Using The Remote Connectivity Analyzer When you cannot use your Microsoft Office 365 federated credentials to authenticate Microsoft Outlook to Exchange Online

After being on the road for a couple of weeks, when I got home my Outlook wouldn’t authenticate via ADFS2, but I could log in via the Portal and Lync worked without any issues. I traced the issue to a certificate error using MOSDAL. However, it was only a certificate issue due to my router blocking port 443. So I have taken this opportunity to provide a few resources from MOSDAL and the Office 365 Support Team, in case you're having issues with authentication or general configuration.

If you review the KB article (http://support.microsoft.com/kb/2466333), it provides a few tests and possible solutions for the case where you cannot use your Microsoft Office 365 federated credentials to authenticate Microsoft Outlook or Microsoft Exchange ActiveSync by using a smartphone to Exchange Online services. However, since port 443 was blocked my phone didn’t sync either.
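A quick way to separate a blocked port 443 from a genuine certificate problem before suspecting AD FS, as an added example that is not part of the original post. The function name `probe_https` and the host `sts.contoso.com` are assumptions for illustration; substitute your own AD FS 2.0 service name.

```python
import socket
import ssl

def probe_https(host, port=443, timeout=5.0, context=None):
    """Classify reachability of a TLS endpoint.

    Returns one of:
      "no_tcp"     - no TCP connection (filtered, refused, or DNS failure)
      "cert_error" - TCP works, but certificate validation failed
      "tls_error"  - TCP works, but the handshake failed for another reason
      "ok"         - TCP connect and validated TLS handshake both succeeded
    """
    ctx = context or ssl.create_default_context()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Timeouts, refusals and name-resolution failures all land here;
        # a router or firewall dropping 443 shows up as this result.
        return "no_tcp"
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        # Reached the server, but its certificate chain or name is not trusted.
        return "cert_error"
    except (ssl.SSLError, OSError):
        # Connection reset, EOF or protocol failure during the handshake.
        return "tls_error"
    finally:
        sock.close()

ENDPOINTS = [
    "autodiscover-s.outlook.com",  # Autodiscover host used by the ExRCA test
    "sts.contoso.com",             # hypothetical AD FS 2.0 host (assumption)
]

if __name__ == "__main__":
    for host in ENDPOINTS:
        print(f"{host}:443 -> {probe_https(host)}")
```

A `no_tcp` result from the affected network combined with `ok` from another network points at local filtering of port 443 rather than at the federation certificates.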

Use Microsoft Exchange Remote Connectivity Analyzer to test whether the on-premises AD FS 2.0 service is causing Outlook logon problems for single sign-on (SSO)-enabled users. To do this, follow these steps:

  1. In Internet Explorer, browse to https://testexchangeconnectivity.com.
  2. On the Office 365 tab, under Microsoft Office Outlook Connectivity Tests, click Outlook Anywhere (RPC over HTTP), and then click Next.
  3. Type the email address and credentials, click to select the acknowledgement check box near the bottom of the page, type the verification code, and then click Perform Test. This test should be run two times. Run the test by using the following credentials:
    • An SSO-enabled user account that has a mailbox in Exchange Online
    • A standard user account that has a mailbox in Exchange Online

    Verify the results of both tests to determine whether AD FS 2.0 is causing the Outlook sign-in issue.

    a. Drill down to the following node of the Test Details tree:
       Testing RPC/HTTP connectivity
         – ExRCA is attempting to test Autodiscover for john@contoso.com
           – Attempting each method of contacting the Autodiscover service
             – Attempting to contact the Autodiscover service using the HTTP redirect method
               – Attempting to send an Autodiscover POST request to potential Autodiscover URLs
                 – ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user
    b. Check whether the following conditions are true:
       • The SSO-enabled user account cannot access Autodiscover and receives an "HTTP 401 authorized response" error message.
       • The standard user account can access Autodiscover.
       If both conditions are true, you have confirmed that SSO failures are causing Outlook authentication to fail.

You have a couple of choices when running the tool, and it's invaluable in resolving a number of issues. I chose to run the Office 365 SSO Test.

Microsoft Remote Connectivity Analyzer – https://testexchangeconnectivity.com.


Microsoft Remote Connectivity Analyzer Office 365


Microsoft Remote Connectivity Analyzer Office 365 SSO Sign-In


Microsoft Remote Connectivity Analyzer In Progress


Microsoft Remote Connectivity Analyzer Passed with a warning


Microsoft Remote Connectivity Analyzer MSOL Resolved


In addition, I have included a few references on ADFS2, DirSync and Office 365 in general below

Active Directory Federation Services 2.0 Related Resources

• How to use custom URLs to enable a transparent single sign-on experience for identity federation in an Office 365 environment
• You cannot assign a federated domain to a user in the Microsoft Online Portal
• "Your organization could not sign you in to this service" error message occurs when a user tries to sign in to Microsoft Online Portal as a federated user
• You cannot connect to Microsoft Online Services by using the Identity Federation Management tool
• A federated user is prompted for credentials or cannot sign in to Microsoft Online Services
• A federated user is prompted unexpectedly to enter their credentials when they access an Office 365 resource
• A Federated user is repeatedly prompted for credentials, and then the user cannot connect to Microsoft Office 365
• How to reestablish trust with the Microsoft Online Services ID service after the AD FS 2.0 server stops responding
• Troubleshooting AD FS 2.0 federation services published directly to the Internet using a firewall device instead of an ADFS Proxy server
• A sub-domain does not inherit the changes that are made to the top-level domain in Office 365
• A token-signing certificate has expired or was renewed for Office 365 Identity Federation
• You are prompted to enter your user name and password when you connect to Office 365 resources using a rich-client application
• Firewall prevents users from using Office 365 services from rich clients
• Internet Explorer cannot display the Office 365 portal webpage when a federated user tries to sign in
• You are repeatedly prompted for credentials when you try to log in to the AD FS 2.0 service endpoint in Office 365
• Active Directory Federation Services 2.0 hotfix information for Microsoft Lync and Office Professional Plus sign-in issues in the Office 365 environment
• You cannot open the Microsoft Online Services Module for Windows PowerShell
• Federated users cannot connect to an Exchange Online mailbox
• How to change the ADFS 2.0 service communications certificate after it expires
• Users cannot sign out of Office 365 web services
• Office 365 Identity Federation service implications of AD FS 2.0 implementation scenarios
• Domain name requirements to set up a federated domain for Office 365 identity or Exchange federation (rich coexistence)
• You receive a certificate warning when you try to access Microsoft Office 365 resources by using an identity-federated account
• How to troubleshoot identity federation user account issues in the Office 365 environment
• How to troubleshoot Identity Federation client devices in Office 365
• The "500" error code is returned when you send an HTTP SOAP request to the "/adfs/services/trust/mex" endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008
• An identity-provider-initiated sign-on process is slow in Windows Server 2008 R2 and in Windows Server 2008

DirSync Tool Related Resources

• Error message in the Microsoft Online Services Directory Synchronization tool in Microsoft Office 365: "Your version of the Microsoft Online Services Directory Synchronization Configuration Wizard is outdated"
• Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard in Office 365: "The user name must be provided in valid UPN format"
• Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard: "Your credentials could not be authenticated. Retype your credentials and try again"
• "LogonUser() Failed with error code: 1789" after you enter enterprise administrator credentials in the Directory Synchronization Configuration Wizard in Office 365
• Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard: "The Enterprise Administrator credentials that you supplied are not valid. Supply valid credentials and try again"
• Error 012 when you run the Directory Synchronization tool in an Office 365 environment
• Firewall prevents users from using Office 365 services from rich clients
• "The computer must be joined to a domain" error message occurs when you try to install Microsoft Online Services Directory Synchronization Tool
• Microsoft Online Services attributes for Exchange Rich-Coexistence are not written back to the on-premises Active Directory directory service when you use the Online Services Directory Synchronization tool
• List of attributes that are synchronized to Office 365 and attributes that are written back to the on-premises Active Directory Domain Services
• Process for using Microsoft Online Services Directory Synchronization Tool in Office 365

Related Knowledge Base Articles

• Outlook 2007 takes longer than expected to show free/busy for meeting participants
• Outlook 2007: Troubleshooting Outlook Crashes
• How to troubleshoot performance issues in Outlook 2007

Related TechNet & Office Online Articles

• Article: Autodiscover and Outlook Anywhere Issues
• Article: Troubleshooting Free/Busy Information for Outlook 2007
• Article: Understanding the Performance Impact of High Item Counts and Restricted Views
• Article: Troubleshooting Microsoft Outlook Start Up Issues
• Article: Scan and repair corrupted Outlook data files
• Forum: Microsoft Online Services Dedicated Solution Forum

Other Resources for Outlook 2007

• Help: Outlook 2007 Solution Center
• Help: Help for Outlook 2007
• Courses: Online courses for Outlook 2007
• Thread: Outlook 2007 Prompts for Credentials Continually (user is connected to Exchange)
• Article: What is the Enable logging (troubleshooting) option?

Other Resources for Outlook 2003

• Outlook 2003 Solution Center
• Help: Outlook 2003 Help and How-to – from Microsoft Office Online
• Courses: Outlook 2003 Courses

Happy Holidays,

-Ivan
