  1. #1
    Norphy

    Office 365 ADFS SSO Problem

    I have got a case open with Microsoft about this but I thought I'd put it to the Edugeek hive mind to see if anyone has had a similar issue and solved it.

    We're setting up Office 365 for our staff and students. I'm not sure what exactly we're going to do with it but you know, it's cloud so it must be good. We want to set it up for SSO so our users don't have to remember yet another username and password. To that end, I've set up a pair of W2012 servers with the ADFS role on one and the ADFS proxy role on the other and set up a relying party trust between it and Azure. I've made the lutonsfc.ac.uk domain a federated one.

    Users can sign onto O365 on external PCs, i.e. over the internet. Users can sign onto O365 using the ADFS server itself. However, when someone tries to sign onto O365 from inside the network, they get what looks like a Windows authentication prompt asking for credentials. You put in your network username and password and it pops up again. The connectivity tests at https://www.testexchangeconnectivity.com/ all pass so it looks like federation is working OK and that my certificates are correct.

    I'm at a loss and I don't know what to try next! It has to be some stupid little IIS setting because otherwise you wouldn't be able to sign on from the outside or on the ADFS server. Any suggestions?

    Cheers!

    /edit

    Just tried it in Firefox, it works! Firefox doesn't support a lot of the Windows authentication methods that IE and Chrome do so maybe it isn't IIS, maybe it's a security setting in IE.

    Argh!

    /edit 2

    Turning off integrated authentication in IE allows you to sign in. And it doesn't even ask for authentication. WTF?
    Last edited by Norphy; 15th April 2013 at 12:06 PM.

  2. #2
    Norphy
    Microsoft called me back today and gave me the solution.

    On both the ADFS server and ADFS proxy, you need to turn off the Negotiate authentication provider on the Windows authentication method for the ADFS/LS Application. Doing that solved the problem! Now to get Lync working through or around the firewall!

  3. #3

    EduTech
    Hi,

    I am pleased that you managed to get this resolved. I have not had a chance to reply back to you today, but that is indeed correct. Also note that it is recommended that, under the adfs/ls node in IIS, you right-click Windows Authentication under Authentication and choose Advanced Settings, then turn off Extended Protection.

    -Edit- For reference, the latter setting is generally related to browsers such as Chrome/Firefox etc., NOT Internet Explorer, which does support Extended Protection unlike the other browsers.

    Regards,
    James.
    Last edited by EduTech; 15th April 2013 at 09:04 PM.

  5. #4

    Edu-IT
    Originally posted by Norphy:
    > Microsoft called me back today and gave me the solution.
    >
    > On both the ADFS server and ADFS proxy, you need to turn off the Negotiate authentication provider on the Windows authentication method for the ADFS/LS Application. Doing that solved the problem! Now to get Lync working through or around the firewall!

    Where can I find that? Is it within the IIS settings for the ADFS site?
    @EduTech

  6. #5

    EduTech
    Open IIS > Select Your Default Web Site > ADFS > LS and then select Authentication > Click on Windows Authentication > Select Providers from the right-hand side > Remove Negotiate.

    Regards,
    James.
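
The IIS Manager steps from posts #2, #3 and #5, scripted with the WebAdministration module so the same change can be applied and checked on both servers (an added example, not code from the thread or from Microsoft). The site name `Default Web Site`, the function names and the `-KeepExtendedProtection` switch are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run elevated on the ADFS server and again
# on the ADFS proxy. Assumes the application path given in post #5.
Import-Module WebAdministration

$apphost  = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/adfs/ls'   # assumption: default site name
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'

function Get-AdfsLsAuthState {
    # Provider list and Extended Protection mode currently in effect for adfs/ls.
    $providers = Get-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter "$winAuth/providers" -Name '.'
    $epa = Get-WebConfiguration -PSPath $apphost -Location $location `
        -Filter "$winAuth/extendedProtection"
    [pscustomobject]@{
        Providers     = @($providers.Collection | ForEach-Object { $_.value })
        TokenChecking = $epa.tokenChecking
    }
}

function Set-AdfsLsThreadFix {
    param([switch]$KeepExtendedProtection)   # hypothetical switch name

    # Posts #2 and #5: remove Negotiate; any other listed provider stays.
    if ((Get-AdfsLsAuthState).Providers -contains 'Negotiate') {
        Remove-WebConfigurationProperty -PSPath $apphost -Location $location `
            -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = 'Negotiate' }
    }
    # Post #3: Extended Protection off. Skipped with the switch (post #6 kept it on).
    if (-not $KeepExtendedProtection) {
        Set-WebConfigurationProperty -PSPath $apphost -Location $location `
            -Filter "$winAuth/extendedProtection" -Name 'tokenChecking' -Value 'None'
    }
}

# Save the starting state so the change can be reversed, apply it, show the result.
$before = Get-AdfsLsAuthState
$before | ConvertTo-Json | Set-Content (Join-Path $env:TEMP 'adfs-ls-auth-before.json')
Set-AdfsLsThreadFix
Get-AdfsLsAuthState
```

With Negotiate removed, the endpoint no longer offers Kerberos and clients authenticate with whichever provider remains in the list, so the saved "before" file is the record to restore from if that is not wanted.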

  7. #6
    themightymrp
    Late to the party I know, but as an interesting addition to this topic, I have the extended protection enabled on the IIS server and the only problem I was having with regard to SSO was when using Firefox. It would still prompt for a logon when attempting to access the email. To solve this while still leaving the protection on I did this:

    In Firefox, type in the URL about:config

    Do a search for "network.automatic-ntlm-auth.trusted.uris", then add the URL of the ADFS server to the string, i.e. adfs.school.sch.uk

    Closed Firefox and re-opened and SSO worked fine!

  8. #7
    the_dude
    Not knocking ADFS, but with the latest flavor of dirsync with password sync you get the same username/password in the cloud as on premise and really it is a much simpler design. We just switched from ADFS.

  9. #8
    themightymrp
    True, I did look at that myself. However the powers that be wanted full SSO so that's what they got.
