Saturday, November 12, 2011

Unable to sign in to Office 365 with AD federated user

Last week, one of our customer's employees had trouble signing in to her Office 365 services using her federated account. All other accounts were working fine except this one. After investigating the issue we found out that the account UPN had been changed because the user changed her name after she got married.
We created an incident in the Office 365 admin console and they suggested a solution that did not work. After a couple of hours spent searching online for solutions we came up with the following procedure.

This procedure should be used anytime you want to change the UPN for a federated user.

Connect to Office 365 using PowerShell

Install the Office 365 cmdlets

To begin using the Office 365 cmdlets, you first need to install them. The requirements for installing the Office 365 cmdlets are as follows:
• You can install the cmdlets on a Windows 7 or Windows Server 2008 R2 computer.
• You must have Windows PowerShell and the .NET Framework 3.5.1 installed.
• You must have the Microsoft Online Services Sign-in Assistant installed. For more information, see Manually update and configure desktops for Office 365.

To install the cmdlets, perform the following steps.
1. Download one of the following:
Microsoft Online Services Module for Windows PowerShell (32-bit version)
Microsoft Online Services Module for Windows PowerShell (64-bit version)
2. To install the cmdlets, double-click the AdministrationConfig.msi file.
The installer will add a shortcut to your desktop and Start menu. Click the Microsoft Online Services Module shortcut to open a Windows PowerShell workspace with the cmdlets.
Alternatively, you can load the Office 365 cmdlets manually by typing Import-Module MSOnline at the Windows PowerShell prompt.

Change the UPN suffix and disable single sign on for that user

Run the following command from PowerShell to temporarily disable single sign-on and change the UPN for that user:
Set-MsolUserPrincipalName -UserPrincipalName username@domain.com -NewUserPrincipalName username@domain.onmicrosoft.com

The command assigns the UPN username@domain.onmicrosoft.com to the user and returns a temporary password. That password can be used to log in to Office 365.

Change the UPN for the user

Use the Active Directory Users and Computers MMC to change the UPN for the user, then force the synchronization between AD and Office 365 by running DirSyncConfigShell.psc1 from C:\Program Files\Microsoft Online Directory Sync on the server that has the DirSync tool installed.

Run the following command:

Start-OnlineCoexistenceSync

This automatically changes the user's UPN to the one defined in AD and re-enables single sign-on for that user.

Delete ADFS cache from the ADFS servers (not ADFS proxy)

To work around this issue, disable the local SID cache on the domain member computer. To do this, follow these steps:
1. Open Registry Editor.
2. Locate and then right-click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Point to New, and then click DWORD Value.
4. Type LsaLookupCacheMaxSize, and then press ENTER.
5. Right-click LsaLookupCacheMaxSize, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Exit Registry Editor.
Note: The LsaLookupCacheMaxSize registry entry sets the maximum number of cached mappings that can be saved in the local SID cache. The default maximum number is 128. When the LsaLookupCacheMaxSize registry entry is set to 0, the local SID cache is disabled.

Verify that the user can successfully log in to Office 365 using her federated account, then delete the LsaLookupCacheMaxSize registry value you created above.
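The whole procedure as one PowerShell script, as an added example that is not part of the original post. It assumes the ActiveDirectory module (Set-ADUser) in place of the ADUC MMC step, WinRM access to the ADFS servers for the registry change, that the module loaded by DirSyncConfigShell.psc1 is named DirSync, and that the $AdfsServers names are placeholders for your own.

```powershell
# Added example (not from the original post): runs the post's UPN-change steps
# end to end. Run it on the DirSync server (Start-OnlineCoexistenceSync only
# exists there) with Office 365 admin, AD admin and ADFS server admin rights.
param(
    [Parameter(Mandatory = $true)] [string] $OldUpn,        # e.g. jane.doe@domain.com
    [Parameter(Mandatory = $true)] [string] $NewUpn,        # e.g. jane.smith@domain.com
    [Parameter(Mandatory = $true)] [string] $TenantDomain,  # e.g. domain.onmicrosoft.com
    [string[]] $AdfsServers = @('adfs01', 'adfs02')         # hypothetical ADFS servers (not proxies)
)
Import-Module MSOnline          # Office 365 cmdlets
Import-Module ActiveDirectory   # Set-ADUser replaces the ADUC MMC step
Import-Module DirSync           # assumption: the module DirSyncConfigShell.psc1 loads
Connect-MsolService             # prompts for tenant admin credentials

# 1. Move the cloud account to the tenant domain: single sign-on is off for
#    this user only, and the cmdlet returns a temporary cloud password.
$tempUpn = ($OldUpn -split '@')[0] + '@' + $TenantDomain
$tempPassword = Set-MsolUserPrincipalName -UserPrincipalName $OldUpn -NewUserPrincipalName $tempUpn
Write-Host "Temporary password for $tempUpn : $tempPassword"

# 2. Change the UPN in on-premises AD.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$OldUpn'"
Set-ADUser -Identity $adUser -UserPrincipalName $NewUpn

# 3. Push the AD change to Office 365; DirSync rewrites the cloud UPN from AD,
#    which puts the user back in the federated domain.
Start-OnlineCoexistenceSync

# 4. Disable the LSA SID cache on the ADFS servers (not the proxies); this is
#    the registry step from the post, applied remotely.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Invoke-Command -ComputerName $AdfsServers -ArgumentList $lsaKey -ScriptBlock {
    param($key); New-ItemProperty -Path $key -Name LsaLookupCacheMaxSize -PropertyType DWord -Value 0 -Force
}

# 5. Wait for the sync to land, confirm the cloud UPN now matches AD, then
#    remove the registry value again as the post says.
$cloudUser = $null
for ($i = 0; $i -lt 10 -and -not $cloudUser; $i++) {
    Start-Sleep -Seconds 60
    $cloudUser = Get-MsolUser -UserPrincipalName $NewUpn -ErrorAction SilentlyContinue
}
if (-not $cloudUser) { throw "Office 365 still does not know $NewUpn; check DirSync" }
Write-Host "Office 365 now knows the user as $($cloudUser.UserPrincipalName)"
Invoke-Command -ComputerName $AdfsServers -ArgumentList $lsaKey -ScriptBlock {
    param($key); Remove-ItemProperty -Path $key -Name LsaLookupCacheMaxSize
}
```

The registry value is removed only after the cloud UPN check passes, so have the user confirm a federated sign-in first if you want to keep the cache disabled until then.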