ADFS - getting frequently problem accessing the site

Hi Johnny,

This kind of error may be caused by several reasons. In order to narrow it down, can you please help us confirm the following information?
1.    Does the issue occur to all your federated users, no matter they’re trying to access from external computers or internal ones?
2.    Does the issue occur to IE only? How about other browsers?
3.    Does the issue occur when trying to access OWA only? Please let an administrator (who is on a federated domain) try to access the Office 365 admin portal to see if the same error occurs.
4.    When did you complete the ADFS configuration for your Office 365 organization? Did the issue occur back then?
5.    As you mentioned “frequently”, does it mean the access can work sometimes? In other words, the issue cannot be reproduced every time?

Moreover, in order to check whether the SSO service is healthy, please use the Remote Connectivity Analyzer -> Office 365 -> Office 365 General Tests -> Office 365 Single Sign-On Test to test it. At the first few lines of the test result, you’ll see the entire test is successful or failed. And if it’s failed, please provide us with the entire test result via a PM. See the PM I sent you at https://community.office365.com/user/conversations

Looking forward to your feedback.

Regards,
Allen

Hi Johnny,

Got any updates about what I mentioned above?

Thanks,
Allen

1.  Does the issue occur to all your federated users, no matter they’re trying to access from external computers or internal ones?

It happens for all users and both internal and external computers also.

2.    Does the issue occur to IE only? How about other browsers?

3.    Does the issue occur when trying to access OWA only? Please let an administrator (who is on a federated domain) try to access the Office 365 admin portal to see if the same error occurs.

4.    When did you complete the ADFS configuration for your Office 365 organization? Did the issue occur back then?

5.    As you mentioned “frequently”, does it mean the access can work sometimes? In other words, the issue cannot be reproduced every time?

1.  Does the issue occur to all your federated users, no matter they’re trying to access from external computers or internal ones?

It happens for all users and both internal and external computers also.

2.    Does the issue occur to IE only? How about other browsers?

Other browsers too.

3.    Does the issue occur when trying to access OWA only? Please let an administrator (who is on a federated domain) try to access the Office 365 admin portal to see if the same error occurs.

Yes OWA only.

4.    When did you complete the ADFS configuration for your Office 365 organization? Did the issue occur back then?

It was completed 1 or 2 years before I join this organisation.

5.    As you mentioned “frequently”, does it mean the access can work sometimes? In other words, the issue cannot be reproduced every time?

Frequently means the error we receive is frequent and every time we need to refresh the browser or reopen the browser then we will be able to login successfully. All the while we advise user to do like this.

Hi Johnny,

The RCA test is fine. It is very specific as the issue only occurs to OWA (It seems it works when accessing Office 365 portal). Given the situation, I would like to check the detail error, and try to find root cause.

1.  Open the Event Viewer. Navigate to 'Applications and Services Logs' -> 'AD FS ' -> Admin. 
2.  In the 'View' menu, using 'Add/Remove Columns...', add the 'Correlation Id' column. 
3.  Look up the reference number '913fea31-0b87-4987-8c33-2d975595e707' in the 'Correlation Id' column.
If you can find the detailed event logs, please post here for checking.

Regards,
Johnny Zhang

hi johnny,

it might be sso\token lifetime related, which times out your session and requires reauthentication.

did you check the sso\token lifetime?

first navigate to "edit federation service properties" using adfs mmc, and check your webssolifetime (represented in minutes) .

second, check the relying party for token lifetime, using adfs powershell (open powershell console and run "add-pssnapin microsoft.adfs.powershell" )

to view the current token lifetime, run the command:

get-adfsrelyingpartytrust -name "relying_party"

to set it, use:

set-adfsrelyingpartytrust -targetname "relying_party" -tokenlifetime (time in minutes)

*max lifetime is 480 minutes (8 hours) . 

hope this helps,

maor bracha

We have 3 ADFS server and 3 ADFS Proxy server. Which server do I need to verify the above?

If I run the command Get-ADFSRelyingPartyTrust -Name "relying_party" in ADFS server , nothing is shown. no error or no information as in the screen shot u shown.

You would be making the changes on your primary ADFS server (the first one installed).

As for the shell command, did you make sure to replace "relying_party" with the actual name of your relying party trust?

Try running Get-ADFSRelyingPartyTrust , do you get any result? If so, locate the one for your Office 365 services and copy it's identity\name and run the command as described above. If you get no results by running Get-ADFSRelyingPartyTrust please verify that you imported the ADFS module.

Hi Johnny,

I have checked what you provided in the private message, and your single sign-on test went successfully. I'd like to confirm whether the issue still exists or not. Please let us know if it does.

Thanks,
Allen