- The on-premises Active Directory Federation Services (AD FS) 2.0 federation service isn't available from the public Internet.
- The Secure Sockets Layer (SSL) certificate that's used by the AD FS 2.0 endpoint is issued by a certification authority that isn't trusted by the Exchange Online data center.
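The two causes above can be told apart with a TLS probe run from a machine outside the corporate network. The following is an added example, not part of the original article; the host name `sts.contoso.example` is hypothetical, and the local system trust store is assumed to stand in for the certification authorities that the Exchange Online data center trusts.

```python
import socket
import ssl

# Assumption: the system trust store stands in for the public CAs that
# the Exchange Online data center trusts; the two stores are not identical.
UNREACHABLE = "unreachable from this network"
UNTRUSTED = "certificate not trusted or name mismatch"
TLS_ERROR = "TLS handshake failed"
OK = "reachable with a trusted certificate"


def classify(exc):
    """Map a connection exception to one of the causes listed above."""
    # Order matters: SSLCertVerificationError is a subclass of SSLError,
    # which is itself a subclass of OSError.
    if exc is None:
        return OK
    if isinstance(exc, ssl.SSLCertVerificationError):
        return UNTRUSTED
    if isinstance(exc, ssl.SSLError):
        return TLS_ERROR
    if isinstance(exc, OSError):  # DNS failure, refused connection, timeout
        return UNREACHABLE
    raise exc


def probe(host, port=443, timeout=5.0):
    """Connect to host:port with full chain and host name validation."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Report the issuing organization of the validated certificate.
                issuer = dict(x[0] for x in tls.getpeercert()["issuer"])
                return OK, issuer.get("organizationName", "")
    except OSError as exc:
        return classify(exc), str(exc)


if __name__ == "__main__":
    # Hypothetical federation service name; replace with your own.
    print(probe("sts.contoso.example"))
```

A result of "unreachable" from an external network corresponds to the first cause; a certificate verification failure corresponds to the second.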
Use Microsoft Remote Connectivity Analyzer to test whether the on-premises AD FS 2.0 federation service is causing Outlook logon problems for federated users. To do this, follow these steps:
- In Internet Explorer, browse to https://www.testconnectivity.microsoft.com/?testid=O365Ola.
- Type the email address and credentials, click to select the acknowledgement check box near the bottom of the page, type the verification code, and then click Perform Test. This test should be run two times. Run the test by using each of the following credentials:
- A federated account that has a mailbox in Exchange Online
- A standard user account that has a mailbox in Exchange Online
- Check the results of both tests to determine whether AD FS 2.0 is causing the Outlook sign-in issue.
a. Drill down to the following node of the Test Details tree:
Testing RPC/HTTP connectivity
- ExRCA is attempting to test Autodiscover for email@example.com
- Attempting each method of contacting the Autodiscover service
- Attempting to contact the Autodiscover service using the HTTP redirect method
- Attempting to send an Autodiscover POST request to potential Autodiscover URLs
- ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user
b. Check whether both the following conditions are true:
- The federated account can't access Autodiscover and receives an "HTTP 401 authorized response" error message.
- The standard user account can access Autodiscover.
If both conditions are true, you have confirmed that SSO failures are causing Outlook authentication to fail.
Method 1: Expose the on-premises AD FS 2.0 federation service to the Internet
Set up an AD FS 2.0 federation server proxy for the on-premises AD FS 2.0 environment (or set up a firewall reverse proxy of the AD FS 2.0 Federation Service) that supports SSO, and then publish the proxy to the Internet.
For more info about the AD FS 2.0 federation server proxy implementation, go to the following Microsoft website:
Method 2: Troubleshoot problems with the AD FS 2.0 proxy server
For more info about how to troubleshoot AD FS 2.0 proxy server issues, see the following Microsoft Knowledge Base article:
Article ID: 2466333 – Last Review: October 27, 2014 – Revision: 1