Tech Tip: ADFS: What to check for when things go wrong

We wanted to write this post because we have seen, time and time again, organizations that have deployed ADFS to work with Office 365, and when the ADFS infrastructure stops functioning, our clients are dead in the water and at the mercy of someone with AD FS knowledge to bring their business back to a functioning state.

However, many components of ADFS are actually quite simple, so the purpose of this post is to go through some of the things that may fail or break with ADFS and the steps you can use to correct the issue. The points below are broken down by the symptom you will encounter with ADFS.

A. Internal ADFS server with ADFS proxy publishing ADFS to the internet: There was a problem accessing the site. Internal Authentication works, external does not.

This symptom indicates that the proxy server cannot establish secure communication with our back-end ADFS server. If you can authenticate internally, directly against the ADFS server, but outside users cannot authenticate through the proxy, check the following on the proxy server:

  1. The system clock on the proxy server is not off by more than 5 minutes relative to the ADFS server.
  2. The service account used by the proxy to obtain configuration data from ADFS has not expired, been deleted, or had its password reset.
  3. The proxy server can correctly resolve your ADFS service name, and the IP address returned is the correct one.

B. Internal AD FS server with AD FS proxy publishing ADFS to the internet: There was a problem accessing the site. Neither internal nor external users can authenticate. If this was working previously, it may be related to the certificates on the machines:

  1. Ensure the token-signing certificate is not expired. Open ADFS Management, go to Certificates on the left, and examine the token-signing certificate. See Update trust properties.
  2. Ensure your SSL certificate is also not expired.
  3. If these look correct, test authentication on the ADFS server. If that succeeds, try an internal workstation; if that succeeds, move to an external workstation, so that you test authentication from the inside out.
  4. Depending on where you cannot authenticate (internal/external), you will need to check Event Viewer on either the ADFS server or the ADFS proxy (or just the ADFS server if you do not have a proxy). Once you have an event ID, you can correlate it here:

C. Single ADFS server, cannot authenticate. ADFS server is unreachable.

  1. Ensure that port 443 inbound is correctly NATed to the ADFS server for the ADFS service name (sts.contoso.com).
  2. You can test this by doing a certificate test at
  3. If you installed your SSL certificate but are not getting a result back from the above link, make sure the SSL certificate is bound to port 443 and that port 443 inbound is reaching that ADFS server.
  4. If you can access the O365 portal internally on the corporate network but cannot log in via ADFS externally, or if Outlook/ActiveSync authentication is not working, the issue lies with external routing to the ADFS server.

This was a quick overview of some simple things that you can check yourself without any ADFS experience. Obviously, there may be issues with ADFS not covered in this quick guide, and you may need to reach out to someone with ADFS experience. However, you can find more information on troubleshooting ADFS at the following links:

April 17th, 2014 5:19am
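The checks in sections A, B and C above can be scripted. The following is an added example, not part of the original post: a Windows PowerShell script that measures clock skew against the ADFS server (A.1), resolves the federation service name (A.3), completes a TLS handshake on port 443 and reports the presented certificate's expiry (B.2, C.1 to C.3), and, when run on the ADFS server itself with the ADFS module available, lists the token-signing and token-decrypting certificates with their expiry (B.1). The names sts.contoso.com, adfs01.corp.contoso.com and the expected IP are placeholders you must replace; the cmdlets assume Windows Server 2012 or later (Resolve-DnsName, Test-NetConnection, Get-AdfsCertificate).

```powershell
# Added example (not from the original post): ADFS health checks from PowerShell.
# Run on the proxy for the A checks, from outside the network for the C checks,
# and on the ADFS server itself for the B.1 certificate listing.
param(
    [string]$ServiceName = 'sts.contoso.com',          # assumed federation service name
    [string]$AdfsServer  = 'adfs01.corp.contoso.com',  # assumed internal ADFS server
    [string]$ExpectedIp  = ''                          # optional: IP the service name should resolve to
)

# A.1 - clock skew. w32tm reports the offset in seconds; the post's rule of thumb
# is that more than 5 minutes (300 s) breaks the proxy trust.
Write-Host "== Clock offset against $AdfsServer =="
w32tm /stripchart /computer:$AdfsServer /samples:3 /dataonly

# A.3 - name resolution as seen from this host.
Write-Host "== DNS answers for $ServiceName =="
try {
    Resolve-DnsName -Name $ServiceName -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object {
            $flag = if ($ExpectedIp -and $_.IPAddress -ne $ExpectedIp) { '  <-- not the expected IP' } else { '' }
            Write-Host ("  {0}{1}" -f $_.IPAddress, $flag)
        }
} catch {
    Write-Warning "Could not resolve ${ServiceName}: $_"
}

# C.1 - is TCP 443 reachable at all (NAT / firewall)?
Write-Host "== TCP 443 reachability for $ServiceName =="
$tcp = Test-NetConnection -ComputerName $ServiceName -Port 443 -WarningAction SilentlyContinue
Write-Host ("  TcpTestSucceeded = {0}" -f $tcp.TcpTestSucceeded)

# B.2 / C.3 - complete a TLS handshake and read the certificate actually bound to 443.
function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    try {
        # Validation callback returns $true: we only want to inspect the cert here,
        # not trust it, so an expired or mismatched cert still gets reported.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, { param($s, $c, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

if ($tcp.TcpTestSucceeded) {
    try {
        $cert = Get-RemoteTlsCertificate -HostName $ServiceName
        Write-Host "== TLS certificate presented on ${ServiceName}:443 =="
        Write-Host "  Subject : $($cert.Subject)"
        Write-Host "  Issuer  : $($cert.Issuer)"
        Write-Host "  Expires : $($cert.NotAfter)"
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning 'SSL certificate is EXPIRED (section B.2)'
        } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning 'SSL certificate expires within 30 days'
        }
    } catch {
        # Port open but no TLS: typically nothing bound to 443 (section C.3).
        Write-Warning "TLS handshake with ${ServiceName}:443 failed; check the 443 binding: $_"
    }
}

# B.1 - on the ADFS server: token-signing / token-decrypting certificate expiry.
# Requires the ADFS PowerShell module (Windows Server 2012 or later).
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    Write-Host '== ADFS farm certificates =='
    Get-AdfsCertificate | ForEach-Object {
        $state = if ($_.Certificate.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'ok' }
        Write-Host ("  {0,-16} primary={1,-5} expires {2:yyyy-MM-dd}  {3}" -f
            $_.CertificateType, $_.IsPrimary, $_.Certificate.NotAfter, $state)
    }
}
```

Run it as an administrator; the w32tm and Get-AdfsCertificate steps need elevated rights, and on an ADFS 2.x server you would load the legacy snap-in (Add-PSSnapin Microsoft.Adfs.PowerShell) before the B.1 section will find the cmdlet. The TLS check is the same thing the "certificate test" link in section C does, but from the specific network location you are troubleshooting, which is what matters when internal and external results differ.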

Thanks a lot for sharing your experience here, very good steps for clients on troubleshooting ADFS.

Here are a few more TechNet library links on troubleshooting ADFS:

http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-things-to-check(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc732610.aspx

http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-guide(v=ws.10).aspx

Thanks,

Ethan Hua CHN
TechNet Community Support

April 17th, 2014 11:26pm
