SOLVED Office 365 Connector: SSO Error: File does not exit

Apps & App Center
,
#1

After installation of Office 365 Connector and meticulously following the step by step instructions of the wizard without errors, a testuser account with UCS Office 365 activated was synced to the Azure AD.

But login of said testuser in MS Office 365 via UCS Portal results in the following error message:

AADSTS50107: Requested federation realm object ‘https://ucs-sso.intern.izt.de/simplesamlphp/saml2/idp/metadata.php’ does not exist.

while, if I browse manualy to the page mentioned in the error message it exists and shows xml content.

Because of this bug report: Office 365 Connector we deleted the UVS 365 App in the Office 365 Cloud and did all steps again, also without errors. But the problem persists.

Any hints how to solve this problem?

Gregor

Azure redirects to ucs-sso
#2

This is from /var/log/univention/management-console-module-office365.log:

19.11.19 16:51:43.608 MODULE ( PROCESS ) : Loading python module.
19.11.19 16:51:43.826 MODULE ( PROCESS ) : Imported python module.
19.11.19 16:51:43.826 MODULE ( PROCESS ) : Module instance created.
19.11.19 16:51:43.827 MODULE ( PROCESS ) : Module socket initialized.
19.11.19 16:51:43.848 MODULE ( PROCESS ) : Setting user LDAP DN u’uid=Administrator,cn=users,dc=intern,dc=izt,dc=de’
19.11.19 16:51:43.848 MODULE ( PROCESS ) : Setting auth type to None
19.11.19 16:51:43.848 MODULE ( PROCESS ) : Initializing module.
19.11.19 17:00:29.109 PARSER ( WARN ) : Attribute status just available for MIME type application/json
19.11.19 17:03:46.848 PARSER ( WARN ) : Attribute status just available for MIME type application/json
19.11.19 17:08:45.214 PARSER ( WARN ) : Attribute status just available for MIME type application/json
19.11.19 17:08:48.203 MODULE ( PROCESS ) : Retrieved list of users: {u’odata.metadata’: u’https://graph.windows.net/aa30

19.11.19 17:18:47.949 MAIN ( WARN ) : Shutting down all open connections
19.11.19 17:19:12.682 DEBUG_INIT
19.11.19 17:19:13.667 MODULE ( PROCESS ) : Loading python module.
19.11.19 17:19:13.813 MODULE ( PROCESS ) : Imported python module.
19.11.19 17:19:13.813 MODULE ( PROCESS ) : Module instance created.
19.11.19 17:19:13.813 MODULE ( PROCESS ) : Module socket initialized.
19.11.19 17:19:13.859 MODULE ( PROCESS ) : Setting user LDAP DN u’uid=Administrator,cn=users,dc=intern,dc=izt,dc=de’
19.11.19 17:19:13.859 MODULE ( PROCESS ) : Setting auth type to None
19.11.19 17:19:13.860 MODULE ( PROCESS ) : Initializing module.
19.11.19 17:19:13.860 PARSER ( WARN ) : Attribute status just available for MIME type application/json
19.11.19 17:29:14.377 MAIN ( WARN ) : Shutting down all open connections

#3

The error on the MS login page is usually an indicator that the Powershell script the wizard generates has not been executed successfully on a Windows PC. You can open the wizard again and directly go to the page with the download link and instructions on how to run the script.
After the script has been executed, the DNS domain configured in the wizard should be shown as ‘Federated’ in the Azure AD.

#4

Hello, damrose,

I have exactly the same problems, but in my case they occur after running the PowerShell command and it ended without any error messages.

