We wanted to write this blog post because we have seen, time and time again, organizations that deployed ADFS to work with Office 365 and then, when the ADFS infrastructure stops functioning, are dead in the water and at the mercy of someone with AD FS knowledge to get the business running again.

However, many components of ADFS are actually quite simple, so the purpose of this post is to walk through some of the things that may fail or break in ADFS and the steps you can take to correct them. The points below are broken down by the symptoms you will encounter with ADFS.

A. Internal ADFS server with ADFS proxy publishing ADFS to the internet:

“There was a problem accessing the site.” Internal Authentication works, external does not.

This symptom indicates that the proxy server cannot establish a secure connection to the backend ADFS server. If you can authenticate internally directly against the ADFS server, but outside users cannot authenticate through the proxy, check the following on the proxy server:

  1. The system clock on the proxy server is not off by more than 5 minutes relative to the ADFS server.
  2. The service account the proxy uses to obtain configuration data from ADFS has not expired, been deleted, or had its password reset.
  3. The proxy server correctly resolves your ADFS service name, and the IP address returned is the correct one.

B. Internal AD FS server with AD FS proxy publishing ADFS to the internet:

“There was a problem accessing the site.” Both internal and external users cannot authenticate.

If this was working previously, it may be related to the certificates on the machines:

  1. Ensure the token signing certificate is not expired. Open ADFS management, go to certificates on the left, and examine the token signing certificate. See “Update trust properties” at http://technet.microsoft.com/en-us/library/jj151809.aspx
  2. Ensure your SSL certificate is also not expired.
  3. If these look correct, test authentication on the ADFS server itself. If that succeeds, try an internal workstation; if that succeeds, move to an external workstation, so that you test authentication from the inside out.
  4. Depending on where authentication fails (internal/external), you will need to check Event Viewer on either the ADFS server or the ADFS proxy (or just the ADFS server if you do not have a proxy). Once you have an event ID, you can correlate it here: http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(v=ws.10).aspx

C. Single ADFS server, cannot authenticate. ADFS server is unreachable.

  1. Ensure that port 443 inbound is correctly NAT’d to the ADFS server for the ADFS service name (sts.contoso.com)
  2. You can test this by doing a certificate test at www.digicert.com/help
  3. If you installed your SSL certificate but are not getting results back from the link above, make sure the SSL certificate is bound to port 443 and that inbound port 443 traffic is reaching the ADFS server.
  4. If you can access the O365 Portal internally on the corp network, but cannot log in via ADFS externally, or if Outlook/ActiveSync authentication is not working, the issue resides with external routing to the ADFS server.
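The checks from scenarios A, B and C above gathered into one diagnostic script. This is an added example and not part of the original post; the host name adfs01.corp.contoso.com, the service account svc_adfs and the expected IP 10.0.0.10 are placeholders, and the ADFS cmdlets in the second half only exist on the ADFS server itself.

```powershell
# Added diagnostic script, not from the original post. Placeholder values below
# (internal ADFS host, service account, expected IP) must be replaced with yours.
param(
    [string]$ServiceName = 'sts.contoso.com',            # federation service name from the post
    [string]$AdfsServer  = 'adfs01.corp.contoso.com',    # placeholder: internal ADFS server
    [string]$ServiceUser = 'svc_adfs',                   # placeholder: proxy trust service account
    [string]$ExpectedIp  = '10.0.0.10'                   # placeholder: address the proxy should resolve
)

# --- Scenario A / C: run on the proxy (or any internal host) ---
# A.1 Clock skew against the ADFS server must stay under 5 minutes; tokens are time-bound.
"Clock offset vs ${AdfsServer}:"
w32tm /stripchart /computer:$AdfsServer /samples:3 /dataonly | Select-Object -Last 3

# A.2 Service account still valid: not disabled, not expired, password not recently reset.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    Get-ADUser $ServiceUser -Properties Enabled,PasswordLastSet,AccountExpirationDate,LockedOut |
        Format-List Enabled,PasswordLastSet,AccountExpirationDate,LockedOut
}

# A.3 Name resolution: the proxy must get the internal ADFS address for the service name.
$dns = Resolve-DnsName $ServiceName -Type A -ErrorAction SilentlyContinue
"DNS: $ServiceName -> $($dns.IPAddress -join ', ') (expected $ExpectedIp)"

# C.1 / C.3 Port 443 must actually reach the ADFS server behind the service name.
Test-NetConnection -ComputerName $ServiceName -Port 443 |
    Select-Object ComputerName,RemoteAddress,TcpTestSucceeded

# --- Scenario B: run on the ADFS server itself (ADFS PowerShell module required) ---
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    # B.1 Token-signing / token-decrypting certificates: flag anything within 30 days of expiry.
    Get-AdfsCertificate | ForEach-Object {
        $days = ($_.Certificate.NotAfter - (Get-Date)).Days
        '{0,-16} primary={1} expires={2:yyyy-MM-dd} ({3} days) {4}' -f $_.CertificateType,
            $_.IsPrimary, $_.Certificate.NotAfter, $days, $(if ($days -lt 30) { '<-- CHECK' } else { '' })
    }
    # B.2 SSL certificate bound to 443 (cmdlet exists on Windows Server 2012 R2 and later).
    if (Get-Command Get-AdfsSslCertificate -ErrorAction SilentlyContinue) {
        Get-AdfsSslCertificate | Select-Object HostName,PortNumber,CertificateHash
    }
    # B.4 Recent errors from the AD FS admin log, to correlate against the TechNet event ID tables.
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2; StartTime = (Get-Date).AddDays(-1) } `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}
```

Run the first half on the proxy and the second half on the ADFS server; a clock offset over 300 seconds, a wrong DNS answer, a failed TCP test or a certificate marked CHECK points straight at the corresponding item above.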

This was a quick overview of some simple things that you can check yourself without any ADFS experience. Obviously, there may be issues with ADFS not covered in this quick guide, and you may need to reach out to someone with ADFS experience. However, you can find some more information on troubleshooting ADFS at the following links:

Problem Accessing the Site
Verify and manage single sign-on with AD FS
Troubleshooting AD FS
Troubleshooting certificate problems with AD FS 2.0 
AD FS 2.0 Troubleshooting Guide
