Using The Remote Connectivity Analyzer When you cannot use your Microsoft Office 365 federated credentials to authenticate Microsoft Outlook to Exchange Online
After being on the road for a couple of weeks, when I got home my Outlook wouldn't authenticate via ADFS2, but I could log in via the Portal and Lync worked without any issues. I traced the issue to a certificate error using MOSDAL. However, it was only a certificate issue due to my router blocking port 443. So I have taken this opportunity to provide a few resources from MOSDAL and the Office 365 Support Team, in case you're having issues with authentication or general configuration.
If you review the KB article (http://support.microsoft.com/kb/2466333), it provides a few tests and possible solutions for this symptom: you cannot use your Microsoft Office 365 federated credentials to authenticate Microsoft Outlook or Microsoft Exchange ActiveSync by using a smartphone to Exchange Online services. However, since port 443 was blocked, my phone didn't sync either.
Use Microsoft Exchange Remote Connectivity Analyzer to test whether the on-premises AD FS 2.0 service is causing Outlook logon problems for single sign-on (SSO)-enabled users. To do this, follow these steps:
- In Internet Explorer, browse to https://testexchangeconnectivity.com.
- On the Office 365 tab, under Microsoft Office Outlook Connectivity Tests, click Outlook Anywhere (RPC over HTTP), and then click Next.
- Type the email address and credentials, click to select the acknowledgement check box near the bottom of the page, type the verification code, and then click Perform Test. This test should be run two times. Run the test by using the following credentials:
- An SSO-enabled user account that has a mailbox in Exchange Online
- A standard user account that has a mailbox in Exchange Online
Verify the results of both tests to determine whether AD FS 2.0 is causing the Outlook sign-in issue.
- a. Drill down to the following node of the Test Details tree:
- Testing RPC/HTTP connectivity
- - ExRCA is attempting to test Autodiscover for john@contoso.com
- - Attempting each method of contacting the Autodiscover service
- - Attempting to contact the Autodiscover service using the HTTP redirect method
- - Attempting to send an Autodiscover POST request to potential Autodiscover URLs
- - ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user
- b. Check whether the following conditions are true:
- - The SSO-enabled user account cannot access Autodiscover and receives an "HTTP 401 authorized response" error message.
- - The standard user account can access Autodiscover.

If both conditions are true, you have confirmed that SSO failures are causing Outlook authentication to fail.
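The decision above, combined with the blocked-port case described at the top of this post, can be written as a layered check: confirm TCP 443 and TLS first, then compare the two accounts' Autodiscover results. This is an added example, not code from the KB article or the ExRCA tool; `probe_tls`, `triage` and the outcome labels are hypothetical names, and treating HTTP 200 as "can access Autodiscover" is an assumption.

```python
import socket
import ssl

AUTODISCOVER_HOST = "autodiscover-s.outlook.com"  # host named in the ExRCA test tree


def probe_tls(host, port=443, timeout=5.0):
    """Return 'tcp_blocked', 'tls_error' or 'ok' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_blocked"  # nothing answers on 443, e.g. a router dropping it
    try:
        ctx = ssl.create_default_context()  # verifies chain and host name
        with ctx.wrap_socket(raw, server_hostname=host):
            return "ok"
    except OSError:  # ssl.SSLError and certificate errors are OSError subclasses
        return "tls_error"
    finally:
        raw.close()


def triage(sso, std):
    """Interpret the two test runs.

    sso / std: a probe_tls() failure string, or the HTTP status that
    Autodiscover returned for the SSO-enabled and the standard account.
    Treating 200 as "can access Autodiscover" is an assumption of this example.
    """
    outcomes = (sso, std)
    if "tcp_blocked" in outcomes:
        return "network"       # fix connectivity first; AD FS is not implicated yet
    if "tls_error" in outcomes:
        return "tls"           # certificate/handshake problem on a reachable port
    if sso == 401 and std == 200:
        return "sso"           # both KB conditions true: SSO failure
    if sso == 200 and std == 200:
        return "ok"
    return "inconclusive"      # e.g. both accounts get 401: not isolated to SSO


if __name__ == "__main__":
    stage = probe_tls(AUTODISCOVER_HOST)
    print(AUTODISCOVER_HOST, "->", stage)
    print("401 for SSO, 200 for standard ->", triage(401, 200))
```
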
You have a couple of choices when running the tool, and it's invaluable in resolving a number of issues. I chose to run the Office 365 SSO Test.
Microsoft Remote Connectivity Analyzer - https://testexchangeconnectivity.com.
![clip_image001[4] clip_image001[4]](http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ivansanders.metablogapi/5023.clip_5F00_image0014_5F00_thumb_5F00_12DE2FC5.png)
Microsoft Remote Connectivity Analyzer Office 365
![clip_image002[4] clip_image002[4]](http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ivansanders.metablogapi/8053.clip_5F00_image0024_5F00_thumb_5F00_17743A7F.png)
Microsoft Remote Connectivity Analyzer Office 365 SSO Sign-In
![clip_image003[4] clip_image003[4]](http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ivansanders.metablogapi/2047.clip_5F00_image0034_5F00_thumb_5F00_1C76782E.png)
Microsoft Remote Connectivity Analyzer In Progress
![clip_image004[4] clip_image004[4]](http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ivansanders.metablogapi/4062.clip_5F00_image0044_5F00_thumb_5F00_1ECFFA2C.png)
Microsoft Remote Connectivity Analyzer Passed with a warning
![clip_image005[4] clip_image005[4]](http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ivansanders.metablogapi/1385.clip_5F00_image0054_5F00_thumb_5F00_71DA9750.png)
Microsoft Remote Connectivity Analyzer MSOL Resolved
![clip_image006[4] clip_image006[4]](http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/ivansanders.metablogapi/2308.clip_5F00_image0064_5F00_thumb_5F00_377F216F.png)
In addition, I have included a few references on ADFS2, DirSync and Office 365 in general below.
| Active Directory Federation Services 2.0 Related Resources |
| View KB | How to use custom URLs to enable a transparent single sign-on experience for identity federation in an Office 365 environment |
| View KB | You cannot assign a federated domain to a user in the Microsoft Online Portal |
| View KB | "Your organization could not sign you in to this service" error message occurs when a user tries to sign in to Microsoft Online Portal as a federated user |
| View KB | You cannot connect to Microsoft Online Services by using the Identity Federation Management tool |
| View KB | A federated user is prompted for credentials or cannot sign in to Microsoft Online Services |
| View KB | A federated user is prompted unexpectedly to enter their credentials when they access an Office 365 resource |
| View KB | A Federated user is repeatedly prompted for credentials, and then the user cannot connect to Microsoft Office 365 |
| View KB | How to reestablish trust with the Microsoft Online Services ID service after the AD FS 2.0 server stops responding |
| View KB | Troubleshooting AD FS 2.0 federation services published directly to the Internet using a firewall device instead of an ADFS Proxy server |
| View KB | A sub-domain does not inherit the changes that are made to the top-level domain in Office 365 |
| View KB | A token-signing certificate has expired or was renewed for Office 365 Identity Federation |
| View KB | You are prompted to enter your user name and password when you connect to Office 365 resources using a rich-client application |
| View KB | Firewall prevents users from using Office 365 services from rich clients |
| View KB | Internet Explorer cannot display the Office 365 portal webpage when a federated user tries to sign in |
| View KB | You are repeatedly prompted for credentials when you try to log in to the AD FS 2.0 service endpoint in Office 365 |
| View KB | Active Directory Federation Services 2.0 hotfix information for Microsoft Lync and Office Professional Plus sign-in issues in the Office 365 environment |
| View KB | You cannot open the Microsoft Online Services Module for Windows PowerShell |
| View KB | Federated users cannot connect to an Exchange Online mailbox |
| View KB | How to change the ADFS 2.0 service communications certificate after it expires |
| View KB | Users cannot sign out of Office 365 web services |
| View KB | Office 365 Identity Federation service implications of AD FS 2.0 implementation scenarios |
| View KB | Domain name requirements to set up a federated domain for Office 365 identity or Exchange federation (rich coexistence) |
| View KB | You receive a certificate warning when you try to access Microsoft Office 365 resources by using an identity-federated account |
| View KB | How to troubleshoot identity federation user account issues in the Office 365 environment |
| View KB | How to troubleshoot Identity Federation client devices in Office 365 |
| View KB | The "500" error code is returned when you send an HTTP SOAP request to the "/adfs/services/trust/mex" endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008 |
| View KB | An identity-provider-initiated sign-on process is slow in Windows Server 2008 R2 and in Windows Server 2008 |
| DirSync Tool Related Resources |
| View KB | Error message in the Microsoft Online Services Directory Synchronization tool in Microsoft Office 365: "Your version of the Microsoft Online Services Directory Synchronization Configuration Wizard is outdated" |
| View KB | Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard in Office 365: "The user name must be provided in valid UPN format" |
| View KB | Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard: "Your credentials could not be authenticated. Retype your credentials and try again" |
| View KB | "LogonUser() Failed with error code: 1789" after you enter enterprise administrator credentials in the Directory Synchronization Configuration Wizard in Office 365 |
| View KB | Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard: "The Enterprise Administrator credentials that you supplied are not valid. Supply valid credentials and try again" |
| View KB | Error 012 when you run the Directory Synchronization tool in an Office 365 environment |
| View KB | Firewall prevents users from using Office 365 services from rich clients |
| View KB | "The computer must be joined to a domain" error message occurs when you try to install Microsoft Online Services Directory Synchronization Tool |
| View KB | Microsoft Online Services attributes for Exchange Rich-Coexistence are not written back to the on-premises Active Directory directory service when you use the Online Services Directory Synchronization tool |
| View KB | List of attributes that are synchronized to Office 365 and attributes that are written back to the on-premises Active Directory Domain Services |
| View KB | Process for using Microsoft Online Services Directory Synchronization Tool in Office 365 |
| Related Knowledge Base Articles |
| View KB | Outlook 2007 takes longer than expected to show free/busy for meeting participants |
| View KB | Outlook 2007: Troubleshooting Outlook Crashes |
| View KB | How to troubleshoot performance issues in Outlook 2007 |
| Related TechNet & Office Online Articles |
| View Article | Autodiscover and Outlook Anywhere Issues |
| View Article | Troubleshooting Free/Busy Information for Outlook 2007 |
| View Article | Understanding the Performance Impact of High Item Counts and Restricted Views |
| View Article | Troubleshooting Microsoft Outlook Start Up Issues |
| View Article | Scan and repair corrupted Outlook data files |
| View Forum | Microsoft Online Services Dedicated Solution Forum |
| Other Resources for Outlook 2007 |
| View Help | Outlook 2007 Solution Center |
| View Help | Help for Outlook 2007 |
| View Courses | Online courses for Outlook 2007 |
| View Thread | Outlook 2007 Prompts for Credentials Continually (user is connected to Exchange) |
| View Article | What is the Enable logging (troubleshooting) option? |
| Other Resources for Outlook 2003 |
| View | Outlook 2003 Solution Center |
| View Help | Outlook 2003 Help and How-to - from Microsoft Office Online |
| View Courses | Outlook 2003 Courses |
Happy Holidays,
-Ivan