15th April 2013, 12:39 PM #1
Office 365 ADFS SSO Problem
I have got a case open with Microsoft about this but I thought I'd put it to the Edugeek hive mind to see if anyone has had a similar issue and solved it.
We're setting up Office 365 for our staff and students. I'm not sure what exactly we're going to do with it but you know, it's cloud so it must be good. We want to set it up for SSO so our users don't have to remember yet another username and password. To that end, I've set up a pair of W2012 servers with the ADFS role on one and the ADFS proxy role on the other and set up a relying party trust between it and Azure. I've made the lutonsfc.ac.uk domain a federated one.
Users can sign onto O365 on external PCs, i.e. over the internet. Users can sign onto O365 using the ADFS server itself. However, when someone tries to sign onto O365 from inside the network, they get what looks like a Windows authentication prompt asking for credentials. You put in your network username and password and it pops up again. The connectivity tests at https://www.testexchangeconnectivity.com/ all pass so it looks like federation is working OK and that my certificates are correct.
I'm at a loss and I don't know what to try next! It has to be some stupid little IIS setting because otherwise you wouldn't be able to sign on from the outside or on the ADFS server. Any suggestions?
Just tried it in Firefox, it works! Firefox doesn't support a lot of the Windows authentication methods that IE and Chrome do so maybe it isn't IIS, maybe it's a security setting in IE.
Turning off integrated authentication in IE allows you to sign in. And it doesn't even ask for authentication. WTF?
Last edited by Norphy; 15th April 2013 at 01:06 PM.
15th April 2013, 03:33 PM #2
Microsoft called me back today and gave me the solution.
On both the ADFS server and ADFS proxy, you need to turn off the Negotiate authentication provider on the Windows authentication method for the ADFS/LS Application. Doing that solved the problem! Now to get Lync working through or around the firewall!
15th April 2013, 09:05 PM #3
I am pleased that you managed to get this resolved. I have not had a chance to reply back to you today, but that is indeed correct. Also note that it is recommended, under the adfs/ls node in IIS, to right click Windows Authentication under Authentication and choose Advanced Settings. Turn off Extended Protection.
-Edit- For reference, the latter setting is generally related to browsers such as Chrome/Firefox etc., NOT Internet Explorer, which does support Extended Protection unlike the other browsers.
Last edited by EduTech; 15th April 2013 at 10:04 PM.
15th April 2013, 09:56 PM #4
Where can I find that? Is it within the IIS settings for the ADFS site?
15th April 2013, 10:07 PM #5
Open IIS > Select Your Default Web Site > ADFS > LS and then select Authentication > Click on Windows Authentication > Select Providers from the right-hand side > Remove Negotiate.
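The same two IIS changes from posts #2, #3 and #5 can be applied and checked from the WebAdministration module, which is easier to repeat on both the ADFS server and the ADFS proxy and leaves an audit trail. This is an added example, not a script from the thread or from Microsoft; it assumes Windows Server 2012 / IIS 8 with the ADFS/LS application at "Default Web Site/adfs/ls" (the path given in post #5) and an elevated PowerShell session on each server. The Get-AdfsWinAuthState function name is an assumption for this example.

```powershell
# Added example (not from the thread): apply the two IIS changes described
# above to the ADFS/LS application and print the state before and after so
# the result can be verified on each server.
# Assumed: IIS 8 on Windows Server 2012, ADFS/LS under "Default Web Site/adfs/ls",
# elevated session; run once on the ADFS server and once on the ADFS proxy.
Import-Module WebAdministration

$appPath = 'IIS:\Sites\Default Web Site\adfs\ls'   # the ADFS/LS application
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-AdfsWinAuthState {
    # Read the Windows Authentication providers list and the Extended
    # Protection token-checking mode for the ADFS/LS application.
    $providers = (Get-WebConfiguration -PSPath $appPath -Filter "$winAuth/providers").Collection |
        ForEach-Object { $_.value }
    $epa = (Get-WebConfiguration -PSPath $appPath -Filter "$winAuth/extendedProtection").tokenChecking
    [pscustomobject]@{ Providers = ($providers -join ', '); TokenChecking = $epa }
}

'Before:'; Get-AdfsWinAuthState

# 1. Remove the Negotiate provider (posts #2 and #5). NTLM stays in the
#    list, so integrated sign-on from domain-joined PCs still works; only the
#    Negotiate (Kerberos) provider is no longer offered to the browser.
Remove-WebConfigurationProperty -PSPath $appPath -Filter "$winAuth/providers" `
    -Name '.' -AtElement @{ value = 'Negotiate' }

# 2. Turn off Extended Protection (post #3). tokenChecking = None disables
#    channel-binding checks, which is what lets non-IE browsers complete
#    Windows authentication against this application. It also removes the
#    channel-binding protection against NTLM relay, so if you want to keep
#    it on, the browser-side change in post #6 is the alternative.
Set-WebConfigurationProperty -PSPath $appPath -Filter "$winAuth/extendedProtection" `
    -Name tokenChecking -Value 'None'

'After:'; Get-AdfsWinAuthState
```

After running it, the "After" line should list NTLM without Negotiate and show TokenChecking as None; re-running Get-AdfsWinAuthState later is a quick way to confirm that nobody has re-enabled Negotiate or Extended Protection through IIS Manager.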
18th September 2013, 05:00 PM #6
Late to the party I know but as an interesting addition to this topic, I have the extended protection enabled on the IIS server and the only problem I was having with regards SSO was when using Firefox. It would still prompt for a logon when attempting to access the email. To solve this while still leaving the protection on I did this:
In Firefox, type in the URL about:config.
Do a search for "network.automatic-ntlm-auth.trusted.uris", then add the URL of the ADFS server to the string, i.e. adfs.school.sch.uk.
Closed Firefox, re-opened it, and SSO worked fine!
18th September 2013, 05:21 PM #7
Not knocking ADFS, but with the latest flavour of DirSync with password sync you get the same username/password in the cloud as on premise, and really it is a much simpler design. We just switched from ADFS.
18th September 2013, 05:23 PM #8
True, I did look at that myself. However the powers that be wanted full SSO so that's what they got.