Troubleshooting Scenarios

WS-Trust and WS-Federation Scenarios

Issue in Setting Up a Domain for Federation

If you try to set a primary domain for federation by running the Set-MsolDomainAuthentication command, it throws the following error:

Set-MsolDomainAuthentication: You cannot remove this domain as the default domain without replacing it with another default domain. Use the Set-MsolDomain cmdlet to set another domain as the default domain before you delete this domain.

To fix this issue, change the default domain by performing the following steps:

  1. In the Office 365 portal, click Organization Name on the Admin page.

  2. Click Edit.

  3. Select a new default domain.

Set-MsolDomainAuthentication: You cannot remove this domain as the default domain without replacing it with another default domain

This error indicates that you attempted to delete the default domain without replacing it with another domain.

Use the Set-MsolDomain cmdlet to set another domain as the default domain before you delete this domain.

After Upgrading iOS Apps to the Latest Version, Single Sign-On to Office 365 Services Fails

To establish single sign-on from iOS apps to Office 365 services, perform the following steps:

  1. Click Devices > Identity Servers > Edit > Local > Contract.

  2. Specify a name to identify the contract.

  3. Specify the URI as http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password.

  4. Select Name/Password - Form - WebService method.

SAML 2.0 Scenarios

SSO to Microsoft Services Fails

SSO fails at Microsoft with this error:

Your organization could not sign you in to this service

Perform the following steps to fix this issue:

  • Verify that the attributes are configured properly.

    You can also use the SAML tracer plug-in for Firefox to review the SAML assertion sent to Office 365.

  • Verify the federation settings by using the Get-MsolDomainFederationSettings -DomainName <YOUR DOMAIN> command.

Issue in Setting Up a Domain for Federation

If you try setting up a primary domain for federation by running the Set-MsolDomainAuthentication command, it throws the following error:

Set-MsolDomainAuthentication: You cannot remove this domain as the default domain without replacing it with another default domain. Use the Set-MsolDomain cmdlet to set another domain as the default domain before you delete this domain.

To fix this issue, change the default domain by performing the following steps:

  1. In the Office 365 portal, click Organization Name on the Admin page.

  2. Click Edit.

  3. Select a new default domain.

Office 365 Domain Scenarios

Issues with the Directory Synchronization Tool

  • If the installation of the Directory Synchronization tool fails, check the Event Viewer. Installation may fail if the Microsoft Online Service Sign-In Assistant is already installed on the system.

  • If you need to uninstall the Directory Synchronization tool, log off and then log in.

  • If the Directory Synchronization tool is slow, increase the RAM of the server.

Active Profile Authentication Fails for Microsoft Exchange Clients

If the active profile authentication fails for Microsoft Exchange (Outlook) clients, verify that the necessary DNS records have been added to your DNS.

Microsoft Online Services Sign-In Assistant Installation Fails If Microsoft Office Professional Plus Is Installed

If the installation of Microsoft Online Services Sign-In Assistant fails after you install Microsoft Office Professional Plus and displays the following message, install the Sign-In Assistant manually:

"The Microsoft Online Services Sign In Assistant has experience an error. The error must be resolved before your subscription for this product can be verified. To retry subscription verification, first resolve error message 800704DD or try to manually install the Microsoft Online Services Sign In Assistant...." 

After installation is complete, relaunch the service to verify your Office 365 license.

Single Sign-On to Office 365 Domain Fails

If single sign-on fails, ensure that the ImmutableID and the User Principal Name (UPN) match the Office 365 user. To get the Office 365 user details, log in using PowerShell and execute the following command:

Get-MsolUser -UserPrincipalName user1@namtest.com | fl *
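
The check described here and under "SSO to Microsoft Services Fails" can be scripted by comparing an assertion captured with SAML tracer against the Get-MsolUser output. The following is an added example, not code from the product documentation. It assumes the ImmutableID is sent as the NameID and the UPN as the IDPEmail attribute, which is what Office 365 expects for SAML 2.0 federation; the function name, the sample assertion, and the sample ImmutableId value are constructed for illustration.

```powershell
# Added example (not product code): compare a captured assertion with Get-MsolUser output.
function Test-O365Assertion {
    param(
        [Parameter(Mandatory = $true)] [string] $AssertionXml,  # XML copied from SAML tracer
        [Parameter(Mandatory = $true)] $MsolUser                 # object returned by Get-MsolUser
    )
    # Parse with DTD processing disabled; a SAML assertion never needs a DOCTYPE.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $text = New-Object System.IO.StringReader -ArgumentList $AssertionXml
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load([System.Xml.XmlReader]::Create($text, $settings))

    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $nameId = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    $upn = $doc.SelectSingleNode("//saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", $ns)

    # ImmutableID is base64, so compare case-sensitively; UPNs compare case-insensitively.
    if ($null -eq $nameId) { 'NameID is missing from the assertion' }
    elseif ($nameId.InnerText.Trim() -cne $MsolUser.ImmutableId) {
        "NameID '$($nameId.InnerText.Trim())' does not match ImmutableId '$($MsolUser.ImmutableId)'"
    }
    if ($null -eq $upn) { 'IDPEmail attribute is missing from the assertion' }
    elseif ($upn.InnerText.Trim() -ne $MsolUser.UserPrincipalName) {
        "IDPEmail '$($upn.InnerText.Trim())' does not match UPN '$($MsolUser.UserPrincipalName)'"
    }
}

# Constructed sample assertion and user record. In practice, pass the XML from SAML tracer
# and the output of: Get-MsolUser -UserPrincipalName user1@namtest.com
$sample = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Q09OU1RSVUNURUQtSUQ=</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="IDPEmail">
      <saml:AttributeValue>user1@namtest.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@
$user = [pscustomobject]@{ ImmutableId = 'q09OU1RSVUNURUQtSUQ='; UserPrincipalName = 'User1@namtest.com' }

Test-O365Assertion -AssertionXml $sample -MsolUser $user
```

The function emits one line per mismatch and nothing when both values agree. The constructed user record differs from the assertion only in letter case, so the ImmutableId comparison reports a finding while the UPN comparison does not.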

No License to Use Office 365 Services

If you receive an error stating that the user does not have a license to use Office 365, log in to Office 365 as an administrator and assign the required service licenses to the user.

After Initial Successful Authentication, Unending Loop While Logging into Lync Using Wrong Username and Password

After successfully authenticating to the Office 365 client, if you attempt to log in to the Lync client by using an incorrect username and password, the Lync client uses the details from the previous successful session and tries to get a token from Access Manager. This results in an unending loop.

To resolve this issue, in the Lync client user interface, select the Delete my sign-in info option and log in again.

Single Sign-on Fails in Skype for Business 2016

Issue: Single sign-on to Skype for Business 2016 fails using the Identity Server login page. This issue occurs because Skype for Business 2016 is not compatible with the higher version of jQuery. Access Manager uses a higher version of jQuery to prevent security vulnerabilities.

Fix: To fix this issue, replace the higher version of jQuery with the lower version (not recommended) by running the following commands in /opt/novell/nam/idp/webapps/nidp/javascript/:

mv jquery.min.js jquery.min_backup.js

mv jquery_old.min.js jquery.min.js