Office 365 SSO Problems - URL points to internal and old server

We have an issue with Office 365 and SSO.

Background:
I have just taken over the IT at a company and one of my first tasks was to sort out the issue of failed Office 365 SSO sign-on, as the company wishes to migrate to Exchange Online eventually. ADFS 2.0 and SSO with Office 365 was previously attempted on another server (domain controller - Server 2008 R2). The synchronisation between Office 365 and AD worked, as DirSync was installed and configured. However, when login was attempted to Office 365, it would detect the SSO and try to direct you to the internal domain controller and prompt for a password. No matter what password was attempted, it was rejected.

After the failure, the previous person uninstalled everything on the domain controller to do with the Office 365 SSO (DirSync, ADFS, Azure AD Connect, Azure AD Module for PowerShell).

I have since installed ADFS 3 on a Windows Server 2012 R2 machine on the network. I obtained the correct SSL certificate and installed it into ADFS, converted successfully to federated and established the relying party trusts. However, when login is attempted on Office 365, it diverts to the server ADFS 2.0 was previously installed on, with the internal FQDN of that server.

Also, as a result of this previously failed attempt at SSO, the login used to access Azure keeps diverting to the internal FQDN of the previously installed server, so I cannot configure DirSync: when it asks for the Windows Azure Active Directory credentials, it fails with a configuration error stating it cannot connect.

It's in a bit of a mess, and I'm wondering how this can be resolved so as to get to the point where internal users can log in to Office 365 successfully, as the issue with being unable to log in to Azure will be resolved if the SSO issue can be resolved.
kirk_shaw asked:

Vasil Michev (MVP) commented:
So does this redirect happen for every attempt to 'talk to' the AD FS servers or only when using a specific RPT (such as the O365 one)? For example, what happens if you try to browse to the AD FS server externally (the https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx page, for example)?

Start with checking the DNS records and related stuff (hosts file entries, LB redirects, WAP/proxy settings, etc.) that might be redirecting to the old servers. Run the Get-MsolFederationProperty cmdlet on the server to get the relevant information on how AD FS is currently set, to make sure there is no mismatch in the settings. Running the SSO test from ExRCA (http://aka.ms/rca) should also give you some troubleshooting info to work with.

This blog post is the ultimate guide on troubleshooting AD FS related issues: http://blogs.technet.com/b/askpfeplat/archive/2015/06/15/adfs-deep-dive-troubleshooting.aspx
Another very useful tool is the AD FS diagnostics module: https://gallery.technet.microsoft.com/scriptcenter/AD-FS-Diagnostics-Module-8269de31

kirk_shaw (Author) commented:
This is what I've discovered by running the Get-MsolFederationProperty. The section under Source: Office 365 is pointing to the old server that I have described...

Source                          : ADFS Server
ActiveClientSignInUrl           : https://sts.domain.com/adfs/services/trust/2005/usernamemixed
FederationServiceDisplayName    : ADFS FOR OFFICE365
FederationServiceIdentifier     : http://sts.domain.com/adfs/services/trust
FederationMetadataUrl           : https://sts.domain.com/adfs/services/trust/mex
PassiveClientSignInUrl          : https://sts.domain.com/adfs/ls/
PassiveClientSignOutUrl         : https://sts.domain.com/adfs/ls/
TokenSigningCertificate         : [Subject]
                                    CN=ADFS Signing - sts.domain.com

                                  [Issuer]
                                    CN=ADFS Signing - sts.domain.com

                                  [Serial Number]
                                    *******************************

                                  [Not Before]
                                    18/09/2015 19:55:23

                                  [Not After]
                                    17/09/2016 19:55:23

                                  [Thumbprint]
                                    **********************************

NextTokenSigningCertificate     :
PreferredAuthenticationProtocol :

Source                          : Microsoft Office 365
ActiveClientSignInUrl           : https://dc01.domain.com/adfs/services/trust/2005/usernamemixed
FederationServiceDisplayName    : Airvending Ltd
FederationServiceIdentifier     : http://dc01.domain.com/adfs/services/trust
FederationMetadataUrl           : https://dc01.domain.com/adfs/services/trust/mex
PassiveClientSignInUrl          : https://dc01.domain.com/adfs/ls/
PassiveClientSignOutUrl         : https://dc01.domain.com/adfs/ls/
TokenSigningCertificate         : [Subject]
                                    CN=ADFS Signing - dc01.domain.com

                                  [Issuer]
                                    CN=ADFS Signing - dc01.domain.com

                                  [Serial Number]
                                    *************************************

                                  [Not Before]
                                    30/08/2015 10:31:09

                                  [Not After]
                                    29/08/2016 10:31:09

                                  [Thumbprint]
                                    *****************************************

NextTokenSigningCertificate     :
PreferredAuthenticationProtocol : WsFed
Vasil Michev (MVP) commented:
So log in to the new AD FS server, open PowerShell, connect to WAAD and run the Update-MsolFederatedDomain cmdlet. Detailed instructions here: https://support.microsoft.com/en-us/kb/2647048
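The two suggestions above (check local name resolution, compare the AD FS and Office 365 sides of Get-MsolFederationProperty, then repair with Update-MsolFederatedDomain) combined into one PowerShell script. This is an added example, not code from the thread or from Microsoft's KB article; it assumes the MSOnline module is installed, that domain.com and sts.domain.com are placeholders as in the thread, and that adfs01.domain.com is a hypothetical hostname for the new AD FS 3.0 server.

```powershell
# Added example, not from the original thread. Assumes the MSOnline module and
# placeholder names: domain.com (federated domain), sts.domain.com (federation
# service name) and adfs01.domain.com (hypothetical new AD FS 3.0 server).
Import-Module MSOnline

$Domain     = 'domain.com'
$AdfsServer = 'adfs01.domain.com'   # hypothetical; use the real AD FS 3.0 host
$ProbeHost  = 'sts.domain.com'      # should resolve to the new farm, not dc01

# 1. Is anything local steering the federation service name to the old server?
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$hostsHits = Select-String -Path $hostsFile -Pattern $ProbeHost -SimpleMatch
if ($hostsHits) { Write-Warning "hosts file overrides $ProbeHost : $($hostsHits.Line)" }
Resolve-DnsName -Name $ProbeHost -Type A | Select-Object Name, IPAddress

# 2. Compare what AD FS advertises with what Office 365 has stored for the domain.
Connect-MsolService
Set-MsolADFSContext -Computer $AdfsServer
$props = Get-MsolFederationProperty -DomainName $Domain
$adfs  = $props | Where-Object { $_.Source -eq 'ADFS Server' }
$o365  = $props | Where-Object { $_.Source -eq 'Microsoft Office 365' }

$fields = 'FederationServiceIdentifier', 'ActiveClientSignInUrl',
          'PassiveClientSignInUrl', 'PassiveClientSignOutUrl', 'FederationMetadataUrl'
$mismatch = $false
foreach ($f in $fields) {
    if ($adfs.$f -ne $o365.$f) {
        $mismatch = $true
        Write-Warning ("{0}`n  AD FS : {1}`n  O365  : {2}" -f $f, $adfs.$f, $o365.$f)
    }
}
# The token-signing certificate must match too, or tokens from the new farm are rejected.
$adfsThumb = $adfs.TokenSigningCertificate.GetCertHashString()
$o365Thumb = $o365.TokenSigningCertificate.GetCertHashString()
if ($adfsThumb -ne $o365Thumb) {
    $mismatch = $true
    Write-Warning "Token-signing certificate differs: AD FS $adfsThumb vs O365 $o365Thumb"
}

# 3. Only push the AD FS settings to Office 365 when a mismatch was actually found.
if ($mismatch) {
    Update-MsolFederatedDomain -DomainName $Domain
    Get-MsolFederationProperty -DomainName $Domain |
        Select-Object Source, FederationServiceIdentifier, PassiveClientSignInUrl
} else {
    Write-Host "Office 365 already matches AD FS for $Domain; nothing to update."
}
```

For the output pasted in the thread, step 2 would flag every URL field plus the certificate, since the Office 365 side still carries dc01.domain.com and its own self-signed signing certificate.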
kirk_shaw (Author) commented:
This assisted in helping me find the solution myself. It pointed me in the right direction to resolve it.