When users sign in to a Microsoft cloud service such as Office 365, Windows Intune, or Windows Azure by using a federated user account, the connection to the Active Directory Federation Services (AD FS) service fails only when users try to do the following:
- Connect from a remote Internet location
- Use email connections to sign in
This situation also causes SSO testing that the Remote Connectivity Analyzer conducts to fail.
For more information about how to run the Remote Connectivity Analyzer to test SSO authentication in Office 365, see the following articles in the Microsoft Knowledge Base:
How to diagnose single sign-on (SSO) logon issues in Office 365 by using Remote Connectivity Analyzer
Federated users can't connect to an Exchange Online mailbox
These failures can occur if the AD FS service isn't exposed correctly to the Internet. Typically, the AD FS proxy server is used for this purpose, and problems with the AD FS proxy server will cause these symptoms. Common problems include the following:
- Expired SSL certificate that's assigned to the AD FS proxy server
Frequently, the same SSL certificate is used to help secure communication (HTTPS) for both the AD FS Federation Service and the AD FS proxy server. When this certificate becomes expired and the certificate is renewed or updated on the AD FS Federation Service farm, the SSL certificate must also be updated on all AD FS proxy servers. If the AD FS proxy server SSL certificate isn't updated in this case, Internet connections to the AD FS service may fail, even though the AD FS Federation Service is healthy.
- Incorrect configuration of IIS authentication endpoints
The role of the AD FS proxy server is to receive Internet communication that's directed at AD FS and to relay that communication to the AD FS Federation Service. Therefore, it's important for the IIS authentication setting of the AD FS Federation Service and proxy server to be complementary. When the AD FS proxy server IIS authentication settings aren't set to complement the AD FS Federation Service IIS authentication settings, sign-in may fail or may generate multiple, unexpected prompts.
- Broken trust between the AD FS proxy server and the AD FS Federation Service
The AD FS proxy service is designed to be installed on a non-domain joined computer. Therefore, the communication between the AD FS proxy server and the AD FS Federation Service can't be based on an Active Directory trust or credentials. Instead, the communication between these two server roles is established by using a token that is issued to the AD FS proxy server by the AD FS Federation Service and signed by the AD FS token-signing certificate. When this trust is expired or invalid, the AD FS Proxy Service can't relay AD FS requests, and the trust must be rebuilt to restore functionality.
To resolve this issue, use one of the following methods, as appropriate for your situation, on all malfunctioning AD FS proxy servers.
Method 1: Fix AD FS SSL certificate issues on the AD FS server
To do this, follow these steps:
- Troubleshoot SSL certificate problems on the AD FS Federation Service (not the Proxy Service) by using the following Microsoft Knowledge Base article:
You receive a certificate warning from AD FS when you access Office 365 web resources by using a federated account
- If the AD FS Federation Service SSL certificate is functioning correctly, update the SSL certificate on the AD FS proxy server by using the certificate export and import functions. For more info, see the following Microsoft Knowledge Base article:
How to remove, import, and export digital certificates
Method 2: Reset the AD FS proxy server IIS authentication settings to default
To do this, follow the steps that are described in Resolution 1 of the following Microsoft Knowledge Base article for the AD FS proxy server:
A federated user is repeatedly prompted for credentials during sign-in to Office 365
Method 3: Rerun the AD FS Proxy Configuration wizard
To do this, rerun the AD FS Federation Server Proxy Configuration Wizard from the Administrative Tools interface of all affected AD FS proxy servers.Note
It's usual to receive a warning from the "Deploy browser sign-in Web site" step when you rerun the configuration wizard. This isn't an indication that the wizard did not rebuild the trust between the AD FS proxy server and the AD FS Federation Service.
For more info about how to expose the AD FS service to the Internet by using an AD FS proxy server, go to the following Microsoft website:
Still need help? Go to the Office 365 Community
website or the Windows Azure Active Directory Forums
Article ID: 2712961 - Last Review: December 3, 2013 - Revision: 14.0
- Windows Azure
- Microsoft Office 365
- Microsoft Office 365 for enterprises (pre-upgrade)
- Microsoft Office 365 for education (pre-upgrade)
- CRM Online via Office 365 E Plans
- Windows Azure Recovery Services
|o365 o365a mosdal4.5 o365022013 after upgrade o365062011 pre-upgrade o365e o365m KB2712961|