
Microsoft small business knowledge base

Article ID: 2598459 - Last Review: July 9, 2014 - Revision: 38.0


INTRODUCTION

The Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit contains a data-collection package that helps you analyze Active Directory Federation Services (AD FS) 2.0 infrastructure, user account preparedness, and Microsoft Office 365 federation trusts. You can use this analysis to help troubleshoot Office 365 single sign-on (SSO) issues. This article contains info about how to interpret the diagnostic info for AD FS 2.0 Authentication and for SSO that's provided in the MOSDAL Support Toolkit.

PROCEDURE

The data flow of any Office 365 SSO communication is predictable. To determine which issues may have occurred during the SSO process, you can use a capture to compare the expected data flow pattern with the data flow that occurs during a failed SSO attempt. The AD FS 2.0 Authentication diagnostic feature of the MOSDAL Support Toolkit lets you capture and compare this kind of data. You can use this info to diagnose SSO and identity federation issues.

How to install the MOSDAL Support Toolkit

To download and install the MOSDAL Support Toolkit, go to the following Microsoft website:
http://www.microsoft.com/en-us/download/details.aspx?id=626

How to collect AD FS 2.0 authentication diagnostic info

To use the MOSDAL Support Toolkit to collect AD FS 2.0 diagnostic info, follow these steps:
  1. Start the MOSDAL Support Toolkit. To do this, click the MOSDAL Support Toolkit desktop shortcut. Or, click Start, point to All Programs, click Mosdal Support Toolkit, and then click MOSDAL Support Toolkit.
  2. Run the MOSDAL Support Toolkit, select the Single sign-on with Active Directory Federation Services check box from the list of Office 365 services, and then click Next.

    Screen shot of the Welcome to MOSDAL page
  3. When you're prompted to enter your credentials, enter your user ID (your sign-in address) and your password, and then click Next. Your password isn't saved; it's used only to simulate an authentication attempt and log the results.

    Screen shot of the Enter Credentials page
  4. Reproduce the issue, and then click Next.

    Screen shot of the Reproduce Problem page
  5. When the diagnostics are completed, click Exit and Show Files.
  6. When the report is finished, locate the MOSDALReport.zip file in the Documents library. In MOSDALReport.zip, open the DataCollectionADFS folder, and then open the AdfsDiagnostics.txt file.

How to read the AD FS 2.0 Authentication Diagnostics report

The AD FS 2.0 Authentication Diagnostics report consists of the following four sections. Read the report from the top down: start with the first section and continue to the next. If the causes that are listed in one section don't give you enough information to diagnose the issue, investigate the relevant area of the next section, which holds more detail.
  • Table of Contents

    This section contains an at-a-glance analysis of the test results. It lists the following:
    • High-level tests that were run and their general results (Pass or Fail)
    • For each test that failed, the problems that could cause the failure
    • Whether the client accesses AD FS 2.0 from inside or from outside the corporate network
    • The attachment names that were collected
  • Console Output

    This section contains a more thorough breakdown of the tests that were run. If the data in the Table of Contents section doesn't provide enough detail, view the Console Output section for more granular info about the following:
    • A breakdown of the individual steps that were performed in each test that is listed in the Table of Contents section
    • Specific results of each test step (Pass or Fail)
    • For each step that failed, the problems that could cause the failure
  • Test Traces

    This section contains trace-level detail of the tests that were run. If the data in the Console Output doesn't provide enough detail, examine the Test Traces section for more-detailed info.
  • Attachments

    This section contains environment state and settings data that helps you analyze and determine possible causes of various failure states. Because the attachments include the credentials that were used for the test and the token responses (including SAML claim info), treat the report as sensitive when you store it or share it. Common data that is collected includes the following:
    • User-environment data that is collected from the client
    • Credentials that were used for the test
    • Organization namespace registration data that is collected from the Office 365 Metadata Exchange (MEX) document (pulled from the AD FS 2.0 service endpoint)
    • AD FS 2.0 HTTP responses
    • AD FS 2.0 Security Token responses (including Security Assertions Markup Language [SAML] claim info)
    • Microsoft Azure Active Directory (Azure AD) security token responses

How to follow up on cause suggestions

The following tables list the most common causes that are suggested in the output of the AD FS 2.0 Authentication Diagnostics report for tests and steps that failed.

Note These are only suggestions. You should investigate and verify the cause of the issue before you determine an action plan to resolve the issue.
Test-002: Verify the Microsoft Office 365 authentication system organization namespace registration

  Log data (common cause of failure source) | Cause / description | Article reference
  The Office 365 authentication system logon URL couldn't be accessed. | Azure AD authentication system is inaccessible. | 2707380 (http://support.microsoft.com/kb/2707380/)
  Microsoftonline.com couldn't be accessed. | Azure AD authentication system name isn't resolved in DNS. | 2707331 (http://support.microsoft.com/kb/2707331/)
  There is no Username/Password authentication endpoint that is registered with the Office 365 authentication system. | Azure AD authentication system doesn't reflect the AD FS 2.0 registration of the username/password endpoint. | 2707359 (http://support.microsoft.com/kb/2707359/)
  There is no valid Metadata Exchange (MEX) URL that is registered with the Office 365 authentication system. | Azure AD authentication system doesn't reflect the AD FS 2.0 registration of the MEX endpoint. | 2707365 (http://support.microsoft.com/kb/2707365/)
  There is no web application logon URL that is registered with the Office 365 authentication system. | Azure AD authentication system doesn't reflect the AD FS 2.0 registration of the /adfs/ls endpoint. | 2707358 (http://support.microsoft.com/kb/2707358/)
  Domain {value} isn't a federated domain. | The named domain isn't registered as federated with the Azure AD authentication system. | 2707357 (http://support.microsoft.com/kb/2707357/)
  The user {value} wasn't recognized by the Office 365 authentication system. | The user ID isn't a valid identity in the Azure AD authentication system. | 2707367 (http://support.microsoft.com/kb/2707367/)
  The AD FS Token-Signing certificate isn't valid. | The AD FS 2.0 registration with the Azure AD authentication system shows the AD FS 2.0 token-signing certificate as invalid. | 2707368 (http://support.microsoft.com/kb/2707368/)
  Organization namespace registration info couldn't be obtained from the Office 365 authentication system. | The named domain isn't registered with the Azure AD authentication system. | 2707333 (http://support.microsoft.com/kb/2707333/)

Test-003: Verify that the Metadata Exchange (MEX) document can be retrieved from the Federation Server

  Log data (common cause of failure source) | Cause / description | Article reference
  There are no services in the AD FS MEX document. | AD FS 2.0 MEX data isn't advertising any services. | 2707344 (http://support.microsoft.com/kb/2707344/)
  The AD FS MEX document didn't contain the SecurityTokenService section. | AD FS 2.0 MEX data is corrupted. | 2707345 (http://support.microsoft.com/kb/2707345/)
  There is no security token service description in the AD FS MEX document. | AD FS 2.0 MEX data is corrupted. | 2707346 (http://support.microsoft.com/kb/2707346/)
  The Windows Integrated Authentication endpoint is missing from the MEX document that is published by the federation server. | AD FS 2.0 Integrated Windows Authentication endpoint is deactivated. | 2707356 (http://support.microsoft.com/kb/2707356/)
  No WS-Trust Windows endpoint is published in the MEX document. | AD FS 2.0 WS-Trust endpoint is deactivated. | 2707339 (http://support.microsoft.com/kb/2707339/)
  The Username/Password authentication endpoint is missing from the MEX document that is published by the federation server proxy. | AD FS 2.0 Username endpoint or AD FS 2.0 Password endpoint is deactivated. | 2707355 (http://support.microsoft.com/kb/2707355/)
  There are no endpoints in the AD FS MEX document. | AD FS 2.0 MEX data isn't advertising any service endpoints. | 2707344 (http://support.microsoft.com/kb/2707344/)
  The WS-Trust endpoint for Windows Integrated Authentication in the AD FS MEX document doesn't match the endpoint that is registered with the Office 365 authentication system. | AD FS 2.0 IWA service endpoint was changed, but its registration with the Azure AD authentication system wasn't updated. | 2707379 (http://support.microsoft.com/kb/2707379/)
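The Test-003 checks above can be reproduced offline against a saved copy of the MEX document (for example, the one in the report's Attachments section) when you want to confirm a suggested cause before acting on it. The following is an added example and is not MOSDAL code or part of this article: it parses a constructed, heavily trimmed MEX (WSDL) document and applies the checks from the table, including the comparison against the IWA endpoint that Office 365 has on record and a check that every endpoint advertises a recognisable WS-Trust version (the Test-004 "unknown WS-Trust version" row). The host sts.contoso.com, the endpoint paths /adfs/services/trust/2005/windowstransport and /adfs/services/trust/2005/usernamemixed, and the path-based WS-Trust version inference are assumptions; the article names the endpoints by role only.

```python
import xml.etree.ElementTree as ET

# Added example, not MOSDAL code. The article identifies endpoints by role;
# the paths below are the AD FS 2.0 default endpoint paths assumed here.
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
}
IWA_PATH = "/adfs/services/trust/2005/windowstransport"
USERNAME_PATH = "/adfs/services/trust/2005/usernamemixed"

# Constructed, trimmed MEX document in the shape AD FS 2.0 publishes (a real one
# also carries bindings and policy). Note that the IWA port advertises only the
# WS-Trust 1.3 path, so the 2005 IWA endpoint the checks look for is missing.
SAMPLE_MEX = """<wsdl:definitions name="SecurityTokenService"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="CustomBinding_IWSTrust13Async">
      <soap12:address location="https://sts.contoso.com/adfs/services/trust/13/windowstransport"/>
    </wsdl:port>
    <wsdl:port name="UserNameWSTrustBinding_IWSTrustFeb2005Async">
      <soap12:address location="https://sts.contoso.com/adfs/services/trust/2005/usernamemixed"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def mex_endpoints(mex_xml):
    """Map each wsdl:service name to the SOAP 1.2 endpoint URLs it advertises."""
    root = ET.fromstring(mex_xml)
    services = {}
    for svc in root.findall("wsdl:service", NS):
        urls = []
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap12:address", NS)
            if addr is not None and addr.get("location"):
                urls.append(addr.get("location"))
        services[svc.get("name")] = urls
    return services


def ws_trust_version(url):
    """Infer the WS-Trust version from the path segment after 'trust' ('2005', '13' or None)."""
    parts = url.split("/")
    if "trust" in parts:
        i = parts.index("trust") + 1
        if i < len(parts) and parts[i] in ("2005", "13"):
            return parts[i]
    return None


def check_mex(mex_xml, registered_iwa=None):
    """Apply the Test-003 style checks; return [(check name, passed, detail)].

    registered_iwa is the IWA endpoint URL that the Office 365 side has on
    record (the last row of the table); pass None to skip that comparison.
    """
    services = mex_endpoints(mex_xml)
    sts = services.get("SecurityTokenService")
    endpoints = sts or []
    iwa = [u for u in endpoints if u.endswith(IWA_PATH)]
    upw = [u for u in endpoints if u.endswith(USERNAME_PATH)]
    unknown = [u for u in endpoints if ws_trust_version(u) is None]
    findings = [
        ("services present", bool(services), f"{len(services)} service(s)"),
        ("SecurityTokenService section present", sts is not None, ""),
        ("endpoints advertised", bool(endpoints), f"{len(endpoints)} endpoint(s)"),
        ("IWA endpoint published", bool(iwa), iwa[0] if iwa else "no " + IWA_PATH),
        ("Username/Password endpoint published", bool(upw), upw[0] if upw else "no " + USERNAME_PATH),
        ("WS-Trust versions recognised", not unknown, ", ".join(unknown)),
    ]
    if registered_iwa is not None:
        findings.append(("IWA endpoint matches Office 365 registration",
                         bool(iwa) and iwa[0] == registered_iwa,
                         f"registered: {registered_iwa}"))
    return findings


def failed_checks(mex_xml, registered_iwa=None):
    """Names of the checks that failed, in report order."""
    return [name for name, passed, _ in check_mex(mex_xml, registered_iwa) if not passed]


if __name__ == "__main__":
    for name, passed, detail in check_mex(SAMPLE_MEX):
        print(f"{'PASS' if passed else 'FAIL'}  {name}  {detail}")
```

To run it against a real document, replace SAMPLE_MEX with the contents of the saved MEX file and pass the IWA endpoint that the Office 365 registration reports as registered_iwa. On the constructed sample the only failure is "IWA endpoint published", which corresponds to the "Windows Integrated Authentication endpoint is missing" row.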

Test-004: Verify that Federation Metadata can be retrieved from the Federation Server

  Log data (common cause of failure source) | Cause / description | Article reference
  The federation metadata document couldn't be retrieved from AD FS. | AD FS 2.0 federation metadata endpoint is unavailable or couldn't be contacted. | 2707335 (http://support.microsoft.com/kb/2707335/)
  The Metadata Exchange (MEX) document received from AD FS contains an unknown WS-Trust version. | WS-Trust version is incorrect for Microsoft Online single sign-on (SSO). | 2707348 (http://support.microsoft.com/kb/2707348/)

Test-005: Verify web application logon to AD FS by using Windows Integrated Authentication (IWA for passive)
Test-006: Verify web application logon to AD FS by using Username/Password Authentication (FBA for passive)
Test-007: Verify rich client application logon by using Username/Password Authentication (Basic for Rich)
Test-008: Verify rich client application logon by using Windows Integrated Authentication (IWA for Rich)

  Log data (common cause of failure source) | Cause / description | Article reference
  There was an exception error during a logon attempt. | A failure is encountered during AD FS 2.0 authentication. | 2707338 (http://support.microsoft.com/kb/2707338/)
  No token was received from AD FS. | After authentication, AD FS 2.0 didn't issue a SAML token. | 2707340 (http://support.microsoft.com/kb/2707340/)
  The AD FS token received isn't valid until {0}. | The SAML token received from AD FS 2.0 appears post-dated when it's compared to the local computer clock. | 2707376 (http://support.microsoft.com/kb/2707376/)
  The AD FS token has expired according to this computer's clock. | The SAML token received from AD FS 2.0 appears expired when it's compared to the local computer clock. | 2707377 (http://support.microsoft.com/kb/2707377/)
  The AD FS token validity period is too short. | The AD FS 2.0 token validity period is set to less than five minutes. | 2707378 (http://support.microsoft.com/kb/2707378/)
  During an attempt to verify web application logon to AD FS, the tool unexpectedly received a Username/Password logon page from the federation server. | An FBA authentication page was encountered on connecting to the AD FS 2.0 Federation Service when an IWA experience was expected. | 2707342 (http://support.microsoft.com/kb/2707342/)
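The three clock-related rows above (post-dated token, expired token, validity period under five minutes) are all decided by comparing the token's NotBefore and NotOnOrAfter values with the clock of the computer that receives it, which is why a skewed client clock shows up as a token problem. The following is an added example, not MOSDAL's code and not from this article: it extracts the validity window from a constructed SAML 1.1 assertion skeleton (no signature, no claims) and evaluates it against a supplied clock the way these tests do. The issuer, the timestamps and the allowed_skew tolerance (how much clock difference a relying party forgives) are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Added example, not MOSDAL code. The five-minute threshold is the one the
# article gives for "validity period is too short"; everything else is assumed.
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
MIN_VALIDITY = timedelta(minutes=5)


def make_token(not_before, not_on_or_after):
    """Build a constructed SAML 1.1 assertion skeleton with the given validity window."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML11}" MajorVersion="1" MinorVersion="1" '
        f'AssertionID="_constructed" Issuer="http://sts.contoso.com/adfs/services/trust" '
        f'IssueInstant="{not_before}">'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        '</saml:Assertion>'
    )


# Constructed one-hour token; the issuer and times are assumptions.
SAMPLE_TOKEN = make_token("2014-07-09T12:00:00.000Z", "2014-07-09T13:00:00.000Z")


def parse_utc(stamp):
    """Parse the ISO 8601 UTC timestamps AD FS writes (milliseconds, trailing Z)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def token_window(token_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(token_xml)
    cond = root.find(f"{{{SAML11}}}Conditions")
    if cond is None:
        raise ValueError("no saml:Conditions element in token")
    return parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))


def check_token(token_xml, now=None, allowed_skew=timedelta(0)):
    """Evaluate the token against a clock as Tests 005 to 008 do; return the problems found.

    now defaults to this computer's clock. allowed_skew is an assumed tolerance:
    a relying party that forgives some clock difference widens the window by it.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    not_before, not_on_or_after = token_window(token_xml)
    problems = []
    if not_before - allowed_skew > now:
        problems.append(f"token isn't valid until {not_before.isoformat()}")
    if not_on_or_after + allowed_skew <= now:
        problems.append("token has expired according to this computer's clock")
    if not_on_or_after - not_before < MIN_VALIDITY:
        problems.append("token validity period is too short")
    return problems


if __name__ == "__main__":
    # A client clock ten minutes behind the federation server sees a post-dated token.
    behind = parse_utc("2014-07-09T11:50:00.000Z")
    print(check_token(SAMPLE_TOKEN, behind))
    print(check_token(SAMPLE_TOKEN, behind, allowed_skew=timedelta(minutes=15)))
```

The same token passes or fails depending only on the clock it is checked against, so when the report shows one of these rows, compare the client's time with the federation server's time before looking at the token itself.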

Test-009: Verify rich client application logon to Office 365 by using a token that is issued by AD FS
Test-010: Verify web application logon to Office 365 by using a token that is issued by AD FS

  Log data (common cause of failure source) | Cause / description | Article reference
  No token was received from the Office 365 authentication system. | The Azure AD authentication system couldn't process the AD FS 2.0 SAML token and couldn't issue a cloud-based identity response. | 2707341 (http://support.microsoft.com/kb/2707341/)

What it means when MOSDAL indicates no errors but SSO problems persist

The diagnostic routine emulates certain aspects of Office 365 client computer preparedness, so the report won't fail when one of those aspects is the cause of the SSO issue. If the AD FS 2.0 diagnostic succeeds completely but the SSO issue remains, the problem is probably one of the following:
  • The AD FS 2.0 Federation Service name may not be added to the Local intranet security zone in Internet Explorer.
  • If a proxy server is deployed, the AD FS 2.0 Federation Service name may not be added to the proxy bypass list.
  • The Microsoft Online Services Sign-in Assistant may not be installed on the client device.
  • Certain third-party applications require Extended Protection for Authentication to be disabled on the AD FS 2.0 Federation Service. Extended Protection mitigates authentication relay, so treat disabling it as a deliberate trade-off that is scoped to the affected service, not as a default fix.
For more info about how to troubleshoot these issues, see the following Microsoft Knowledge Base article:
2530713  (http://support.microsoft.com/kb/2530713/ )  Signing in to Office 365, Azure, or Windows Intune by using single sign-on doesn't work from some devices

Additionally, the problem may be related to an issue in which the client doesn't have all the required updates for correct rich client functionality. Make sure that all Office 365 client prerequisites are met. For more info, see the following Microsoft Knowledge Base article:
2637629  (http://support.microsoft.com/kb/2637629/)  How to troubleshoot non-browser apps that can't sign in to Office 365, Azure, or Windows Intune

MORE INFORMATION

Still need help? Go to the Office 365 Community (http://community.office365.com/) website.

Applies to
  • Office 365 Identity Management