We have an Office 365 Single Sign-On environment where users were having problems starting Outlook. The application would hang on loading the profile: users could not launch Outlook, nor create a new profile. Users COULD still log in to OWA (Office 365) and authenticate against ADFS.
No changes had been made to the on-prem network or to the Office 365 environment.
We tried the Microsoft Support and Recovery Assistant for Office 365, but this tool is not supported for Single Sign-On environments.
We ran the following tests on https://testconnectivity.microsoft.com:
Single Sign-On – Passed
DNS Tests – Passed
Outlook Connectivity Tests – Failed due to Autodiscover failure
Autodiscover – Failed with the following error:
A Web exception occurred because an HTTP 503 – ServiceUnavailable response was received from Unknown. HTTP Response Headers: Retry-After: 30 request-id: 8adf642c-4dac-4a66-972f-5963d53f2381 X-CalculatedBETarget: vi1pr0701mb3005.eurprd07.prod.outlook.com X-AutoDiscovery-Error: LiveIdBasicAuth:FederatedStsUnreachable:<X-forwarded-for:40.85.91.8><ADFS-Business-682ms>failed logon error – STSFailure – '<s:Fault xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="en-GB">An error occurred when verifying security for the message.</s:Text></s:Reason></s:Fault>'<FEDERATED><UserType:Federated>Logon failed "[email protected]".; |
We confirmed connectivity to ADFS with:
https://sts.our-domain.com/adfs/services/trust/2005/usernamemixed
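Being able to open the usernamemixed URL only proves TCP/TLS reachability; the fault above comes from inside the WS-Trust exchange, where ADFS validates the WS-Security header (UsernameToken plus a Created/Expires Timestamp) before it looks at the credential. The script below is an added example, not part of the original post or any Microsoft tool: it sends the same kind of RST that Office 365 sends on the tenant's behalf and returns either the issued assertion or the SOAP fault, and its -SkewMinutes switch deliberately offsets the Timestamp so you can see for yourself that a clock more than a few minutes off produces the a:InvalidSecurity / "An error occurred when verifying security for the message" fault. The STS URL, user and password are placeholders.

```powershell
# Added example (not from the original post). Placeholders: $StsUrl, credentials.
function Invoke-AdfsUsernameMixedTest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $StsUrl,            # .../adfs/services/trust/2005/usernamemixed
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $SkewMinutes = 0,                             # 0 = honest clock; 10 reproduces the fault
        [string] $AppliesTo = 'urn:federation:MicrosoftOnline'
    )

    # WS-Security Timestamp: ADFS rejects it when Created/Expires fall outside its
    # allowed clock skew, which is exactly what a mis-set server clock looks like.
    $now     = [DateTime]::UtcNow.AddMinutes($SkewMinutes)
    $created = $now.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $expires = $now.AddMinutes(5).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $user    = [System.Security.SecurityElement]::Escape($Credential.UserName)
    $pass    = [System.Security.SecurityElement]::Escape($Credential.GetNetworkCredential().Password)
    $msgId   = 'urn:uuid:' + [guid]::NewGuid()
    $tokId   = 'uuid-' + [guid]::NewGuid()

    $envelope = @"
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:MessageID>$msgId</a:MessageID>
    <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
    <a:To s:mustUnderstand="1">$StsUrl</a:To>
    <o:Security s:mustUnderstand="1"
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0"><u:Created>$created</u:Created><u:Expires>$expires</u:Expires></u:Timestamp>
      <o:UsernameToken u:Id="$tokId">
        <o:Username>$user</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">$pass</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference><a:Address>$AppliesTo</a:Address></a:EndpointReference>
      </wsp:AppliesTo>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProcKey</t:KeyType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
"@

    $body = $null
    try {
        $resp = Invoke-WebRequest -Uri $StsUrl -Method Post -UseBasicParsing `
                    -Body ([Text.Encoding]::UTF8.GetBytes($envelope)) `
                    -ContentType 'application/soap+xml; charset=utf-8'
        $body = $resp.Content
    }
    catch {
        # ADFS returns SOAP faults with HTTP 500, so the fault body lives in the exception.
        $body = $_.ErrorDetails.Message
        if (-not $body -and $_.Exception.Response -and
            $_.Exception.Response.PSObject.Methods['GetResponseStream']) {
            $reader = New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())
            $body = $reader.ReadToEnd()
        }
        if (-not $body) { throw }   # no HTTP response at all: DNS, TCP or TLS problem
    }

    [xml]$xml = $body
    $ns = New-Object Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('s', 'http://www.w3.org/2003/05/soap-envelope')
    $fault = $xml.SelectSingleNode('//s:Fault', $ns)
    if ($fault) {
        [pscustomobject]@{
            Result  = 'Fault'
            Subcode = $fault.SelectSingleNode('s:Code/s:Subcode/s:Value', $ns).InnerText
            Reason  = $fault.SelectSingleNode('s:Reason/s:Text', $ns).InnerText
        }
    } else {
        [pscustomobject]@{
            Result       = 'Issued'
            HasAssertion = [bool]$xml.SelectSingleNode('//*[local-name()="Assertion"]')
        }
    }
}

# Usage (placeholder URL and account): honest clock first, then a deliberately skewed Timestamp.
# $cred = Get-Credential 'user@our-domain.com'
# Invoke-AdfsUsernameMixedTest -StsUrl 'https://sts.our-domain.com/adfs/services/trust/2005/usernamemixed' -Credential $cred
# Invoke-AdfsUsernameMixedTest -StsUrl 'https://sts.our-domain.com/adfs/services/trust/2005/usernamemixed' -Credential $cred -SkewMinutes 10
```

Run it from a machine whose own clock is known good, once through the external (proxy) name and once directly against an internal federation server. If the skewed run faults the same way as the honest run, the problem is not your request but the server's clock (or the proxy's, when only the external path fails); if only the skewed run faults, the STS is healthy and the testconnectivity failure is coming from somewhere else in the chain.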
We were a little stuck at this point, so we contacted Microsoft for assistance.
After several hours the problem was partly resolved by enabling Modern Authentication.
Reference:
https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/
https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/
We still had the Autodiscover errors, but this got the users working.
The interim fix was to connect to Exchange Online via PowerShell and run the following, which enables OAuth (modern authentication) for the tenant so that Outlook 2013/2016 clients sign in through the ADFS passive (browser) endpoint instead of handing their password to the usernamemixed endpoint that was returning the fault above:
Set-OrganizationConfig -OAuth2ClientProfileEnabled:$True
Update!!:
The issue has now been fully resolved. After much messing around and hours with Microsoft senior technicians, I spotted that the time on the ADFS server and the time on the ADFS Proxy server were out by 7 minutes. Each machine was on a different physical host.
I configured a trusted time source on each physical host, re-ran the tests on testconnectivity.microsoft.com, and the problem was resolved!
The cause was the time difference, which exceeded the 5 minutes that the WS-Security timestamp check behind the a:InvalidSecurity fault (like Kerberos) tolerates by default. Any skew above that between the proxy and the federation server is enough to fail every federated logon that passes through the proxy, while OWA, which did not go through that code path, kept working.
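Checking for this kind of skew takes seconds once you know to look, and it is worth scripting so it gets re-run after any host move or patch cycle. The following is an added example, not part of the original post: the first function measures each ADFS and Web Application Proxy server's clock over NTP with w32tm /stripchart (so it also works for WAP servers that are not domain-joined) and reports the largest spread against the 5-minute tolerance; the second points a set of machines, the physical Hyper-V hosts in the post's case, at an explicit NTP peer and forces a resync. Host names, the NTP peer and the credential are placeholders.

```powershell
# Added example (not from the original post). Placeholders: host names, NTP peer, credential.

function Get-FederationClockSkew {
    # Offset of each host from the machine running the script, plus the largest
    # pairwise spread between hosts, which is what the proxy-to-ADFS trust cares about.
    [CmdletBinding()]
    param(
        [string[]] $Computers = @('adfs01.our-domain.local', 'wap01.our-domain.local'),
        [int]      $Samples = 3,
        [int]      $MaxSkewSeconds = 300   # WS-Security / Kerberos default tolerance
    )

    $results = foreach ($c in $Computers) {
        $lines = & w32tm /stripchart /computer:$c /samples:$Samples /dataonly 2>&1
        # Data lines look like "10:00:02, +00.0011234s"; everything else is status or an error.
        # Assumes a '.' decimal separator in the w32tm output.
        $offsets = foreach ($l in $lines) {
            if ("$l" -match ',\s*([+-]?\d+(?:\.\d+)?)s\s*$') { [double]$Matches[1] }
        }
        [pscustomobject]@{
            Computer      = $c
            Reachable     = [bool]$offsets
            OffsetSeconds = if ($offsets) { [math]::Round(($offsets | Measure-Object -Average).Average, 3) } else { $null }
        }
    }

    $known  = @($results | Where-Object Reachable)
    $spread = 0
    if ($known.Count -ge 2) {
        $max    = ($known.OffsetSeconds | Measure-Object -Maximum).Maximum
        $min    = ($known.OffsetSeconds | Measure-Object -Minimum).Minimum
        $spread = [math]::Round($max - $min, 3)
    }

    [pscustomobject]@{
        Hosts            = $results
        MaxSpreadSeconds = $spread
        WithinTolerance  = ($spread -le $MaxSkewSeconds)
    }
}

function Set-TrustedTimeSource {
    # Configures an explicit NTP peer and resyncs. Aim it at the physical hosts
    # (whose guests inherit the clock through Hyper-V time sync) or at the ADFS/WAP
    # servers directly. Pass -Credential for WAP servers outside the domain.
    # Domain-joined members normally keep /syncfromflags:domhier and the fix belongs
    # on the PDC emulator or the hypervisor host instead.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Computers,
        [string] $NtpPeer = 'time.windows.com,0x9',   # 0x9 = client mode + SpecialInterval flags
        [pscredential] $Credential
    )
    $block = {
        param($peer)
        w32tm /config /manualpeerlist:"$peer" /syncfromflags:manual /update
        w32tm /resync /nowait
        w32tm /query /status
    }
    $splat = @{ ComputerName = $Computers; ScriptBlock = $block; ArgumentList = $NtpPeer }
    if ($Credential) { $splat.Credential = $Credential }
    if ($PSCmdlet.ShouldProcess(($Computers -join ', '), "Configure NTP peer $NtpPeer")) {
        Invoke-Command @splat
    }
}

# Usage (placeholders):
# Get-FederationClockSkew -Computers 'adfs01.our-domain.local','wap01.our-domain.local'
# Set-TrustedTimeSource -Computers 'hv01.our-domain.local','hv02.our-domain.local' -WhatIf
# Set-TrustedTimeSource -Computers 'hv01.our-domain.local','hv02.our-domain.local'
# Get-FederationClockSkew   # re-check until WithinTolerance is True
```

Run the skew check from a box with a trusted clock so the per-host offsets are meaningful on their own, not just relative to each other, and add it to whatever monitoring already watches the federation service: a 7-minute drift would have shown up long before users noticed Outlook hanging.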