Symptoms

When you try to sign in to the Microsoft Online Portal as a federated user, you may receive one of the following error messages:

  • "There was a problem accessing the site. Try to browse to the site again."
  • "Your organization could not sign you in to this service"

Resolution

Update or repair the federation trust between your Active Directory Federation Services (AD FS) 2.0 server and the Microsoft Federation Gateway.

Step 1: Verify firewall settings

If you have a firewall that supports the following features, make sure that these features are disabled.

Note: This step applies to the Forefront Threat Management Gateway (TMG) server. However, other firewall servers may also support these features.

Step 2: Repair the Relying Party trust

To repair your Active Directory Federation Services connection to the Microsoft Federation Gateway, follow these steps.

  1. Click Start, click Control Panel, point to Administrative Tools, and then click AD FS 2.0 Management.
  2. Locate Trust Relationships, select Relying Party Trusts, and then click Delete to remove the Relying Party Trust entry.
  3. Start the Microsoft Online Services Identity Federation Management tool from the desktop on the computer on which it was installed.
  4. At the Windows PowerShell prompt, type the following, and then press ENTER:
  • $cred=Get-Credential
  5. When you are prompted, enter your online administrator account.
  6. At the Windows PowerShell prompt, type the following, and then press ENTER:
  • Set-MSOLContextCredential -MSOLAdminCredentials $cred
  7. Run the Add-MSOLFederatedDomain cmdlet to re-create the federation trust.
    Note: If your domain is already configured as an online federated domain, you receive an error. However, this Windows PowerShell cmdlet re-creates the required AD FS entries, such as the following:
  • Relying Party Trusts = Microsoft Federation Gateway.
  • Issuance Transform Rules = 2 rules created.
  8. Run the Update-MSOLFederatedDomain cmdlet if you lost the token signing certificate. For example, you may have uninstalled or reinstalled your internal certification authority. Or, you may have replaced a previous AD FS certificate by using a new certificate, such as a public certificate, from a third-party vendor.

Step 3: Verify the endpoint for federation metadata

If the earlier steps do not resolve the issue, follow these steps:

  1. Start Registry Editor, and locate the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\MOCHA\IdentityFederation
  2. Make sure that the FederationMetadataUrl string has the following value:
  • https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml
  3. Exit Registry Editor.
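The following script is an added example (not part of this article) that automates the checks behind Step 3 and the token-signing certificate concern in Step 2: it compares the FederationMetadataUrl registry value with the expected URL, downloads and parses the metadata, and lists the AD FS 2.0 token-signing certificates with their expiry. It assumes it runs on the AD FS 2.0 server with the Microsoft.Adfs.PowerShell snap-in available, and that the metadata document's root element is EntityDescriptor with an entityID attribute; the function names are the example's own.

```powershell
# Added example, not code from the KB article. Assumes an AD FS 2.0 server
# with the Microsoft.Adfs.PowerShell snap-in installed.

# URL and registry path are the ones named in Step 3 of the article.
$expectedUrl = 'https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml'
$regPath     = 'HKLM:\Software\Microsoft\MOCHA\IdentityFederation'

function Test-FederationMetadataUrl {
    # Read the registry string and compare it with the documented value.
    $value = (Get-ItemProperty -Path $regPath -Name FederationMetadataUrl -ErrorAction Stop).FederationMetadataUrl
    if ($value -ne $expectedUrl) {
        Write-Warning "FederationMetadataUrl is '$value'; expected '$expectedUrl'."
        return $false
    }
    # Download the metadata and confirm it is well-formed XML with an entityID.
    $client = New-Object System.Net.WebClient
    [xml]$metadata = $client.DownloadString($value)
    $entityId = $metadata.EntityDescriptor.entityID   # assumption: WS-Federation metadata layout
    if (-not $entityId) {
        Write-Warning 'Metadata downloaded, but no EntityDescriptor/entityID was found.'
        return $false
    }
    Write-Host "Federation metadata OK, entityID = $entityId"
    return $true
}

function Show-TokenSigningCertificates {
    # AD FS 2.0 ships its cmdlets as a snap-in rather than a module.
    if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    }
    foreach ($entry in Get-ADFSCertificate -CertificateType Token-Signing) {
        $cert     = $entry.Certificate          # X509Certificate2 behind the AD FS entry
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Write-Host ('Token-signing certificate {0} expires {1} ({2} days left)' -f $cert.Thumbprint, $cert.NotAfter, $daysLeft)
        if ($daysLeft -lt 30) {
            # A replaced token-signing certificate is exactly the case where Step 2 says to run Update-MSOLFederatedDomain.
            Write-Warning 'Certificate expires soon; after it is replaced, run Update-MSOLFederatedDomain.'
        }
    }
}

Test-FederationMetadataUrl | Out-Null
Show-TokenSigningCertificates
```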

Step 4: Repair possible corrupted information in Microsoft Federation Gateway

If the earlier steps do not resolve the issue, follow these steps:

  1. Start the Microsoft Online Services Identity Federation Management tool from the desktop on the computer on which it is installed.
  2. At the Windows PowerShell prompt, type the following line, and then press ENTER:

$cred=Get-Credential

  3. When you are prompted, enter your online administrator account.
  4. At the Windows PowerShell prompt, type the following line, and then press ENTER:

Set-MSOLContextCredential -MSOLAdminCredentials $cred

  5. At the Windows PowerShell prompt, type the following line, and then press ENTER:

Convert-MSOLDomainToStandard -DomainName [yourdomain] -skipUserConversion $true -PasswordFile "c:/msol/password.txt"

Note: For [yourdomain], enter your domain (for example, enter contoso.com).

  6. At the Windows PowerShell prompt, type the following line, and then press ENTER:

Convert-MSOLDomainToFederated -DomainName [yourdomain]

Note: For [yourdomain], enter your domain (for example, enter contoso.com).


APPLIES TO

  • Microsoft Office 365 for enterprises
  • Microsoft Office 365 for small businesses