Any other ideas

Thank you in advance

#5

here are the log Information from /var/log/univention/management-console-module-office365.log

21.11.19 12:09:47.802 DEBUG_INIT
21.11.19 12:09:48.226 MODULE ( PROCESS ) : Loading python module.
21.11.19 12:09:48.296 MODULE ( PROCESS ) : Imported python module.
21.11.19 12:09:48.296 MODULE ( PROCESS ) : Module instance created.
21.11.19 12:09:48.296 MODULE ( PROCESS ) : Module socket initialized.
21.11.19 12:09:48.298 MODULE ( PROCESS ) : Setting user LDAP DN u’uid=Administrator,cn=users,dc=schule-gebenstorf,dc=ch’
21.11.19 12:09:48.298 MODULE ( PROCESS ) : Setting auth type to None
21.11.19 12:09:48.298 MODULE ( PROCESS ) : Initializing module.
21.11.19 12:09:48.298 PARSER ( WARN ) : Attribute status just available for MIME type application/json
21.11.19 12:19:48.815 MAIN ( WARN ) : Shutting down all open connections

#6

Thanks. You are right: In Azure Active Directory admin center under Custom domain names our domains show up as verified, the UCS domain not as primary, but none of them as federated.
Therefore I rerun the Powershell script. It informed me:
WARNUNG: Version 1.1.183.17 des Moduls “MSOnline” ist bereits auf “C:\Program Files\WindowsPowerShell\Modules\MSOnline\1.1.183.17” installiert. Um Version 1.1.183.57 zu installieren, führen Sie Install-Module aus und fügen den -Force-Parameter hinzu. Durch diesen Befehl werden Version 1.1.183.57 und Version 1.1.183.17 parallel installiert.

I used this Parameter and there were no further Warnings or Error messages. But sadly the domains are still not federated. When loging of said testuser in MS Office 365 via UCS Portal the very same error message is shown:

AADSTS50107: Requested federation realm object ‘https://ucs-sso.intern.izt.de/simplesamlphp/saml2/idp/metadata.php’ does not exist.

Any further ideas?

#7

What is the output when running the powershell script? If it works, the UCS domain should be shown as federated - that is the task the script does. If it does not work, there should be an error message when running the script.

#8

thanks. As far as I remember there was no output at all. I’m sure that

Is there any way of debugging this problem?

#9

I would check the Federation settings via powershell. You said there was no error when running the script, so the following commands executed in a powershell to debug the azure settings. It should show the azure DNS domain as federated:

Connect-MsolService
Get-MsolDomain
Get-MsolDomainFederationSettings -DomanName <azure-dnsdomain>

If the the domain is not shown as federated, open the batch script created by the UMC Office365 Setup wizard and execute each command manually in a powershell session.

#10

The wrong domain was marked as primary.

I did so, the main command gave an error:

PS C:\Users\Administrator.IZT-DOMAIN> Set-MsolDomainAuthentication -DomainName “izt.de” -FederationBrandName “UCS” -Authentication Federated -ActiveLogOnUri “https://ucs-sso.intern.izt.de/simplesamlphp/saml2/idp/SSOService.php” -PassiveLogOnUri “https://ucs-sso.intern.izt.de/simplesamlphp/saml2/idp/SSOService.php” -SigningCertificate “<<>>” -IssuerUri “https://ucs-sso.intern.izt.de/simplesamlphp/saml2/idp/metadata.php” -LogOffUri “https://ucs-sso.intern.izt.de/simplesamlphp/saml2/idp/SingleLogoutService.php?ReturnTo=/univention/” -PreferredAuthenticationProtocol SAMLP;

Set-MsolDomainAuthentication : You cannot remove this domain as the default domain without replacing it with another
default domain. Use the the Set-MsolDomain cmdlet to set another domain as the default domain before you delete this
domain.
In Zeile:1 Zeichen:1

  • Set-MsolDomainAuthentication -DomainName “izt.de” -FederationBrandNam …

A college found this post: https://www.peppercrew.nl/index.php/2019/07/set-msoldomainauthentication-you-cannot-remove-this-domain-as-the-default-domain-without-replacing-it-with-another-default-domain/

I therefore switched the primary domain in Azure Active Directory admin center under Custom domain names: Now the domain name provided by microsoft is marked as primary.

After that the script gave no error messages any more and I was able to log into Office 365 Webinterface as a user whos account is UCS Office 365 activated.

Thanks, Eric, for your support.

Mastodon