Outlook re-direct to Office365 for LAN clients

Hi Experts,
Switching a client over to Office365 and have everything set up, I believe.
- Have local ADFS server on 2008 R2.
- Have 3rd party SSLs assigned to default website.
- Have external DNS record for ADFS server created & accessible.
- AD is replicated successfully to cloud. Domain is active (2 domains, but one was created when setting up account, then 2nd domain was the actual school's domain that I verified with DNS record).
- Outlook Anywhere has been configured on their Exchange 2003 server.
- Firewall / ports have been configured & adjusted for ADFS/SSL.
- Have volume license applied to account.
- Have run mock staged migration of mailboxes on handful of users. Migrations appear to have completed successfully.
- Office365 MX record for client is created and active but not priority yet due to not migrating all mailboxes yet (staged).
- Exchange connectivity test results are successful for environment.

User logging into local LAN client machine, Outlook is not getting redirected to cloud, or if user attempts to login to O365 portal, you can see the redirect attempting to ADFS fqdn, but doesn't get authenticated. However outside of their LAN, on an internet connected PC, you are able to successfully login as one of the migrated users onto the O365 portal, and login to their mail, etc..

I've heard some talk about a proxy component w/ the Office365 but thought that was only for external users and am a little confused, so looking for a little hand holding to finalize this project.
Ugo Mena Commented:
Sounds like you need to set up your own Autodiscover CNAME record to redirect local users to Office 365.

Use a CNAME Record to Enable Outlook to Connect:

Vasil Michev (MVP) Commented:
Your internal record for the AD FS server (farm) has to be A record as well, change it if it is a CNAME.

About the issue, does it happen for all users or only specific ones? With default IIS settings, some users might get problems when logging internally, due to the fact that they are members of too many groups. Externally they will still be able to log in. So if it affects specific users only, this might be the cause.

Give us specific errors/screenshots.
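
A way to check the group-membership cause mentioned above, as an added example that is not part of the thread: each group SID enlarges the user's Kerberos ticket, and the browser sends that ticket base64-encoded in a single Negotiate header that the web server must accept. The sketch applies Microsoft's published token-size estimate to constructed group lists; the limits are Windows defaults and `school.example` is a placeholder domain.

```python
import math

# Microsoft's published estimate (KB327825): token bytes = 1200 + 40*d + 8*s
#   d = domain-local groups + universal groups from other domains + SIDHistory SIDs
#   s = global groups + universal groups in the user's own domain
HTTP_SYS_DEFAULT_LIMIT = 16384  # HTTP.sys default MaxFieldLength/MaxRequestBytes
MAX_TOKEN_SIZE_DEFAULT = 12000  # Kerberos MaxTokenSize default before Server 2012


def count_sids(groups, user_domain, sid_history=0):
    """Split (scope, domain) group memberships into the formula's d and s."""
    d, s = sid_history, 0
    for scope, domain in groups:
        foreign_universal = scope == "universal" and domain != user_domain
        if scope == "domain_local" or foreign_universal:
            d += 1
        else:
            s += 1
    return d, s


def assess(groups, user_domain, sid_history=0):
    """Estimate the ticket size and the Authorization header that carries it."""
    d, s = count_sids(groups, user_domain, sid_history)
    token = 1200 + 40 * d + 8 * s
    # The ticket travels base64-encoded after "Negotiate " in one request header.
    header = len("Authorization: Negotiate ") + 4 * math.ceil(token / 3)
    return {
        "token_bytes": token,
        "header_bytes": header,
        "exceeds_max_token_size": token > MAX_TOKEN_SIZE_DEFAULT,
        "exceeds_http_sys_limit": header > HTTP_SYS_DEFAULT_LIMIT,
    }


# Constructed sample users (not from the thread).
DOMAIN = "school.example"
typical = [("global", DOMAIN)] * 40 + [("domain_local", DOMAIN)] * 10
heavy = [("global", DOMAIN)] * 150 + [("domain_local", DOMAIN)] * 250

if __name__ == "__main__":
    for name, groups in (("typical", typical), ("heavy", heavy)):
        print(name, assess(groups, DOMAIN))
```

The figures are estimates for triage: a user flagged here is a candidate for group cleanup or for raising the server-side limits, and the AD FS and HTTP error logs confirm whether requests are actually being rejected.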
SflahertyEEAuthor Commented:
Hi Experts,
@ultralites that's interesting, I hadn't heard of that. I've got the autodiscover DNS record for the external MX record but that's not priority right now since we haven't migrated all the mailboxes.

But you're saying I'll need to create an internal autodiscover record for LAN clients using Outlook. So what server am I cname'ing? Not the internal Exchange server, right?
I guess I'm stuck on thinking through it. So Outlook 2010 needs to redirect to the O365 cloud mailbox, and that means for the server settings in Outlook I'm putting what?
Like I said, may need some hand holding on this...

@vasilcho, I'll check again but the ADFS server should be A record only internally, but I'll check again and let you know. And right now it affects all users that I have migrated their mailbox to the cloud... so they're not redirecting to cloud so any mail sent after the migration is not going to the Xchange server only the cloud mailbox..

SflahertyEEAuthor Commented:
...nope, that wasn't it.
Have set up CNAME autodiscover record and it's resolving properly and that hasn't made any difference to the clients on the LAN.

There's something going on w/ the ADFS server that it's not authenticating locally properly....
but as I mentioned, clients unable to login to O365 via browser also. You can see ADFS server called and prompt you for domain login, then hangs there....

Vasil Michev (MVP) Commented:
As I said, check your record and give us a specific error message. Look at the event logs and even collect one trace log for an unsuccessful attempt. More about logging here:


Alternatively, download the MOSDAL and run the AD FS test with it. You can get it from here:

SflahertyEEAuthor Commented:
Sorry for the delay in posting back, been getting pulled in several directions with several projects...

Anyway, @vasilcho, had run the MOSDAL but those were returning w/ successful and positive results so wasn't getting anything from there.

Ended up working with MS O365 techs for a few days on the issue and they were unable to figure out the exact reason as well. I had only one ADFS server w/ no plans to install farm initially but had selected the 'Farm' option during the installation as opposed to 'standalone' option during install, and they felt I should have selected the 'standalone' option as part of Best Practices...
But that being said, my AD replication was working properly so we finally decided to try to remove ADFS, remove the web directories under IIS and directories under Explorer to remove any trace of the installation and Re-Install ADFS and reconfigure. Then sync w/ the cloud and define the endpoint and convert to federated domain.
That sync appeared to go well and once reconfigured the authentication from inside and outside was working properly.
So in summary, never did pinpoint the exact issue but a clean uninstall / reinstall of ADFS appeared to resolve the issue.

Thanks for all your help, but O365 still in its infancy and I think we may see many more of these types of issues in the short term as this starts to gain ground especially with the schools and municipalities due to pricing model.

SflahertyEEAuthor Commented:
Worked w/ MS techs and they were unable to find root cause of issue; however, full uninstall and reinstall of ADFS seemed to rectify the issue and that's what the MS techs wanted to try after several hours of troubleshooting over a few days....