.0 proxy server:
(http://support.microsoft.com/kb/2461628/ )A federated user is repeatedly prompted for credentials when he or she connects to the AD FS 2.0 service endpoint during Office 365 sign-in
Method 3: Rerun the AD FS 2.0 Proxy Configuration wizardTo do this, rerun the AD FS 2.0 Federation Server Proxy Configuration Wizard from the Administrative Tools interface of all affected AD FS 2.0 proxy servers.
Note It is usual to receive a warning from the "Deploy browser sign-in Web site" step when you rerun the configuration wizard. This isn't an indication that the wizard did not rebuild the trust between the AD FS 2.0 proxy server and the AD FS 2.0 Federation Service.
For more information about how to expose the AD FS 2.0 service to the Internet by using an AD FS 2.0 proxy server, go to the following Microsoft website:
Plan for and deploy AD FS 2.0 for use with single sign-on
Still need help? Go to the Office 365 Community
Article ID: 2712961 - Last Review: May 15, 2013 - Revision: 7.0