Office 365 - AD FS Authentication Fails Due To Time Skew - Perficient Blogs
Blog
  • Topics
  • Industries
  • Partners

Explore

Topics

Industries

Partners

Office 365 – AD FS Authentication Fails Due To Time Skew

I’ve run across this issue enough times now that I figured it was worth a short post. It’s a quick reminder to always check the simple things.
On several occasions I’ve found AD FS environments where authentication via the internal AD FS servers works but authentication via the AD FS proxy does not. With this statement, it’s also important to remember that the Outlook client authentication is proxied by Exchange Online via the AD FS proxy, even when on the internal network.
When attempting to authenticate via the proxy, you might be greeted with the error below:

    There was a problem accessing the site.  Try to browse to the site again. If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

You can pull Office 365 out of the mix by trying to access the following URL from an external machine.

    https://sts.company.com/adfs/ls/IdpInitiatedSignon.aspx

If you receive the error above instead of being prompted to sign in, it’s time to start looking at event logs on the AD FS servers.
Looking at the event logs on the proxy, you might find an event ID 364:

While this error can be caused by a number of different things, one of them is time skew between the AD FS proxy and the AD FS internal server.
Given that the AD FS proxy resides in a DMZ network and is not domain joined, it’s not uncommon to find that the server does not have the same time sync configuration as an internal server might; in many cases, I’ve found that it has no time sync configured at all. On virtualized platforms, the platform’s respective client-side tools usually have time sync settings in them that come into play as well.
Of the possible resolutions for event ID 364, checking the time is surely the quickest. So give those clocks (both time & time zone) a quick check!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to the Weekly Blog Digest:

Sign Up

Categories