ADFS 2.0 and Office365 SSO Authentication Issue

We are having an issue with ADFS and Office365 SSO authenticating users. The Microsoft remote connectivity analyzer reports everything is fine. I followed the guides that outlined setting up ADFS and all the pre-reqs. The step that I was unable to complete is the DirSync tool and to enable AD sync in the Office365 portal. This is due to the SSO being implemented and I was unable to log back in to complete this since the federation had been set up and now I can no longer log in to the portal with my credentials (due to not being able to authenticate). I have contacted Microsoft and their solution is to break the federation between the two. I feel as if we are close but there is something that is not happening.

From inside the network when logged in as a user, the SSO agent is installed and when it attempts to sign in, it says "Sorry, but we're having trouble signing you in" and then an error code of 8004789A. I installed a hotfix that related to ADFS and this particular error code but that did not help.

Any suggestions would be greatly appreciated.
Asked by: AceofTechs
Seth Simmons (Sr. Systems Administrator) commented:
At my last place we started having similar issues with ADFS.
We ended up getting rid of it and putting in Azure password sync, so no need for ADFS and no longer redirects to internal portal for login.

http://technet.microsoft.com/en-us/library/dn246918.aspx
0
AceofTechs (Author) commented:
I would look into it further, but it states that "It is important to note that this feature does not provide a Single Sign-On (SSO) solution because there is no token sharing / exchange in the Password Sync based process." This is the end goal that we are trying to achieve.
0
Vasil Michev (MVP) commented:
Do you have at least one non-federated Office 365 global admin account? Perhaps the default one you created when you signed up for the service? Should be user@domain.onmicrosoft.com. Another option is to use a GA account from a different, non-federated domain you might have verified with O365.

You need to use this account to enable dirsync and (preferably) disable SSO until all accounts have been synced. In order to be able to log in with a federated account, the said account needs to be created in the Office 365 AD as well (or Azure AD as they call it now) and linked to the on-prem one (via the ImmutableID attribute). If you have not used dirsync before, this means that there is no link between the on-prem account and the Office 365 one. You can have perfectly working AD FS, but you will still be unable to log in in such a case.

If you do not have any such account, tell this to Microsoft ASAP, they can provide you with a new GA account after ID check.

The error/hotfix you are referring to describes an issue with the default claim rule and federated subdomains, which is a secondary topic you should address after sorting the dirsync issue.
0
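
The link between on-prem and cloud accounts mentioned in the answer above can be checked by comparing each on-prem objectGUID with the cloud ImmutableID. This is an added PowerShell example, not part of the original thread; it assumes the DirSync default where ImmutableID is the Base64-encoded objectGUID, and the function names and sample accounts are hypothetical and constructed.

```powershell
# Added example. Assumes the DirSync default: ImmutableId = Base64(objectGUID bytes).
# Function names and all sample accounts below are constructed for illustration.
# In a live tenant the inputs would come from Get-ADUser (ObjectGUID) and
# Get-MsolUser -All (ImmutableId) instead of the inline sample data.

function ConvertTo-ImmutableId {
    param([Guid]$ObjectGuid)
    # ToByteArray() returns the 16 raw GUID bytes that get Base64-encoded
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-FederationLinkState {
    param([object[]]$OnPremUsers, [object[]]$CloudUsers)
    # Base64 is case-sensitive, so use an ordinal (case-sensitive) lookup table
    $byId = [System.Collections.Hashtable]::new([StringComparer]::Ordinal)
    foreach ($c in $CloudUsers) {
        if ($c.ImmutableId) { $byId[$c.ImmutableId] = $c }
    }
    foreach ($u in $OnPremUsers) {
        $expected = ConvertTo-ImmutableId -ObjectGuid $u.ObjectGuid
        $sameUpn  = @($CloudUsers | Where-Object { $_.UserPrincipalName -eq $u.UserPrincipalName })
        if ($byId.ContainsKey($expected)) { $state = 'Linked' }
        elseif ($sameUpn.Count -eq 0)     { $state = 'MissingInCloud' }
        elseif ($sameUpn[0].ImmutableId)  { $state = 'ImmutableIdMismatch' }
        else                              { $state = 'NoImmutableId' }
        [pscustomobject]@{
            UserPrincipalName   = $u.UserPrincipalName
            ExpectedImmutableId = $expected
            State               = $state
        }
    }
}

# Constructed sample data: one linked user, one cloud-only account, one never synced
$aliceGuid = [Guid]'3f2b8c1e-9d47-4a6b-8e21-5c0d7f9a1b34'
$onPrem = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ObjectGuid = $aliceGuid },
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   ObjectGuid = [Guid]'7a1d2e3f-0b4c-4d5e-9f60-1a2b3c4d5e6f' },
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; ObjectGuid = [Guid]'c0ffee00-1234-4abc-8def-0123456789ab' }
)
$cloud = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ImmutableId = (ConvertTo-ImmutableId $aliceGuid) },
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   ImmutableId = $null }
)

Get-FederationLinkState -OnPremUsers $onPrem -CloudUsers $cloud | Format-Table -AutoSize
```

Any account not reported as Linked has no cloud object carrying the ImmutableID expected for its on-prem objectGUID.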
AceofTechs (Author) commented:
Vasilcho,

According to Microsoft (this was when I was in touch with them earlier today) there is no global admin account. I thought the same thing and figured I could log in with that account but they say it is no longer there or at least not able to administer the portal. I am currently on hold with them now and have an open case trying to obtain the account information. I am also in the process of setting up the dirsync tool and once that is finished, simply enable the directory sync option from the portal (which I cannot do, but maybe Microsoft can?)

Thank you for your reply, I am working on getting the account info or setting up a new one to get this taken care of.
0
Vasil Michev (MVP) commented:
They will not make any change on your behalf.

They have a procedure to elevate a normal account to a GA one in cases like this one, and they are taking data loss scenarios very seriously. Well, the vendor you are getting the support from might have some other ideas about this, so make sure you don't give in to any BS. If they give you a hard time, use the magic words "data loss", "no one in the company can access email" or ask to be transferred to the GATE team.
0
AceofTechs (Author) commented:
That is good to know, I have seen so far that they will not be easy to deal with in that regard. I am taking note of the magic words and at the first sign of resistance I will let them know. Thanks again for your assistance, I will post back here with any updates I may have.
0