Using The Remote Connectivity Analyzer When you cannot use your Microsoft Office 365 federated credentials to authenticate Microsoft Outlook to Exchange Online
After being on the road for a couple of weeks, when I got home my Outlook wouldn’t authenticate via ADFS2, but I could log in via the Portal and Lync worked without any issues. I traced the issue to a certificate error using MOSDAL. However, it was only a certificate issue due to my router blocking port 443. So I have taken this opportunity to provide a few resources from MOSDAL and the Office 365 Support Team, in case you’re having authentication or general configuration issues.
If you review the KB article (http://support.microsoft.com/kb/2466333), it provides a few tests and possible solutions for this symptom: you cannot use your Microsoft Office 365 federated credentials to authenticate Microsoft Outlook or Microsoft Exchange ActiveSync by using a smartphone to Exchange Online services. However, since port 443 was blocked, my phone didn’t sync either.
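The failure described above, a certificate error that was really a blocked port 443, can be separated from a genuine certificate or AD FS problem by testing DNS, TCP and TLS one layer at a time from the affected client. The Python below is an added example, not part of the original post or of MOSDAL; `sts.contoso.com` is a placeholder for your own AD FS host name.

```python
import socket
import ssl

# Autodiscover host from the URL in this post. Add your own AD FS host name
# (sts.contoso.com below is a placeholder, not a value from the post).
HOSTS = ["autodiscover-s.outlook.com", "sts.contoso.com"]

ADVICE = {
    "dns": "name does not resolve from this network",
    "tcp": "port blocked or host unreachable: check router/firewall first",
    "tls-cert": "port is open but the certificate failed validation",
    "tls": "port is open but the TLS handshake was cut off",
    "ok": "TCP and TLS are fine: move on to the AD FS / Autodiscover tests",
}


def check_https(host, port=443, timeout=5.0, context=None):
    """Return (stage, detail), where stage names the first layer that failed."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:          # DNS lookup failed
        return "dns", str(exc)
    except OSError as exc:                  # refused, timed out, unreachable
        return "tcp", str(exc)
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "tls-cert", exc.verify_message
    except (ssl.SSLError, OSError) as exc:  # EOF, reset or timeout in handshake
        return "tls", str(exc)
    finally:
        raw.close()


def diagnose(hosts=HOSTS, port=443, timeout=5.0):
    """Check every host and pair each result with a plain-language reading."""
    return {h: (s, ADVICE[s], d)
            for h in hosts
            for s, d in [check_https(h, port, timeout)]}


if __name__ == "__main__":
    for host, (stage, advice, detail) in diagnose().items():
        print(f"{host}:443 -> {stage}: {advice} ({detail})")
```

Run it on the machine where Outlook fails: the Remote Connectivity Analyzer runs its tests from Microsoft's servers, so it will not see a block on your own router.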
Use Microsoft Exchange Remote Connectivity Analyzer to test whether the on-premises AD FS 2.0 service is causing Outlook logon problems for single sign-on (SSO)-enabled users. To do this, follow these steps:
- In Internet Explorer, browse to https://testexchangeconnectivity.com.
- On the Office 365 tab, under Microsoft Office Outlook Connectivity Tests, click Outlook Anywhere (RPC over HTTP), and then click Next.
- Type the email address and credentials, click to select the acknowledgement check box near the bottom of the page, type the verification code, and then click Perform Test. This test should be run two times. Run the test by using the following credentials:
  - An SSO-enabled user account that has a mailbox in Exchange Online
  - A standard user account that has a mailbox in Exchange Online
Verify the results of both tests to determine whether AD FS 2.0 is causing the Outlook sign-in issue.
- a. Drill down to the following node of the Test Details tree:
  - Testing RPC/HTTP connectivity
    - ExRCA is attempting to test Autodiscover for john@contoso.com
      - Attempting each method of contacting the Autodiscover service
        - Attempting to contact the Autodiscover service using the HTTP redirect method
          - Attempting to send an Autodiscover POST request to potential Autodiscover URLs
            - ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user
- b. Check whether the following conditions are true:
  - The SSO-enabled user account cannot access Autodiscover and receives an "HTTP 401 unauthorized response" error message.
  - The standard user account can access Autodiscover.

If both conditions are true, you have confirmed that SSO failures are causing Outlook authentication to fail.
You have a couple of choices when running the tool, and it’s invaluable in resolving a number of issues. I chose to run the Office 365 SSO Test.
Microsoft Remote Connectivity Analyzer – https://testexchangeconnectivity.com.
[Screenshots: Microsoft Remote Connectivity Analyzer: Office 365 tab; Office 365 SSO Sign-In; In Progress; Passed with a warning; MSOL Resolved]
In addition, I have included a few references on ADFS2, DirSync and Office 365 in general below.

Active Directory Federation Services 2.0 Related Resources
- How to use custom URLs to enable a transparent single sign-on experience for identity federation in an Office 365 environment
- You cannot assign a federated domain to a user in the Microsoft Online Portal
- "Your organization could not sign you in to this service" error message occurs when a user tries to sign in to Microsoft Online Portal as a federated user
- You cannot connect to Microsoft Online Services by using the Identity Federation Management tool
- A federated user is prompted for credentials or cannot sign in to Microsoft Online Services
- A federated user is prompted unexpectedly to enter their credentials when they access an Office 365 resource
- A Federated user is repeatedly prompted for credentials, and then the user cannot connect to Microsoft Office 365
- How to reestablish trust with the Microsoft Online Services ID service after the AD FS 2.0 server stops responding
- Troubleshooting AD FS 2.0 federation services published directly to the Internet using a firewall device instead of an ADFS Proxy server
- A sub-domain does not inherit the changes that are made to the top-level domain in Office 365
- A token-signing certificate has expired or was renewed for Office 365 Identity Federation
- You are prompted to enter your user name and password when you connect to Office 365 resources using a rich-client application
- Firewall prevents users from using Office 365 services from rich clients
- Internet Explorer cannot display the Office 365 portal webpage when a federated user tries to sign in
- You are repeatedly prompted for credentials when you try to log in to the AD FS 2.0 service endpoint in Office 365
- Active Directory Federation Services 2.0 hotfix information for Microsoft Lync and Office Professional Plus sign-in issues in the Office 365 environment
- You cannot open the Microsoft Online Services Module for Windows PowerShell
- Federated users cannot connect to an Exchange Online mailbox
- How to change the ADFS 2.0 service communications certificate after it expires
- Users cannot sign out of Office 365 web services
- Office 365 Identity Federation service implications of AD FS 2.0 implementation scenarios
- Domain name requirements to set up a federated domain for Office 365 identity or Exchange federation (rich coexistence)
- You receive a certificate warning when you try to access Microsoft Office 365 resources by using an identity-federated account
- How to troubleshoot identity federation user account issues in the Office 365 environment
- How to troubleshoot Identity Federation client devices in Office 365
- The "500" error code is returned when you send an HTTP SOAP request to the "/adfs/services/trust/mex" endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008
- An identity-provider-initiated sign-on process is slow in Windows Server 2008 R2 and in Windows Server 2008

DirSync Tool Related Resources
- Error message in the Microsoft Online Services Directory Synchronization tool in Microsoft Office 365: "Your version of the Microsoft Online Services Directory Synchronization Configuration Wizard is outdated"
- Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard in Office 365: "The user name must be provided in valid UPN format"
- Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard: "Your credentials could not be authenticated. Retype your credentials and try again"
- "LogonUser() Failed with error code: 1789" after you enter enterprise administrator credentials in the Directory Synchronization Configuration Wizard in Office 365
- Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard: "The Enterprise Administrator credentials that you supplied are not valid. Supply valid credentials and try again"
- Error 012 when you run the Directory Synchronization tool in an Office 365 environment
- Firewall prevents users from using Office 365 services from rich clients
- "The computer must be joined to a domain" error message occurs when you try to install Microsoft Online Services Directory Synchronization Tool
- Microsoft Online Services attributes for Exchange Rich-Coexistence are not written back to the on-premises Active Directory directory service when you use the Online Services Directory Synchronization tool
- List of attributes that are synchronized to Office 365 and attributes that are written back to the on-premises Active Directory Domain Services
- Process for using Microsoft Online Services Directory Synchronization Tool in Office 365

Related Knowledge Base Articles
- Outlook 2007 takes longer than expected to show free/busy for meeting participants
- Outlook 2007: Troubleshooting Outlook Crashes
- How to troubleshoot performance issues in Outlook 2007

Related TechNet & Office Online Articles
- Autodiscover and Outlook Anywhere Issues
- Troubleshooting Free/Busy Information for Outlook 2007
- Understanding the Performance Impact of High Item Counts and Restricted Views
- Troubleshooting Microsoft Outlook Start Up Issues
- Scan and repair corrupted Outlook data files
- Microsoft Online Services Dedicated Solution Forum

Other Resources for Outlook 2007
- Outlook 2007 Solution Center
- Help for Outlook 2007
- Online courses for Outlook 2007
- Outlook 2007 Prompts for Credentials Continually (user is connected to Exchange)
- What is the Enable logging (troubleshooting) option?

Other Resources for Outlook 2003
- Outlook 2003 Solution Center
- Outlook 2003 Help and How-to – from Microsoft Office Online
- Outlook 2003 Courses

Happy Holidays,
-Ivan