
Azure AD Federated with AD FS Issue

YU Yang
Occasional Contributor

We have AD FS 3.0 (Windows Server 2012 R2, 1x AD FS server and 1x Web Application Proxy server). We are setting up a new Azure AD Connect to sync the users to Azure AD and federate Azure AD with this local AD FS farm.

During the initial configuration of Azure AD Connect, the federation had been completed, but no relying party trust for Office 365 was created in AD FS.

I have tried to update or reset the federation using the Azure AD Connect wizard. It was stuck and kept retrying the Update-MsolFederatedDomain command, as I could see from the log.

I had tried to convert it to a managed domain with password hash sync, then converted it again from Azure AD Connect; it was stuck at Convert-MsolDomainToFederated from what I could see in the log. No relying party trust was created in AD FS. The only error logs in the AD FS admin event log are "urn:federation:microsoftonline could not be fulfilled because the key does not identify a known relying party".

Verified that WinRM is enabled on the AD FS server.

Tried to run the Convert-MsolDomainToFederated command on the AD FS server itself. It encountered a 407 error first due to the proxy. After I added the proxy configuration to the machine.config file, it hit another error saying "Get-AdfsRelyingPartyTrust COMException..."

Getting a bit frustrated now. If you have had a similar experience, please advise. Any help will be much appreciated. Thanks.

4 Replies

Hard to troubleshoot without having access to your server, event logs and so on. I'd suggest opening a support case and working with the engineer to resolve this.

As for converting the domain, you can try the alternative approach via the Set-MsolDomainAuthentication cmdlet: https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainauthentication?view=azureadps-1.0

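Before re-running the conversion, it helps to see what each side currently believes. The following read-only diagnostic is an added example, not code from the thread or from Microsoft; it assumes it runs on the AD FS server (ADFS module present) with the MSOnline module installed and Connect-MsolService already run, and the domain name is a placeholder.

```powershell
# Added diagnostic example (not from the thread). Assumes: run on the AD FS server,
# MSOnline module installed, Connect-MsolService already done. Placeholder domain.
$DomainName = "contoso.example"   # placeholder: replace with the federated domain

# 1. Does the Office 365 relying party trust exist on this farm, and is it enabled?
$rp = Get-AdfsRelyingPartyTrust -Identifier "urn:federation:MicrosoftOnline"
if (-not $rp) {
    Write-Warning "No relying party trust for urn:federation:MicrosoftOnline on this AD FS farm."
} elseif (-not $rp.Enabled) {
    Write-Warning "Relying party trust '$($rp.Name)' exists but is disabled."
} else {
    Write-Host "Relying party trust '$($rp.Name)' is present and enabled."
}

# 2. What does AD FS identify itself as, and which token-signing cert is primary?
$adfsProps   = Get-AdfsProperties
$adfsSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
Write-Host "AD FS identifier  : $($adfsProps.Identifier)"
Write-Host "AD FS signing cert: $($adfsSigning.Certificate.Thumbprint)"

# 3. What does Azure AD currently hold for the domain? (Empty when the domain is managed.)
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
if (-not $fed.SigningCertificate) {
    Write-Warning "Azure AD has no federation settings for $DomainName (domain is managed or conversion never completed)."
    return
}
$aadCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($fed.SigningCertificate))
Write-Host "Azure AD IssuerUri      : $($fed.IssuerUri)"
Write-Host "Azure AD signing cert   : $($aadCert.Thumbprint)"
Write-Host "Azure AD PassiveLogOnUri: $($fed.PassiveLogOnUri)"

# 4. Flag mismatches; either one stops AD FS from issuing tokens for Office 365 sign-ins.
if ($fed.IssuerUri -ne $adfsProps.Identifier) {
    Write-Warning "IssuerUri in Azure AD does not match the AD FS federation service identifier."
}
if ($aadCert.Thumbprint -ne $adfsSigning.Certificate.Thumbprint) {
    Write-Warning "Azure AD holds a different token-signing certificate than the AD FS primary."
}

# 5. Recent AD FS admin-log errors, to corroborate the 'does not identify a known
#    relying party' message quoted in the question.
Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq "Error" } |
    Select-Object TimeCreated, Id, @{n = "Message"; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
```

A missing trust in step 1 combined with non-empty settings in step 3 is the state the question describes: Azure AD was switched to federated, but the AD FS side of the pairing was never written.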
Thanks Vasil.

Would you happen to be doing any SSL termination on your proxy or load balancers? If so, it could cause issues like this.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq

Thanks Rosaliod. I will take a look.
But on the other hand, it might not be related, as I tried to convert/configure Azure AD to federate with AD FS from the Azure AD Connect server, which doesn't use a proxy server at all, with no luck and a time-out.

Many thanks.
