Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to reestablish trust with the Office 365 authentication platform after the AD FS 2.0 server stops responding


View products that this article applies to.

Symptoms

When a federated user tries to use Active Directory Federation Services (AD FS) 2.0 to authenticate access to a Microsoft Office 365 resource, the user may receive the following error message:
There was a problem accessing the site. Try to browse to the site again.

If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

Reference number: <GUID>

For Internet users, the error occurs after they are prompted for valid credentials.

When this error occurs, the web browser�s address bar points to the on-premises AD FS endpoint at the following address:�
https://sts.domain.com/adfs/ls/?cbcxt=&vv=&username=username%40domain.com&mkt=&lc=1033&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1299115248%26rver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252FDefault.aspx%26lc%3D1033%26id%3D271346%26bk%3D1299115248

↑ Back to the top


Cause

This issue may occur if the Trusting Party entry is missing or corrupted in the AD FS 2.0 Management console.

↑ Back to the top


Resolution

Important�This section contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:�
322756 How to back up and restore the registry in Windows


To verify that the Trusting Party entry is missing or corrupted in the AD FS 2.0 Management console, follow these steps:
  1. Sign in to the core AD FS server.
  2. Click Start, point to All Programs, click Administrative Tools, and then click AD FS 2.0 Management.
  3. In the management console, expand AD FS 2.0, expand Trust Relationships, and then expand Relying Party Trusts.
  4. Verify that the Microsoft Office365 Identity Platform entry is present and that it matches the following taxonomy:
    1. On the Monitoring tab, verify the following settings:
    2. On the Identifiers tab, verify the following settings:
      • Display Name: Microsoft Office 365 Identity Platform
      • Relying party identifiers:
        � https://login.microsoftonline-int.com/extSTS.srf
        urn:federation:MicrosoftOnlineINT
    3. On the Endpoints�tab, verify the following settings for the�WS-Federation Passive Endpoints:
      • URL: https://login.microsoftonline-int.com/login.srf
      • Index: 0
      • Binding: POST
      • Default: Yes
      • ResponseURL: <blank>
    4. On the Advanced tab, verify the following setting:
      Secure hash algorithm: SHA-1
Note All other tabs and fields are intentionally left blank.

If the entry is present, but the entry does not match the taxonomy that is listed, update the entry manually to resolve the issue. Or, delete the entry, and then continue with one of the following methods. If the entry is missing, continue with one of the following methods.
Method One: Re-add /update the Federated Domain Relying Party Trust
  1. Click Start, point to All Programs, click Microsoft Online Services, right-click Microsoft Online Services Module for Windows PowerShell, and then click Run As Administrator.
  2. At the command line, type the following commands, and press ENTER after each command:
    • connect-MSOLService
      Note
      �Log on by using Office 365-managed administrator account credentials in this command.
    • If you run these commands on a server that is not�in the AD FS 2.0 Federation Server farm, type�Set-MsolADFSContext -Computer:<AD FS Servername>
    • Update-MSOLFederatedDomain -DomainName<Identity_Federated_(AD FS)_Domain_Name>
Method Two: Remove hardcoded federation metadata endpoint
  1. Open�Registry Editor, and then locate the following registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\MOCHA\IdentityFederation
  2. If the string value FederationMetadataURL�exists, delete the string value. This will restore the normal functionality of�using the metadata endpoint from the Relying Party Trust entry in AD FS 2.0.

↑ Back to the top


References

For more information about how to troubleshoot the "There was a problem accessing the site." error message, click the following article number to view the article in the Microsoft Knowledge Base: �
2383983 Error message from AD FS 2.0 when a federated user signs in to Office 365: "There was a problem accessing the site.�

↑ Back to the top


Keywords: KB2521057, vkbportal230, vkbportal237, o365, bposs, vkbportal231

↑ Back to the top

Article Info
Article ID : 2521057
Revision : 17
Created on : 5/1/2012
Published on : 5/1/2012
Exists online : False
Views : 912