How to troubleshoot the AD FS 2.0 connection

Article ID: 2712961 - View products that this article applies to.

Not sure what release of Office 365 you're using? Go to the following Microsoft website:
Am I using Office 365 after the service upgrade?
(http://office.microsoft.com/redir/HA103982331.aspx)
Expand all | Collapse all

PROBLEM

When you sign in to Office 365 by using a single sign-on (SSO)-enabled user ID, the connection to the Active Directory Federation Services (AD FS) 2.0 service fails only when you try to do the following:
  • Connect from a remote Internet location
  • Use email connections to sign in
This situation also causes SSO testing that the Remote Connectivity Analyzer conducts to fail.

For more information about how to run the Remote Connectivity Analyzer to test SSO authentication in Office 365, see the following articles in the Microsoft Knowledge Base:  
2650717
(http://support.microsoft.com/kb/2650717/ )
How to diagnose single sign-on (SSO) logon issues in Office 365 by using Remote Connectivity Analyzer
2466333
(http://support.microsoft.com/kb/2466333/ )
 Federated users can't connect to an Exchange Online mailbox  
Back to the top | Give Feedback

CAUSE

These failures can occur if the AD FS 2.0 service isn't exposed correctly to the Internet. Typically, the AD FS 2.0 proxy server is used for this purpose, and problems with the AD FS 2.0 proxy server will cause these symptoms. Common problems include the following:
  • Expired SSL certificate that's assigned to the AD FS 2.0 proxy server

    Frequently, the same SSL certificate is used to help secure communication (HTTPS) for both the AD FS 2.0 Federation Service and the AD FS 2.0 proxy server. When this certificate becomes expired and the certificate is renewed or updated on the AD FS 2.0 Federation Service farm, the SSL certificate must also be updated on all AD FS 2.0 proxy servers. If the AD FS 2.0 proxy server SSL certificate isn't updated in this case, Internet connections to the AD FS service may fail, even though the AD FS 2.0 Federation Service is healthy.
  • Incorrect configuration of IIS authentication endpoints

    The role of the AD FS 2.0 proxy server is to receive Internet communication that's directed at AD FS and to relay that communication to the AD FS 2.0 Federation Service. Therefore, it's important for the IIS authentication setting of the AD FS 2.0 Federation Service and proxy server to be complementary. When the AD FS 2.0 proxy server IIS authentication settings aren't set to complement the AD FS 2.0 Federation Service IIS authentication settings, sign-in may fail or may generate multiple, unexpected prompts.
  • Broken trust between the AD FS 2.0 proxy server and the AD FS 2.0 Federation Service

    The AD FS 2.0 proxy service is designed to be installed on a non-domain joined computer. Therefore, the communication between the AD FS 2.0 proxy server and the AD FS 2.0 Federation Service can't be based on an Active Directory trust or credentials. Instead, the communication between these two server roles is established by using a token that is issued to the AD FS 2.0 proxy server by the AD FS 2.0 Federation Service and signed by the AD FS token-signing certificate. When this trust is expired or invalid, the AD FS 2.0 Proxy Service can't relay AD FS requests, and the trust must be rebuilt to restore functionality.  
Back to the top | Give Feedback

SOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation. on all malfunctioning AD FS 2.0 proxy servers.

Method 1: Fix AD FS 2.0 SSL certificate issues on the AD FS 2.0 server

To do this, follow these steps:
  1. Troubleshoot SSL certificate problems on the AD FS 2.0 Federation Service (not the Proxy Service) by using the following Microsoft Knowledge Base article:
    2523494
    (http://support.microsoft.com/kb/2523494/ )
     You receive a certificate warning from AD FS 2.0 when you access Office 365 web resources by using a federated account  
  2. If the AD FS 2.0 Federation Service SSL certificate is functioning correctly, update the SSL certificate on the AD FS 2.0 proxy server by using the certificate export and import functions. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    179380
    (http://support.microsoft.com/kb/179380/ )
    How to remove, import, and export digital certificates

Method 2: Reset the AD FS 2.0 proxy server IIS authentication settings to default

To do this, follow the steps that are described in Resolution 1 of the following Microsoft Knowledge Base article for the AD FS 2.0 proxy server:
2461628
(http://support.microsoft.com/kb/2461628/ )
 A federated user is repeatedly prompted for credentials when he or she connects to the AD FS 2.0 service endpoint during Office 365 sign-in  

Method 3: Rerun the AD FS 2.0 Proxy Configuration wizard

To do this, rerun the AD FS 2.0 Federation Server Proxy Configuration Wizard from the Administrative Tools interface of all affected AD FS 2.0 proxy servers.

Note It is usual to receive a warning from the "Deploy browser sign-in Web site" step when you rerun the configuration wizard. This isn't an indication that the wizard did not rebuild the trust between the AD FS 2.0 proxy server and the AD FS 2.0 Federation Service.

Back to the top | Give Feedback

MORE INFORMATION

For more information about how to expose the AD FS 2.0 service to the Internet by using an AD FS 2.0 proxy server, go to the following Microsoft website:
Plan for and deploy AD FS 2.0 for use with single sign-on
(http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx#bk_deployfsp)
Back to the top | Give Feedback

Still need help? Go to the Office 365 Community
(http://community.office365.com/)
website.
Back to the top | Give Feedback

Properties

Article ID: 2712961 - Last Review: May 15, 2013 - Revision: 7.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • Windows Azure Active Directory
Keywords: 
o365 o365a mosdal4.5 o365022013 after upgrade o365062011 pre-upgrade o365e o365m KB2712961
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top