
Issues setting up ADFS

This question is answered

Hi all.  I'm setting up ADFS according to the steps given, and have run into an issue.  Everything went fine up to the point of setting up the trust (step 3).


I'm using a Windows 7 x64 machine to run the Microsoft Online Services Module.  The commands go something like this:

  1. $cred=Get-Credential - Works fine
  2. Connect-MsolService -Credential $cred - Works fine
  3. Set-MsolAdfscontext -Computer [SERVER FQDN] - Works fine
  4. New-MsolFederatedDomain -DomainName [DOMAIN] - Error:
    New-MsolFederatedDomain : Access denied.
    At line:1 char:24
    + New-MsolFederatedDomain <<<<  -DomainName [DOMAIN]
        + CategoryInfo          : PermissionDenied: (:) [New-MsolFederatedDomain],
        FederationException
        + FullyQualifiedErrorId : AccessDeniedToMicrosoftOnlineServices,Microsoft.
       Online.Identity.Federation.Powershell.AddFederatedDomainCommand

Per another recommendation, I've also tried this with Convert-MsolDomainToFederated and received a similar error.


I've tried several different combinations of credentials, and have verified that the creds I'm using are correct, active and entered correctly.  I have also used winrm quickconfig to set up remoting.  


It sounds like MSOL is refusing my credentials, although I'm using valid service administrator creds.  What am I missing here?




Verified Answer
  • Hi Glenn,

    If your account has not been transitioned from BPOS, it would certainly explain the problem. Your admin user on BPOS will not be an admin on Office 365 until after the transition has completed. When is your account scheduled to be transitioned? If it has already been moved, has this solved the problem?

    Let me know and I will do what I can to help.

    Dave

All Replies
  • Hi Glenn,
    This is Martin with Office 365 Support. Thanks for posting question here.
    It seems to be an authority error, meaning you don't have permission to execute this command. So could you verify, when you run the Microsoft Online Services Module, whether you are running it using "Run as Administrator"? Sometimes that can be the reason for this error message.

    Best Regards
    Martin Xu
    Microsoft Office 365 Support

  • Great idea.  I tried that, but still get the same error.

  • Hi Glenn,

    Thank you for your updated information.

    I understand that the issue persists after using "Run as Administrator" when launching PowerShell. Glenn, besides this point, the key factor is that the user running the command should be an administrator of the Office 365 tenant.

    In addition, the command you ran in the Microsoft Online PowerShell module is for creating a new federated domain. If you have already added and verified the domain in the Office 365 tenant, you can run "Convert-MsolDomainToFederated -DomainName <domain>".

    You can take a look at this for detailed steps:
    http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx

    Thanks,
    Monica Tong

  • Problem persists, despite addressing the issues you suggested.

  • Glenn,

    One thing I have found is that, because XP x64 does not have an SP3 available, you cannot use it as a client for Office 365, so I am wondering if you are running into a problem because of the OS.  Is your ADFS server a member server or a DC?  In my lab I am actually running ADFS 2.0 on my DC; I installed the MSOL PowerShell tools on it and ran the commands you are having trouble with.  If you do this you can skip the Set-MsolAdfscontext step.

  • Sean,

    Thanks for the reply.  ADFS is running on a member server.  

    I believe you are probably correct in that it's OS-related.  At this point I've just about exhausted all the time I'm interested in devoting to this and will probably just abandon ADFS.

  • So you can install the MSOL PowerShell module on the ADFS member server and run the commands from there. Don't give up on ADFS and SSO; it is very valuable, and I really think the issue is with the XP 64 OS.

  • In addition, could you raise a support issue to help with this? In general, we expect this to work if the following statements are true:

    1. The managed account that you are using to connect to Online via PSH is an admin account.

    2. The context that you use to talk to ADFS should be part of the Administrators group on the target ADFS server.

    3. If you are not using SQL and are using WID (the default) for the policy store, you need to be talking to the primary ADFS server (by default it is the first ADFS server that you set up).

  • Hi,

    This error generally is the result of connecting with an account that is not a member of the company admin role.

    Can you please confirm that the account you are connecting with is a company admin.  If so, can you please try and get the domain list, for example with get-msoldomain.

    Regards

    Ross Adams [MSFT]
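The three conditions Sean lists (tenant admin role, local Administrators membership on the ADFS box, and talking to the WID primary) and Ross's Get-MsolDomain sanity check can all be verified before re-running New-MsolFederatedDomain. The script below is an added pre-flight check, not code from this thread or from Microsoft; it assumes the MSOnline module is installed, that the server name passed in is a placeholder for your own ADFS host, and that the account running the script is the one you will later use with Set-MsolAdfscontext.

```powershell
# Added pre-flight check for the "Access denied" case in this thread.
# Assumptions: MSOnline module installed; PowerShell remoting enabled on the
# ADFS server (winrm quickconfig); $AdfsServer is a placeholder hostname.
param(
    [Parameter(Mandatory)] [string] $AdfsServer,   # e.g. adfs01.corp.example (placeholder)
    [Parameter(Mandatory)] [string] $DomainName    # domain you intend to federate
)

$cred = Get-Credential
Connect-MsolService -Credential $cred

# Condition 1: the signed-in account must hold the Company Administrator role.
# A plain user or a not-yet-transitioned BPOS admin fails here and will get
# "Access denied" from New-MsolFederatedDomain / Convert-MsolDomainToFederated.
$me        = $cred.UserName
$adminRole = Get-MsolRole -RoleName "Company Administrator"
$isCompanyAdmin = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $_.EmailAddress -eq $me }
if (-not $isCompanyAdmin) {
    Write-Warning "$me is not in the Company Administrator role; federation cmdlets will be denied."
}

# Ross's check: can this account read the tenant's domain list at all, and is
# the target domain already present? That decides which cmdlet is appropriate.
$target = Get-MsolDomain | Where-Object { $_.Name -eq $DomainName }
if (-not $target) {
    Write-Output "$DomainName is not in the tenant yet: New-MsolFederatedDomain is the right cmdlet."
} else {
    Write-Output ("{0}: Status={1} Authentication={2}" -f $target.Name, $target.Status, $target.Authentication)
    if ($target.Status -eq "Verified" -and $target.Authentication -eq "Managed") {
        Write-Output "Domain already verified and managed: use Convert-MsolDomainToFederated."
    }
}

# Conditions 2 and 3, evaluated on the ADFS server under the current logon:
# local Administrators membership, and whether this node is the WID primary.
Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isLocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # ADFS 2.0 ships its cmdlets as a snap-in; later versions as a module.
    # On a WID farm the Role property reads PrimaryComputer on the primary node.
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $role = try { (Get-ADFSSyncProperties).Role } catch { "unknown (ADFS cmdlets not available)" }

    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        RunningAs    = $identity.Name
        IsLocalAdmin = $isLocalAdmin
        AdfsSyncRole = $role
    }
}
```

Run it from the same session you would use for Set-MsolAdfscontext, since the remote identity shown in the output is the one that cmdlet will present to the ADFS server; a SecondaryComputer value in AdfsSyncRole means you are pointed at the wrong node of a WID farm, and a missing Company Administrator membership is the condition that matches the error text in the original post.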

  • Hi Glenn,
    Did answers from this thread help you? Let us know if you need further assistance from us.

    Best Regards
    Martin Xu

  • Martin,

    This problem remains unresolved but is a low priority item for me given some other issues in the business.

    Our Office365 account is in transition from BPOS.  Could that explain the issue?

  • Hi Glenn,

    If your account has not been transitioned from BPOS, it would certainly explain the problem. Your admin user on BPOS will not be an admin on Office 365 until after the transition has completed. When is your account scheduled to be transitioned? If it has already been moved, has this solved the problem?

    Let me know and I will do what I can to help.

    Dave

  • That was it.  After the transition, I re-ran the process and everything worked properly.

    Guess I was just a little too eager.