Thursday, September 20, 2012

Office 365 Single Sign On Errors

Figure 1
We are currently in the midst of setting up a Hybrid Implementation involving Exchange 2010 and Office 365 for Education where we will eventually migrate our student mail from On-Premise Exchange to Office 365.

To enable SSO you need the following items.

  • Properly configured ADFS (Active Directory Federation Services) environment
  • Office 365 domain with verified Public Domain i.e. domain.edu
  • Follow instructions from a blog like this to enable SSO
If you have completed these steps, you should be able to verify the ADFS setup by visiting the URL https://adfs.domain.com/adfs/ls/IdpInitiatedSignon.aspx from a variety of places, using both internal and external clients.

To test Single Sign-On for Office 365 go to https://portal.microsoftonline.com. Try to log in with username@domain.com and it will redirect you to a page similar to Figure 1. When you click on the "Sign in at domain.com" link, it should redirect to your ADFS environment and either log you in automatically or prompt for credentials, depending on configuration, current user credentials, and browser.

Your organization could not sign you in to this service
If you enter your credentials and receive the error "Your organization could not sign you in to this service" as shown in the image, the cause is most likely the UPN that is currently configured in Active Directory. The UPN the user types at sign-in needs to match that user's UPN in AD. This is typically an issue when you are using a private internal domain name such as domain.local.

Solution

First you need to add the public UPN suffix if it doesn't currently exist in AD.
  1. Open Active Directory Domains and Trusts
  2. Right click on the top item  Active Directory Domains and Trusts and choose Properties.
  3. Add your alternate (public) UPN suffix, i.e. domain.com
Second go to Active Directory Users and Computers 
  1. Open the properties of the user you are testing.
  2. Go to the Account tab.
  3. Under User logon name: change the drop down item to the new @domain.com name.
You should now be able to login to Office 365 using your local credentials.
WARNING: This may affect other things if you have people using the private UPN to login elsewhere, so be careful.
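The same two steps can be scripted so that the change is repeatable and verifiable. The following PowerShell is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that the private domain is domain.local, that the public suffix is domain.com, and uses a placeholder sAMAccountName of jdoe for the test user. The final query lists the accounts the warning above applies to, so you can see who still signs in with the private UPN before changing anyone else.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
# Assumptions: private suffix domain.local, public suffix domain.com,
# test user sAMAccountName 'jdoe' (placeholder).
Import-Module ActiveDirectory

$publicSuffix  = 'domain.com'
$privateSuffix = 'domain.local'
$testUser      = 'jdoe'

# Step 1: register the public UPN suffix at the forest level
# (equivalent to Active Directory Domains and Trusts -> Properties).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $publicSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $publicSuffix }
    Write-Host "Added UPN suffix $publicSuffix to forest $($forest.Name)"
} else {
    Write-Host "UPN suffix $publicSuffix is already registered"
}

# Step 2: switch the test user's UPN to the public suffix
# (equivalent to the Account tab drop-down in Active Directory Users and Computers).
$user   = Get-ADUser -Identity $testUser -Properties UserPrincipalName
$newUpn = "$($user.SamAccountName)@$publicSuffix"
Write-Host "Current UPN: $($user.UserPrincipalName) -> New UPN: $newUpn"
Set-ADUser -Identity $user -UserPrincipalName $newUpn

# Step 3: verify the UPN in AD now matches what the user types at the Office 365 sign-in page.
$check = Get-ADUser -Identity $testUser -Properties UserPrincipalName
if ($check.UserPrincipalName -eq $newUpn) {
    Write-Host "OK: UPN is now $($check.UserPrincipalName)"
} else {
    Write-Warning "UPN did not change as expected: $($check.UserPrincipalName)"
}

# Before rolling the change out further, list accounts still using the private suffix.
# These are the users who may be logging in elsewhere with the private UPN.
Get-ADUser -Filter "UserPrincipalName -like '*@$privateSuffix'" -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName
```

Run it from a domain-joined machine with an account that has rights to modify the forest and the user object; the first step only needs to be done once per forest, while the second is repeated per user.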
