Sulich's Blog

AD FS Troubleshooting

https://support.microsoft.com/en-ca/help/3015526/how-to-troubleshoot-issues-that-you-encounter-when-you-sign-in-to-offi

How to troubleshoot issues that you encounter when you sign in to Office apps for Mac, iPad, iPhone, or iPod Touch when using Active Directory Federation Services

INTRODUCTION

This article contains information about how to troubleshoot problems that affect the ability to sign in to Microsoft Office apps for Mac, iPad, iPhone, or iPod Touch. This article also contains resources for IT administrators to address reports about Active Directory Federation Services (AD FS) issues that are specific to Office for Apple iOS and Mac platforms.

Issue 1: “Unknown Auth method” message when you try to sign in to an Office app for iOS or Mac
    Recommendation: To resolve this issue, your administrator must contact the provider of your non-Microsoft federation server to verify the configuration.

Issue 2: “An error occurred. Contact your administrator” message when you try to sign in to an Office app for iOS or Mac
    Recommendation: To resolve this issue, contact your administrator and point to this article.

Issue 3: “An error has occurred, invalid SAML token” error message when you try to sign in to an Office app for iOS or Mac
    Recommendation: To resolve this issue, contact your administrator and point to this article.

Issue 4: “There is problem with your account, please try again later” error message when you try to sign in to an Office app for iOS or Mac
    Recommendation: Users can update to the latest version of the Mac or iOS apps that are available. If this does not resolve the issue, contact your administrator and point to this article.

Issue 5: The sign-in page continually reappears when you try to sign in to any of the Office 365 apps for iOS or Mac
    Recommendation: To resolve this issue, contact your administrator and point to this article.

MORE INFORMATION

Issue 1: “Unknown Auth method” message when you try to sign in to an Office app for iOS or Mac

This error can occur in a topology where an enterprise has federated an AD FS server with Azure Active Directory for signing in to Office 365, and further federated the AD FS server with another non-Microsoft federation server such as Shibboleth. When Mac and iOS Office applications sign in, Azure Active Directory sends a parameter in the sign-in request to AD FS that requests forms authentication. When AD FS relays this request to the non-Microsoft federation server, it may be unable to interpret this parameter and it may display an error to the user, even before they are asked to sign in.

To resolve this issue, contact the provider of your non-Microsoft federation server.

Issue 2: “An error occurred. Contact your administrator” message when you try to sign in to an Office app for iOS or Mac

Users can’t sign in if the tenant uses AD FS and forms-based authentication is turned off on the AD FS server. They receive the following error message:

An error occurred

An error occurred. Contact your administrator for more information.

Error details

  • Activity ID: 00000000-0000-0000-c32d-00800000005e
  • Relying party: Microsoft Office 365 Identity Platform
  • Error time: <Date> <Time>
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (Windows NT 6.3;WOW64)
    AppleWebKit/537.36 (KHTML, like Gecko)
    Chrome/38.0.2125.111 Safari/537.36

In certain AD FS configurations, the administrator may not have forms-based authentication enabled on the AD FS server. The sign-in flow used by the Mac and iOS clients requires forms-based authentication, so without it these clients cannot sign in.

To resolve this issue, set up AD FS to use forms-based authentication as the secondary form of authentication. To do this, follow the appropriate steps for the version that you use.

Note The currently configured authentication methods can remain unchanged. For example, if Windows Integrated Authentication is configured as the primary authentication method, it can remain configured this way.

If you use AD FS 2.0

Enable forms-based authentication by using the steps in the following Microsoft TechNet topic:

If you use AD FS in Windows Server 2012 R2

Follow these steps:

  1. In Server Manager on the AD FS 3.0 server, click Tools, and then select AD FS Management.
  2. In the AD FS snap-in, click Authentication Policies.
  3. In the Primary Authentication section, click Edit next to Global Settings.
  4. In the Edit Global Authentication Policy dialog box, click the Primary tab, and then under Extranet and under Intranet, click to select the Forms Authentication check box.
     [Screen shot of the Edit Global Authentication Policy dialog box, showing the Forms Authentication check boxes]
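
The same change can be made and verified from PowerShell on the AD FS 2012 R2 server. The script below is an added example, not part of the Microsoft article: it reads the global authentication policy, adds FormsAuthentication to the primary intranet and extranet providers only if it is missing, and keeps whatever methods (for example WindowsAuthentication) are already configured, as the note above requires.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell
# session on the AD FS 2012 R2 (AD FS 3.0) server.
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy

Write-Host "Primary intranet providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
Write-Host "Primary extranet providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# Copy the existing provider lists so nothing already configured is dropped
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)
$extranet = @($policy.PrimaryExtranetAuthenticationProvider)

$changed = $false
if ($intranet -notcontains 'FormsAuthentication') {
    $intranet += 'FormsAuthentication'
    $changed = $true
}
if ($extranet -notcontains 'FormsAuthentication') {
    $extranet += 'FormsAuthentication'
    $changed = $true
}

if ($changed) {
    Set-AdfsGlobalAuthenticationPolicy `
        -PrimaryIntranetAuthenticationProvider $intranet `
        -PrimaryExtranetAuthenticationProvider $extranet
    Write-Host "Forms Authentication added as a primary authentication provider."
} else {
    Write-Host "Forms Authentication is already enabled for intranet and extranet."
}

# Confirm the resulting policy
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
```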

Issue 3: “An error has occurred, invalid SAML token” error message when you try to sign in to an Office app for iOS or Mac

When you try to sign in, you receive the following error message:

An error has occurred, invalid SAML token.

The complete error may resemble the following:

We received a bad request.
Additional technical information:
Correlation ID: 82121251-3634-4afb-8014-fb5298d6f2c9
Timestamp: 2014-11-01 00:25:35Z
AADSTS50008: SAML token is invalid

This is a known Azure Active Directory issue. A fix is expected to become available soon. In the meantime, you can run the following Windows PowerShell script to resolve the issue.

Note You must run the PowerShell script one time for each affected federated domain.

  1. Make sure that you have the latest Azure Active Directory Module for Windows PowerShell. For more information, go to the following Microsoft Office website:
  2. Run the following command in PowerShell on the AD FS server:
    Update-MsolFederatedDomain -DomainName [verified domain]
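
Because the command must be run once for every federated domain, the following added example (not part of the Microsoft article) enumerates the tenant's federated domains with the Azure Active Directory Module and updates each one. It assumes the MSOnline module is installed and that it is run on the AD FS server as an Office 365 administrator; the -SupportMultipleDomain switch is applied only when more than one domain is federated.

```powershell
# Added example (not from the KB article). Requires the Azure Active Directory
# Module for Windows PowerShell (MSOnline) on the AD FS server.
Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 administrator credentials

# Only federated domains are affected; managed domains are skipped
$federated = @(Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' })

if ($federated.Count -eq 0) {
    Write-Host "No federated domains found in this tenant."
    return
}

foreach ($domain in $federated) {
    Write-Host "Updating federation settings for $($domain.Name)"
    $params = @{ DomainName = $domain.Name }
    # Farms that federate several domains must pass -SupportMultipleDomain
    if ($federated.Count -gt 1) { $params['SupportMultipleDomain'] = $true }
    Update-MsolFederatedDomain @params
}

# Review the resulting federation settings for each domain
foreach ($domain in $federated) {
    Get-MsolDomainFederationSettings -DomainName $domain.Name |
        Select-Object @{ n = 'Domain'; e = { $domain.Name } }, IssuerUri, PassiveLogOnUri
}
```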

Issue 4: “There is problem with your account, please try again later” error message when you try to sign in to an Office app for iOS or Mac

Administrators who have configured AD FS 2012 R2 to let users sign in by using an alternative user identifier, such as their email address, may experience this error. Users typically sign in by using their user principal name (UPN). We are working on an update to the Mac and iOS applications to support signing in by using an alternative user identifier.

To resolve this issue, update to the latest version of Mac and iOS apps. Verify the configuration of AD FS 2012 R2 to let users sign in by using an alternative user identifier.

Issue 5: The sign-in page continually reappears when you try to sign in to any of the Office 365 apps for iOS or Mac

Important Because of a temporary mitigation in Azure Active Directory, some users who have successfully signed in between October 30, 2014 and December 2, 2014 may start experiencing this issue after December 2, 2014. Make sure that the update that’s mentioned in this section is installed.

When a user signs in to any of the Office 365 apps for iOS or Mac, the user enters their user name and password on the sign-in page and the sign-in page reappears and prompts the user for their user name and password again. This problem can occur if you’re using an AD FS 2.0 server that’s missing critical updates. Install the update that’s documented in the following Microsoft Knowledge Base article on the AD FS 2.0 server:

2989956 Several issues after you install security update 2843638 or 2843639 on an AD FS server
