Determine the AD FS endpoint address for the on-premises federation server

To do this, follow these steps on a domain-connected computer that has Azure Active Directory Module for Windows PowerShell installed:
- Run the Azure Active Directory Module for Windows PowerShell as an elevated admin. To do this, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
- Type the following commands. Press Enter after you type each command:
$cred = Get-Credential

Note When you're prompted, enter your global admin credentials.

Connect-MsolService -Credential $cred

Set-MsolADFSContext -Computer <AD FS Server>

Note The <AD FS Server> placeholder represents the computer name of your primary AD FS server.

Get-MsolFederationProperty -DomainName <Federated Domain> | FL

Note The <Federated Domain> placeholder represents the domain name that's federated with the cloud service.
Determine the server that's having problems

Scope the issue. To do this, determine the server that's having problems. If only Internet clients are having problems, troubleshoot the AD FS Federation server proxy first. If corporate network clients are also having problems, troubleshoot the AD FS federation server first.
After you determine which server is having problems, follow these steps on the appropriate AD FS server:
Step 1: Make sure that the on-premises AD FS federation server is running
- On the AD FS federation server, open Control Panel, click Administrative Tools, and then click Services.
- Look for the AD FS Windows Service service.
- Make sure that the status of the AD FS Windows Service service is Started. If the service is stopped, right-click the service, and then click Start to start the service.
Step 2: Make sure that the web server is running on the appropriate AD FS server
- On the AD FS federation server or on the AD FS federation server proxy, open Server Manager, expand Roles, expand Web Server (IIS), and then select Internet Information Services.
- Expand your computer name, and then expand Sites.
- Make sure that Default Web Site is set to Started. If it isn't, right-click Default Web Site, point to All Tasks, and then click Start.
- Expand Default Web Site, and then make sure that the adfs and /adfs/ls virtual directories exist.
Step 3: Make sure that DNS has a host record for the AD FS endpoint that's appropriate to the client that's having problems

For internal clients, internal DNS should resolve the AD FS endpoint name to an internal IP address (for example, sts.contoso.com A 192.168.1.104). For Internet clients, the endpoint name should resolve to a public IP address. This can be tested on the client by using the following procedure. If the on-premises network contains a proxy server, try to add the AD FS endpoint by using Internet Options in Internet Explorer.
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, type the following command, where the placeholder <STS.contoso.com> represents the AD FS endpoint name:

nslookup <STS.contoso.com>
- If the command results in an incorrect IP address, resolve the issue by updating the A record on either the internal or external DNS server. To make sure that DNS requests for AD FS resources from on-premises computers resolve to the AD FS Federation service instead of the AD FS Proxy server, see the following Microsoft Knowledge Base article to check and update the split-brain DNS settings:

2715326 Split-brain DNS misconfiguration prevents seamless SSO sign-in experience

Note Updated Internet-facing DNS settings may take as long as 48 hours to propagate to all Internet DNS servers.
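The following PowerShell function is an added example, not part of this article or of any Microsoft tool: it performs the same lookup as the nslookup step above from the client's own resolver and reports whether the result fits the client's location (internal clients should get a private address, Internet clients a public one). The endpoint name sts.contoso.com and the address 192.168.1.104 are assumptions taken from the example values in Step 3.

```powershell
# Added example (not from the original article). Resolves the AD FS endpoint name the way
# the nslookup step does and flags the DNS mismatches Step 3 describes.
function Test-PrivateIPv4Address {
    param([Parameter(Mandatory)][string] $Address)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-AdfsEndpointResolution {
    param(
        [Parameter(Mandatory)][string] $EndpointName,                                    # e.g. sts.contoso.com
        [Parameter(Mandatory)][ValidateSet('Internal','Internet')][string] $ClientLocation,
        [string[]] $ExpectedAddresses = @()                                              # A record(s) this client should get
    )
    # Same query nslookup issues in the step above, using this client's configured DNS servers.
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($EndpointName) |
            Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $addresses = @()
    }

    $verdict = 'OK: endpoint resolves as expected for this client location.'
    if ($addresses.Count -eq 0) {
        $verdict = 'FAIL: no A record found; add one on the DNS server this client uses.'
    } elseif ($ClientLocation -eq 'Internal' -and ($addresses | Where-Object { -not (Test-PrivateIPv4Address $_) })) {
        # An internal client reaching a public address is usually being sent to the AD FS proxy.
        $verdict = 'WARN: internal client resolves to a public address; check split-brain DNS (KB 2715326).'
    } elseif ($ClientLocation -eq 'Internet' -and ($addresses | Where-Object { Test-PrivateIPv4Address $_ })) {
        $verdict = 'FAIL: Internet client resolves to a private address; fix the external A record.'
    } elseif ($ExpectedAddresses.Count -gt 0 -and (Compare-Object $ExpectedAddresses $addresses)) {
        $verdict = "FAIL: resolved $($addresses -join ', ') but expected $($ExpectedAddresses -join ', ')."
    }

    [pscustomobject]@{
        Endpoint       = $EndpointName
        ClientLocation = $ClientLocation
        Addresses      = $addresses
        Verdict        = $verdict
    }
}

# Run on an internal client; the expected address is the article's example value (assumed).
Test-AdfsEndpointResolution -EndpointName 'sts.contoso.com' -ClientLocation Internal -ExpectedAddresses '192.168.1.104'
```

Run it once from an internal client and once from an Internet client; a WARN on the internal side is the symptom KB 2715326 covers, and a FAIL on the Internet side points at the external A record.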
Step 4: Try to add the AD FS server name as an exception in the Internet proxy settings in Internet Explorer on the client computer

If the on-premises network contains a proxy, and if only internal clients are having problems with AD FS access, try to add the AD FS server name as an exception in the Internet proxy settings in Internet Explorer. To do this, follow these steps on the client computer:
- Open Internet Explorer, and then click Internet Options on the Tools menu.
- Click the Connections tab, and then click LAN Settings.
- Under Automatic configuration, click to clear the check boxes, and then click to select the Use a proxy server for your LAN check box under Proxy server.
- Under Proxy server, add the proxy server address and the port that the proxy server uses, and then click Advanced.
- Under Exceptions, add your AD FS endpoint (for example, sts.contoso.com).