Sunday, November 13, 2011

Unable to authenticate users in Office 365 using ADFS services

Last week we migrated one of our clients to Office 365, including the configuration of AD FS so that users authenticate with their local Active Directory credentials. Everything worked as expected for a couple of days, until one morning nobody could authenticate to the service.
We investigated the AD FS server and found that the AD FS 2.0 Windows Service was stopped.
We tried to start it without success. On closer inspection we discovered that the account used to run this service had been deleted from AD.
We created a new account, assigned all the appropriate rights and managed to start the service. At this point the external users, who authenticate through the AD FS Proxy server, were able to log in to the Office 365 services, but the internal users were not.
In the AD FS 2.0/Admin event log there were many events like these:

Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 11/8/2011 10:15:12 AM
Event ID: 323
Task Category: None
Level: Error
Keywords: AD FS
User: DOMAIN\ServiceAccount
Computer: COMPUTER.domain.com
Description:
The Federation Service could not authorize token issuance for the caller 'DOMAIN\ServiceAccount' on behalf of the subject 'user@domain.com' to the relying party 'urn:federation:MicrosoftOnline'. Please see event 501 with the same instance id for caller identity. Please see event 502 with the same instance id for OnBehalfOf identity, if any.
Additional Data
Instance id: 2ae34f5b-dc27-3ed1-af21-976e28a4e3f5
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.OnBehalfOfAuthorizationException: MSIS5009: The impersonation authorization failed for caller identity and delegate for relying party trust https://claimapp1.treyresearch.net.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
User Action
Use Windows PowerShell comments for AD FS 2.0 to ensure that the caller is authorized on behalf of the subject to the relying party.

Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 11/8/2011 10:11:02 AM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: DOMAIN\ServiceAccount
Computer: COMPUTER.domain.com
Description:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: MSIS3126: Access denied.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolResponse(FederationPassiveContext federationPassiveContext)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)
System.ServiceModel.FaultException: MSIS3126: Access denied.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

There were also a lot of events 501 and 502.
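The investigation above (service stopped, logon account gone from AD, a flood of 323/364/501/502 events) can be scripted. The following triage script is an added example and is not code from the original post. It assumes it is run in an elevated PowerShell on the AD FS 2.0 federation server, that the service name is adfssrv (the AD FS 2.0 Windows Service), and that events 501 and 502 carry the same "Instance id: <guid>" text as event 323 (the 323 message says they share it); the 24-hour window is an arbitrary default.

```powershell
# Added example (not from the original post): triage for a stopped AD FS 2.0 service,
# a service account that no longer exists in AD, and the 323/501/502 event chain.
# Assumptions: elevated PowerShell on the AD FS 2.0 server; service name 'adfssrv';
# events 501/502 contain the same "Instance id: <guid>" line as event 323.
param([int]$Hours = 24)

# 1. Service state and the account it is configured to log on as.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'"
if (-not $svc) { throw "AD FS 2.0 Windows Service (adfssrv) is not installed on this host." }
"{0}: State={1} LogOnAs={2}" -f $svc.DisplayName, $svc.State, $svc.StartName

# 2. Does that logon account still resolve to a SID? A deleted AD account does not.
$logon = $svc.StartName
if ($logon -match '\\') {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($logon)).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        "Service account $logon resolves to $($sid.Value)"
    } catch {
        Write-Warning "Service account $logon does not resolve ($($_.Exception.Message)); it may have been deleted from AD."
    }
} else {
    "Service runs as local identity $logon; nothing to resolve."
}

# 3. Pull the relevant AD FS 2.0/Admin events and group 323/501/502 by instance id.
$filter = @{ LogName = 'AD FS 2.0/Admin'; Id = 323, 364, 501, 502; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"{0} matching events in the last {1}h, {2} of them 364 (passive request failed)" -f `
    $events.Count, $Hours, @($events | Where-Object { $_.Id -eq 364 }).Count

$byInstance = @{}
foreach ($e in $events) {
    if ($e.Message -match 'Instance id:\s*(?<id>[0-9a-fA-F-]{36})') {
        $id = $Matches['id']
        if (-not $byInstance.ContainsKey($id)) { $byInstance[$id] = @() }
        $byInstance[$id] += $e
    }
}

# Keep the event text readable in a table: first 200 characters, newlines collapsed.
function Get-Summary([string]$text) {
    if (-not $text) { return '(missing)' }
    $flat = ($text -replace '\s+', ' ').Trim()
    if ($flat.Length -gt 200) { $flat.Substring(0, 200) + '...' } else { $flat }
}

# 4. One row per authorization failure: the 323 plus its 501 (caller) and 502 (OnBehalfOf).
foreach ($id in $byInstance.Keys) {
    $group = $byInstance[$id]
    $e323 = $group | Where-Object { $_.Id -eq 323 } | Select-Object -First 1
    if (-not $e323) { continue }                     # 501/502 without a 323 are not failures
    $e501 = $group | Where-Object { $_.Id -eq 501 } | Select-Object -First 1
    $e502 = $group | Where-Object { $_.Id -eq 502 } | Select-Object -First 1
    New-Object PSObject -Property @{
        Time       = $e323.TimeCreated
        InstanceId = $id
        Error      = Get-Summary $e323.Message
        Event501   = Get-Summary $e501.Message   # caller identity
        Event502   = Get-Summary $e502.Message   # OnBehalfOf identity
    }
}
```

If step 2 warns that the logon account does not resolve while step 4 shows 323s whose caller is the service account, you are looking at exactly the situation described in this post: the service is running (or was restarted) under an identity that AD FS no longer authorizes to issue tokens on behalf of users.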
We searched the internet for a solution and the only thing we found was http://social.technet.microsoft.com/wiki/contents/articles/2265.aspx, which unfortunately did not work for us.
The only solution that emerged was to disable the federation between Office 365 and the internal AD infrastructure and re-enable it with a new service account for the AD FS service. To do that we followed this procedure:

1. Use the PowerShell cmdlet Convert-MsolDomainToStandard to convert the domain from single sign-on (federated) to standard authentication.

If you didn't install the Office 365 cmdlets please follow the instructions from this blog post http://paulroman.pras.ro/2011/11/unable-to-sign-in-to-office-365-with-ad.html.

Run the following commands to disable single sign-on:

# Prompt for Office 365 administrator credentials and connect
$cred = Get-Credential
Connect-MsolService -Credential $cred
# Convert the domain to standard authentication and convert its users as well
Convert-MsolDomainToStandard -DomainName domain.com -PasswordFile password.txt -SkipUserConversion $false

This generates a temporary password for every user in the domain and saves them to password.txt. That file is a plaintext list of valid credentials for all users, so keep it on the administrator's machine only, restrict its permissions, and delete it once the passwords have been distributed.

2. Uninstall AD FS 2.0 and the AD FS 2.0 Proxy from every server that was part of the federation setup.

3. Reconfigure the AD FS integration with Office 365 following the Microsoft procedure at http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh125004.aspx.
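The conversion in step 1 and the re-federation at the end of step 3 are both one-line cmdlets, but each has a precondition and a result worth checking, and the password file deserves more protection than a default-ACL text file. The script below is an added example, not code from the original post or from Microsoft; it assumes the MSOnline module (the Office 365 cmdlets) is installed, that domain.com and adfs01.domain.com are placeholders for the real domain and federation server, and that steps 2 and 3 (reinstalling and configuring AD FS with the new service account) are done by hand between the two function calls.

```powershell
# Added example (not from the original post): the step 1 conversion with checks and a
# restricted password directory, and a step 3 re-federation check. Assumes the MSOnline
# module is installed; 'domain.com' and 'adfs01.domain.com' are placeholders.
Import-Module MSOnline -ErrorAction Stop

function Connect-O365 {
    $cred = Get-Credential            # Office 365 global administrator
    Connect-MsolService -Credential $cred
}

# Create a directory that only the current user can access. The password file written into
# it holds a temporary password for every converted user, i.e. working credentials.
function New-RestrictedDirectory([string]$Path) {
    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)           # stop inheriting, drop inherited ACEs
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl $dir.FullName $acl
    $dir.FullName
}

# Step 1: refuse to run on a domain that is not federated, convert, then verify the result.
function Convert-DomainToStandard([string]$Domain, [string]$PasswordDir) {
    $dom = Get-MsolDomain -DomainName $Domain
    if ($dom.Authentication -ne 'Federated') {
        throw "$Domain is '$($dom.Authentication)', not Federated; nothing to convert."
    }
    $file = Join-Path (New-RestrictedDirectory $PasswordDir) `
                      ('passwords-{0:yyyyMMdd-HHmm}.txt' -f (Get-Date))
    Convert-MsolDomainToStandard -DomainName $Domain -PasswordFile $file -SkipUserConversion $false
    $dom = Get-MsolDomain -DomainName $Domain
    if ($dom.Authentication -ne 'Managed') {
        throw "$Domain is still '$($dom.Authentication)' after conversion; check the cmdlet output."
    }
    Write-Warning "Temporary passwords for $Domain are in $file. Distribute them, then delete the file."
    $file
}

# Step 3 (after AD FS 2.0 and the proxy have been reinstalled with the new service account):
# re-federate the domain and show what AD FS and Office 365 each report for the trust.
function Confirm-DomainFederated([string]$Domain, [string]$AdfsServer) {
    Set-MsolADFSContext -Computer $AdfsServer
    Convert-MsolDomainToFederated -DomainName $Domain
    $dom = Get-MsolDomain -DomainName $Domain
    if ($dom.Authentication -ne 'Federated') { throw "$Domain did not come back as Federated." }
    Get-MsolFederationProperty -DomainName $Domain | Format-List
}

# Usage (placeholders):
# Connect-O365
# Convert-DomainToStandard -Domain 'domain.com' -PasswordDir 'C:\o365-conversion'
# ... step 2 and the AD FS part of step 3 are done outside this script ...
# Confirm-DomainFederated -Domain 'domain.com' -AdfsServer 'adfs01.domain.com'
```

Get-MsolFederationProperty lists the federation settings as seen from the AD FS server and from Office 365 side by side; after a reinstall the two should agree on the federation service identifier and signing certificate, which is the quickest way to confirm that the trust was rebuilt against the new farm rather than the old one.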

Within half an hour the AD FS service was functional again and all users were able to access Office 365 from both the internal and the external network.
