kirk_shaw asked:
Office 365 SSO Problems - URL points to internal and old server

We have an issue with Office 365 and SSO.

Background:
I have just taken over the IT at a company and one of my first tasks was to sort out the issue of failed Office 365 SSO sign-on, as the company wishes to migrate to Exchange Online eventually. ADFS 2.0 and SSO with Office 365 was previously attempted on another server (domain controller - Server 2008 R2). The synchronisation between Office 365 and AD worked, as DirSync was installed and configured. However, when login was attempted to Office 365, it would detect the SSO and try to direct you to the internal domain controller and prompt for a password. No matter what password was attempted, it was rejected.

After the failure, the previous person uninstalled everything on the domain controller to do with the Office 365 SSO (DirSync, ADFS, Azure AD Connect, Azure AD Module for PowerShell).

I have since installed ADFS 3 on a Windows Server 2012 R2 machine on the network. I obtained the correct SSL certificate and installed it into ADFS, converted successfully to federated and established the relying party trusts. However, when login is attempted on Office 365, it diverts to the server ADFS 2.0 was previously installed on, with the internal FQDN of the server.

Also, as a result of this previous failed attempt at SSO, the login used to access Azure keeps diverting to the internal FQDN of the previously installed server, so I cannot configure DirSync: when it asks for the Windows Azure Active Directory credentials it fails with a configuration error stating it cannot connect.

It's in a bit of a mess, and I'm wondering how this can be resolved so as to get to the point where internal users can log in to Office 365 successfully; the issue with being unable to log in to Azure will be resolved if the SSO issue can be resolved.
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)
This solution is only available to members of Experts Exchange.
kirk_shaw (ASKER):

This is what I've discovered by running the Get-MsolFederationProperty cmdlet. The section under "Source: Microsoft Office 365" is pointing to the old server that I have described...

Source                          : ADFS Server
ActiveClientSignInUrl           : https://sts.domain.com/adfs/services/tru
                                  st/2005/usernamemixed
FederationServiceDisplayName    : ADFS FOR OFFICE365
FederationServiceIdentifier     : http://sts.domain.com/adfs/services/trus
                                  t
FederationMetadataUrl           : https://sts.domain.com/adfs/services/tru
                                  st/mex
PassiveClientSignInUrl          : https://sts.domain.com/adfs/ls/
PassiveClientSignOutUrl         : https://sts.domain.com/adfs/ls/
TokenSigningCertificate         : [Subject]
                                    CN=ADFS Signing - sts.domain.com

                                  [Issuer]
                                    CN=ADFS Signing - sts.domain.com

                                  [Serial Number]
                                    *******************************

                                  [Not Before]
                                    18/09/2015 19:55:23

                                  [Not After]
                                    17/09/2016 19:55:23

                                  [Thumbprint]
                                    **********************************

NextTokenSigningCertificate     :
PreferredAuthenticationProtocol :

Source                          : Microsoft Office 365
ActiveClientSignInUrl           : https://dc01.domain.com/adfs/services/tru
                                  st/2005/usernamemixed
FederationServiceDisplayName    : Airvending Ltd
FederationServiceIdentifier     : http://dc01.domain.com/adfs/services/trus
                                  t
FederationMetadataUrl           : https://dc01.domain.com/adfs/services/tru
                                  st/mex
PassiveClientSignInUrl          : https://dc01.domain.com/adfs/ls/
PassiveClientSignOutUrl         : https://dc01.domain.com/adfs/ls/
TokenSigningCertificate         : [Subject]
                                    CN=ADFS Signing - dc01.domain.com

                                  [Issuer]
                                    CN=ADFS Signing - dc01.domain.com

                                  [Serial Number]
                                    *************************************

                                  [Not Before]
                                    30/08/2015 10:31:09

                                  [Not After]
                                    29/08/2016 10:31:09

                                  [Thumbprint]
                                    *****************************************

NextTokenSigningCertificate     :
PreferredAuthenticationProtocol : WsFed

So log in to the new AD FS server, open PowerShell, connect to WAAD and run the Update-MsolFederatedDomain cmdlet. Detailed instructions here: https://support.microsoft.com/en-us/kb/2647048
This assisted in helping me find the solution myself. It pointed me in the right direction to resolve it.
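The check and fix described in the reply above, written out as an added PowerShell example (not code from the thread or from Microsoft): it compares the "ADFS Server" and "Microsoft Office 365" sections that Get-MsolFederationProperty returns, and only runs Update-MsolFederatedDomain when they disagree. It assumes it is run on the new AD FS server with the MSOnline module installed, and "domain.com" is a placeholder for the federated domain.

```powershell
# Added example: detect stale federation settings in the tenant (URLs or
# token-signing certificate still pointing at the old AD FS server) and
# push the current AD FS values to Office 365 only when they differ.
Import-Module MSOnline

function Compare-FederationProperty {
    param([Parameter(Mandatory)][string]$DomainName)

    # Get-MsolFederationProperty returns one object per Source (AD FS side
    # and tenant side); both must agree for sign-in to land on the right STS.
    $props = Get-MsolFederationProperty -DomainName $DomainName
    $adfs  = $props | Where-Object { $_.Source -eq 'ADFS Server' }
    $cloud = $props | Where-Object { $_.Source -eq 'Microsoft Office 365' }

    $fields = 'FederationServiceIdentifier', 'ActiveClientSignInUrl',
              'PassiveClientSignInUrl', 'PassiveClientSignOutUrl',
              'FederationMetadataUrl'
    $diff = New-Object System.Collections.Generic.List[object]
    foreach ($f in $fields) {
        if ($adfs.$f -ne $cloud.$f) {
            $diff.Add([pscustomobject]@{ Property = $f; ADFS = $adfs.$f; Office365 = $cloud.$f })
        }
    }
    # The tenant validates tokens against this thumbprint; an old server's
    # certificate here means every sign-in from the new farm is rejected.
    $adfsThumb  = $adfs.TokenSigningCertificate.Thumbprint
    $cloudThumb = $cloud.TokenSigningCertificate.Thumbprint
    if ($adfsThumb -ne $cloudThumb) {
        $diff.Add([pscustomobject]@{ Property = 'TokenSigningCertificate.Thumbprint'
                                     ADFS = $adfsThumb; Office365 = $cloudThumb })
    }
    return $diff
}

Connect-MsolService                       # prompts for tenant admin credentials
$domain = 'domain.com'                    # placeholder: your federated domain

$mismatch = Compare-FederationProperty -DomainName $domain
if ($mismatch.Count -gt 0) {
    Write-Host "Tenant federation settings for $domain are out of date:"
    $mismatch | Format-Table -AutoSize
    # Re-sync the tenant with the AD FS farm this script is running on.
    Update-MsolFederatedDomain -DomainName $domain
    # Verify: a second comparison should now report no differences.
    $after = Compare-FederationProperty -DomainName $domain
    Write-Host "Remaining mismatches after update: $($after.Count)"
} else {
    Write-Host "Federation settings for $domain are already consistent."
}
```

Run it once before the fix to record which fields pointed at the old server, and the verification at the end should show zero mismatches before you ask users to sign in again.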