The data flow of any Office 365 SSO communication is predictable. To determine which issues may have occurred during the SSO process, you can use a capture to compare the expected data flow pattern with the data flow that occurs during a failed SSO attempt. The AD FS 2.0 Authentication diagnostic feature of the MOSDAL Support Toolkit lets you capture and compare this kind of data. You can use this info to diagnose SSO and identity federation issues.
How to install the MOSDAL Support Toolkit
To download and install the MOSDAL Support Toolkit, go to the following Microsoft website:
How to collect AD FS 2.0 authentication diagnostic info
To use the MOSDAL Support Toolkit to collect AD FS 2.0 diagnostic info, follow these steps:
- Start the MOSDAL Support Toolkit. To do this, click the MOSDAL Support Toolkit desktop shortcut. Or, click Start, point to All Programs, click Mosdal Support Toolkit, and then click MOSDAL Support Toolkit.
- Run the MOSDAL Support Toolkit, select the Single sign-on with Active Directory Federation Services check box from the list of Office 365 services, and then click Next.
- When you're prompted to enter your credentials, enter your user ID or sign-in address, and then click Next. Your password isn't saved and is only used to simulate an authentication attempt and log the results.
- Reproduce the issue, and then click Next.
- When the diagnostics are completed, click Exit and Show Files.
- When the report is finished, locate the MOSDALREPORT.zip file in the Documents library. In the MOSDALReport.zip file, open the DataCollectionADFS folder, and then open the AdfsDiagnostics.txt file.
How to read the AD FS 2.0 Authentication Diagnostics report
The AD FS 2.0 Authentication Diagnostics report consists of the following four sections. We recommend that you read the report from the top down. That is, start reading the report at the first section and then continue to the next section. If the causes that are listed in one section don't offer enough info to diagnose the issue, investigate the relevant area of the next section to view more detailed info.
- Table of Contents
  This section contains an at-a-glance analysis of the test results. It lists the following:
  - High-level tests that were run and their general results (Pass or Fail)
  - For each test that failed, the problems that could cause the failure
  - Whether the client accesses AD FS 2.0 from inside or from outside the corporate network
  - The attachment names that were collected
- Console Output
  This section contains a more thorough breakdown of the tests that were run. If the data in the Table of Contents section doesn't provide enough detail, view the Console Output section for more granular info about the following:
  - A breakdown of the individual steps that were performed in each test that is listed in the Table of Contents section
  - Specific results of each test step (Pass or Fail)
  - For each step that failed, the problems that could cause the failure
- Test Traces
  This section contains trace-level detail of the tests that were run. If the data in the Console Output doesn't provide enough detail, examine the Test Traces section for more-detailed info.
- Attachments
  This section contains valuable environment state and settings data to help you analyze and determine possible causes of various failure states. Common data that is collected includes the following:
  - User-environment data that is collected from the client
  - Credentials that were used for the test
  - Organization namespace registration data that is collected from the Office 365 Metadata Exchange (MEX) document (pulled from the AD FS 2.0 service endpoint)
  - AD FS 2.0 HTTP responses
  - AD FS 2.0 Security Token responses (including Security Assertions Markup Language [SAML] claim info)
  - Windows Azure Active Directory (Windows Azure AD) security token responses
How to follow up on cause suggestions
The following tables list the most common causes that are suggested in the output of the AD FS 2.0 Authentication Diagnostics report for tests and steps that failed.
Note These are only suggestions. You should investigate and verify the cause of the issue before you determine an action plan to resolve the issue.
Test-002: Verify the Microsoft Office 365 authentication system organization namespace registration

| Log data: Common cause of failure sources | Cause / Description | Article reference |
|---|---|---|
| The Office 365 authentication system logon URL couldn't be accessed. | Windows Azure AD authentication system is inaccessible. | 2707380 |
| Microsoftonline.com couldn't be accessed. | Windows Azure AD authentication isn't resolved in DNS. | 2707331 |
| There is no Username/Password authentication endpoint that is registered by using the Office 365 authentication system. | Windows Azure AD authentication system doesn't reflect AD FS 2.0 registration of the username or password endpoint. | 2707359 |
| There is no valid Metadata Exchange (MEX) URL that is registered by using the Office 365 authentication system. | Windows Azure AD authentication system doesn't reflect AD FS 2.0 registration of the MEX endpoint. | 2707365 |
| There is no web application logon URL that is registered by using the Office 365 authentication system. | Windows Azure AD authentication system doesn't reflect AD FS 2.0 registration of the /adfs/ls endpoint. | 2707358 |
| Domain {value} isn't a federated domain. | The named domain isn't registered as federated with the Windows Azure AD authentication system. | 2707357 |
| The user {value} wasn't recognized by the Office 365 authentication system. | The named UserID isn't a valid identity in the Windows Azure AD authentication system. | 2707367 |
| The AD FS Token-Signing certificate isn't valid. | The AD FS 2.0 registration with the Windows Azure AD authentication system shows the AD FS 2.0 token-signing certificate as invalid. | 2707368 |
| Organization namespace registration info couldn't be obtained from the Office 365 authentication system. | The named domain isn't registered with the Windows Azure AD authentication system. | 2707333 |
Test-003: Verify that the Metadata Exchange (MEX) document can be retrieved from the Federation Server

| Log data: Common cause of failure sources | Cause / Description | Article reference |
|---|---|---|
| There are no services in the AD FS MEX document. | AD FS 2.0 MEX data isn't advertising any services. | 2707344 |
| The AD FS MEX document didn't contain the SecurityTokenService section. | AD FS 2.0 MEX data is corrupted. | 2707345 |
| There is no security token service description in the AD FS MEX document. | AD FS 2.0 MEX data is corrupted. | 2707346 |
| The Windows Integrated Authentication endpoint is missing from the MEX document that is published by the federation server. | AD FS 2.0 Integrated Windows Authentication endpoint is deactivated. | 2707356 |
| No WS-Trust Windows endpoint is published in the MEX document. | AD FS 2.0 WS-Trust endpoint is deactivated. | 2707339 |
| The Username/Password authentication endpoint is missing from the MEX document that is published by the federation server proxy. | AD FS 2.0 Username endpoint or AD FS 2.0 Password endpoint is deactivated. | 2707355 |
| There are no endpoints in the AD FS MEX document. | AD FS 2.0 MEX data isn't advertising any service endpoints. | 2707344 |
| The WS-Trust endpoint for Windows Integrated Authentication in the AD FS MEX document doesn't match the endpoint that is registered by using the Office 365 authentication system. | AD FS 2.0 IWA service endpoint was changed, but its registration with the Windows Azure AD authentication system wasn't updated. | 2707379 |
Test-004: Verify that Federation Metadata can be retrieved from the Federation Server

| Log data: Common cause of failure sources | Cause / Description | Article reference |
|---|---|---|
| The federation metadata document couldn't be retrieved from AD FS. | AD FS 2.0 federation metadata endpoint is unavailable or couldn't be contacted. | 2707335 |
| The Metadata Exchange (MEX) document received from AD FS contains an unknown WS-Trust version. | WS-Trust version is incorrect for Microsoft Online single sign-on (SSO). | 2707348 |
Test-005: Verify web application logon to AD FS by using Windows Integrated Authentication (IWA for passive)
Test-006: Verify web application logon to AD FS by using Username/Password Authentication (FBA for passive)
Test-007: Verify rich client application logon by using Username/Password Authentication (Basic for Rich)
Test-008: Verify rich client application logon by using Windows Integrated Authentication (IWA for Rich)

| Log data: Common cause of failure sources | Cause / Description | Article reference |
|---|---|---|
| There was an exception error during a logon attempt. | A failure is encountered during AD FS 2.0 authentication. | 2707338 |
| No token was received from AD FS. | After authentication, AD FS 2.0 didn't issue a SAML token. | 2707340 |
| The AD FS token received isn't valid until {0}. | A SAML token that appears post-dated when it's compared to the local computer clock is received from AD FS 2.0. | 2707376 |
| The AD FS token has expired according to this computer's clock. | A SAML token that appears expired when it's compared to the local computer clock is received from AD FS 2.0. | 2707377 |
| The AD FS token validity period is too short. | The AD FS 2.0 token validity period is set to less than five minutes. | 2707378 |
| During an attempt to verify web application logon to AD FS, the tool unexpectedly received a Username/Password logon page from the federation server. | A forms-based authentication (FBA) page was encountered when connecting to the AD FS 2.0 Federation Service, although an IWA experience was expected. | 2707342 |
Test-009: Verify rich client application logon to Office 365 by using a token that is issued by AD FS
Test-010: Verify web application logon to Office 365 by using a token that is issued by AD FS

| Log data: Common cause of failure sources | Cause / Description | Article reference |
|---|---|---|
| No token was received from the Office 365 authentication system. | The Windows Azure AD authentication system couldn't process the AD FS 2.0 SAML token and couldn't issue a cloud-based identity response. | 2707341 |
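The following added example is not code from the MOSDAL Support Toolkit or from the report it produces; it re-creates offline two of the checks behind the rows above so you can see what the report is comparing. The first part covers the Test-003 MEX rows (SecurityTokenService section present, endpoints advertised, Username/Password and WS-Trust Windows endpoints published); the second covers the clock-related rows of Test-005 through Test-008 (token not yet valid, expired, or with a validity period under five minutes). The XML namespaces are the standard WSDL, WS-Addressing and SAML 1.1 URIs; the sample MEX document and assertion are constructed, heavily trimmed stand-ins for what AD FS 2.0 publishes, and the host name sts.example.test is a placeholder.

```python
# Added example, not part of the MOSDAL toolkit: offline versions of the Test-003 MEX
# checks and the Test-005..008 clock checks, run on constructed sample documents.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsa10": "http://www.w3.org/2005/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed, trimmed MEX document; a real one also carries bindings and policy.
SAMPLE_MEX = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing">
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="UserNameWSTrustBinding_IWSTrust13Async">
      <wsa10:EndpointReference>
        <wsa10:Address>https://sts.example.test/adfs/services/trust/13/usernamemixed</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
    <wsdl:port name="WindowsTransportWSTrustBinding_IWSTrust13Async">
      <wsa10:EndpointReference>
        <wsa10:Address>https://sts.example.test/adfs/services/trust/13/windowstransport</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def mex_endpoints(mex_xml):
    """Endpoint addresses under the SecurityTokenService section, or None if absent."""
    root = ET.fromstring(mex_xml)
    sts = [s for s in root.findall("wsdl:service", NS) if s.get("name") == "SecurityTokenService"]
    if not sts:
        return None
    addrs = []
    for port in sts[0].findall("wsdl:port", NS):
        addr = port.find("wsa10:EndpointReference/wsa10:Address", NS)
        if addr is not None and addr.text:
            addrs.append(addr.text.strip())
    return addrs


def check_mex(mex_xml):
    """Findings phrased like the Test-003 rows; an empty list means the checks pass."""
    addrs = mex_endpoints(mex_xml)
    if addrs is None:
        return ["The AD FS MEX document didn't contain the SecurityTokenService section."]
    if not addrs:
        return ["There are no endpoints in the AD FS MEX document."]
    findings = []
    last_segments = [a.lower().rsplit("/", 1)[-1] for a in addrs]
    if "usernamemixed" not in last_segments:
        findings.append("The Username/Password authentication endpoint is missing from the MEX document.")
    if "windowstransport" not in last_segments:
        findings.append("No WS-Trust Windows endpoint is published in the MEX document.")
    return findings


def make_assertion(not_before, not_on_or_after):
    """Constructed minimal SAML 1.1 assertion carrying only its Conditions element."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:Conditions NotBefore="{not_before.strftime(fmt)}" '
            f'NotOnOrAfter="{not_on_or_after.strftime(fmt)}"/></saml:Assertion>')


def check_token_validity(assertion_xml, now, min_validity=timedelta(minutes=5)):
    """Compare the token's validity window with the local clock (Test-005..008 rows)."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return ["No Conditions element in the AD FS token."]

    def parse(stamp):
        return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    not_before = parse(cond.get("NotBefore"))
    not_on_or_after = parse(cond.get("NotOnOrAfter"))
    findings = []
    if now < not_before:
        findings.append(f"The AD FS token received isn't valid until {not_before.isoformat()}.")
    if now >= not_on_or_after:
        findings.append("The AD FS token has expired according to this computer's clock.")
    if not_on_or_after - not_before < min_validity:
        findings.append("The AD FS token validity period is too short.")
    return findings


def token_scenarios():
    """Run the clock checks over four constructed situations; returns {name: findings}."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    hour_token = make_assertion(t0, t0 + timedelta(hours=1))
    short_token = make_assertion(t0, t0 + timedelta(minutes=3))
    return {
        "in_window": check_token_validity(hour_token, t0 + timedelta(minutes=30)),
        "clock_behind": check_token_validity(hour_token, t0 - timedelta(hours=1)),
        "clock_ahead": check_token_validity(hour_token, t0 + timedelta(hours=2)),
        "short_lifetime": check_token_validity(short_token, t0 + timedelta(minutes=1)),
    }


if __name__ == "__main__":
    print("MEX findings:", check_mex(SAMPLE_MEX))
    for name, findings in token_scenarios().items():
        print(f"{name}: {findings}")
```

Only the trailing path segment of each advertised address is compared, because the report's checks are about which endpoint kinds are published, not about the host name; the clock checks treat both NotBefore and NotOnOrAfter as UTC, which is how AD FS 2.0 stamps them, so a client whose clock is off by more than the token lifetime shows up as either "isn't valid until" or "has expired".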
What it means when MOSDAL indicates no errors but SSO problems persist
Certain aspects of Office 365 client computer preparedness are emulated by the diagnostic routine. Because the test emulates them, the report won't show a failure when one of these aspects is the cause of an SSO issue. Therefore, if the AD FS 2.0 diagnostic succeeds completely but the SSO issue remains, the problem is probably related to one of the following:
- The AD FS 2.0 Federation Service name may not be added to the Local intranet security zone in Internet Explorer.
- If a proxy server is deployed, the AD FS 2.0 Federation Service name may not be added to the proxy bypass list.
- The Microsoft Online Services Sign-in Assistant may not be installed on the client device.
- Certain third-party applications require Extended Protection for Authentication to be disabled on the AD FS 2.0 Federation Service.
For more info about how to troubleshoot these issues, see the following Microsoft Knowledge Base article:
2530713 Single sign-on authentication to Office 365 doesn't work from a specific device, but works from other devices
Additionally, the problem may be related to an issue in which the client doesn't have all the required updates for correct rich client functionality. Make sure that all Office 365 client prerequisites are met. For more info, see the following Microsoft Knowledge Base article:
2637629 How to troubleshoot computer issues that limit Office 365 rich client authentication