
Something is wrong in my Office 365 SSO


Hi everyone,


I have deployed Office 365 Single Sign-on with Active Directory Federation Services 2.0 in conjunction with directory synchronization. The helpful reference I have used is here: http://www.microsoft.com/en-us/download/details.aspx?id=28971. In this document, Microsoft states: "Work computer on a corporate network: When users are at work and signed in to the corporate network, single sign-on enables them to access the services in Office 365 without signing in again." However, after doing some tasks, I still can achieve the objective as the statement.

My environment has two servers: a Federation server and a Synchronization server. A self-signed SSL certificate is used on the Federation server. These servers have already joined the domain.

  • Domain name: thesoldier.net
  • Federation server: fed.thesoldier.net
  • Office 365 Team site: soldier.sharepoint.com
  • Domain thesoldier.net is verified in Office 365

I have found out some tips on the Internet and done the following:

  • Enable Windows Authentication in IIS in Federation server
  • Add the site http/https://soldier.sharepoint.com to Local intranet zone in Internet Explorer.
  • Add the site https://fed.thesoldier.net to Trusted sites zone in Internet Explorer.
  • Export SSL self-signed certificate
  • Open Internet Explorer option, click Content tab > Certificates. In the Certificates windows, click Intermediate Certification Authorities and then import the SSL self-signed certificate. Repeat this step for Trusted Root Certification Authorities

However, the first time I open my Office 365 team site, I get directed to https://login.microsoftonline.com/. The username thuan@thesoldier.net is available. I just need to "Sign in at fed.thesoldier.net", and then I get redirected to the "Certificate Error: Navigation Blocked" page, where I have to click "Continue to this website (not recommended)", and then the Windows credential prompt appears. Here I type my credentials and get directed to Office 365.

The key things I want:

  1. Is there any possibility to pass the SSL self-signed certificate in Internet Explorer? This basically means end-users don't get this error page and don't have to click "Continue to this website (not recommended)".
  2. As Microsoft says, when my computer has been logged on to the domain internally on the corporate network, I don't have to type any credentials, even the first time. What I need to do is just open the Office 365 team site in Internet Explorer and my credentials will be automatically passed.

Your recommendations are greatly appreciated.


Regards,

-T.s

All Replies
  • Hi -T.s,

    I understand you have two problems about deploying SSO.

    For your first question, you can set up a corporate CA and use Group Policy to make every client trust the certificate.

    For your second question, you need to enter the user name. Then Office 365 will redirect to on-premises to authenticate the user without a password.

    Thanks,
    Ray Yang

  • Hi Ray,

    I know that. So that's why I have such a question. What's wrong with my configuration described above? What do I have to make sure of to achieve the goal: "I don't have to type a password at any time when I have already logged on to my domain-joined computer."

    Regards,

    -T.s

  • Hi -T.s,

    You add the AD FS service URL to the client browser's Local intranet site list. Then the user only needs to type the user name and the login page will redirect to the AD FS site to authenticate.

    Thanks,

    Ray Yang

  • Hi Ray,

    Is there any problem if I add AD FS to the Trusted sites zone instead of the Local intranet zone? I even added the SSL self-signed certificate to the Trusted Root Certification Authorities store.

    Regards,

    -T.s

  • Hi -T.s,

    The default setting of IE is "Automatic logon only in Intranet zone", so the AD FS site needs to be added to the Intranet zone list.

    Thanks,

    Ray Yang
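The zone mapping Ray describes can be scripted and verified rather than set by hand in the Internet Options dialog. The following PowerShell is an added example, not code from this thread or from Microsoft; it assumes the thread's AD FS host name fed.thesoldier.net and writes only the current user's ZoneMap, which IE ignores when a Site to Zone Assignment List group policy is in force (the script reports that case instead of silently doing nothing).

```powershell
# Added example (not from the thread): map the AD FS host into IE's Local intranet
# zone (zone 1) for the current user and report the zone's logon behaviour.
$AdfsHost = 'fed.thesoldier.net'   # assumption: the thread's federation server

$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# If the Site to Zone Assignment List policy is applied, per-user ZoneMap entries
# are not honoured; the mapping must come from Group Policy instead.
if (Test-Path $ZoneMapPol) {
    Write-Warning "Site to Zone Assignment List policy is active; add $AdfsHost there (zone 1)."
}

# IE stores mappings as ZoneMap\Domains\<domain>\<host label>, with one DWORD per
# URL scheme whose value is the zone number (1 = Local intranet).
$labels = $AdfsHost.Split('.')
if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$AdfsHost'." }
$domain = $labels[-2..-1] -join '.'
$key = Join-Path $IeSettings "ZoneMap\Domains\$domain"
if ($labels.Count -gt 2) {
    $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
}
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
# Only https: the AD FS endpoint should never be reached over plain http.
New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
Write-Host "Mapped https://$AdfsHost to Local intranet zone under $key"

# The zone's "Logon" setting is value 1A00 under Zones\1:
#   0x00000 = automatic logon with current user name and password
#   0x10000 = prompt for user name and password
#   0x20000 = automatic logon only in Intranet zone (IE default, as Ray describes)
#   0x30000 = anonymous logon
$zone1 = Join-Path $IeSettings 'Zones\1'
$logon = (Get-ItemProperty -Path $zone1 -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
switch ($logon) {
    0x00000 { Write-Host 'Zone 1 logon: automatic with current credentials' }
    0x20000 { Write-Host 'Zone 1 logon: automatic only in Intranet zone (default) - Windows auth will be sent' }
    0x10000 { Write-Warning 'Zone 1 logon: prompt for credentials - users will still see a prompt' }
    0x30000 { Write-Warning 'Zone 1 logon: anonymous - Windows auth will not be sent' }
    default { Write-Host 'Zone 1 logon: value not set for this user (IE default applies)' }
}
```

Run it in the user's own session (the values are under HKCU), then open a new IE window; an existing session keeps its cached zone evaluation.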

  • Hi -T.s,

    How are things going?

    If you have any other questions or concerns, please do not hesitate to contact us. It is always our pleasure to be of assistance.

    Thanks,

    Ray Yang