AAAAAAH….this is not a typical reaction I have when setting up things, but this one was driving me nuts. Let me explain…
Story so far…
I was asked to help a company with the implementation of Single Sign-on (SSO) between their on-premises environment and Office 365. During the installation and configuration phase of the ADFS 2.0 servers we ran into an error that drove me nuts. This process should be fairly easy. To help you through this process of deploying SSO, there are tons of guides to be found on the interwebs to set up SSO for your Office 365 services. Just check it out. I like this one in particular.In short: to create a federated connection with Office 365 in the cloud you have to do a couple of things:
- Get an Enterprise CA Certificate
- Configure Office 365
- Install and configure ADFS 2.0
- Install and configure DirSync
After the setup of ADFS 2.0 you will come across the Microsoft Online Services and connecting to them and then converting your registered Office 365 domain to a federated domain;
Keep in mind:I’m doing this from the ADFS server itself, so no need for the Set-MsolADFSContext –Computer cmdlet.Note:I’m using another DNS domain name in the commands below to protect the innocent.
First Connecting:
Connect-MSOLService
Then the update cmdlet:
Update-MSOLFederatedDomain -DomainName contosogirls.com -SupportMultipleDomain
The Problem
When everything goes well, no output will be generated. But in this case it gave me the following output:
Convert-MsolDomainToFederated -DomainName contosogirls.com -SupportMultipleDomain
Convert-MsolDomainToFederated : Service not available
At line:1 char:30+ Convert-MsolDomainToFederated <<<< -DomainName conotosogirls.com -supportMultipleDomain
+ CategoryInfo : InvalidOperation: (:) [Convert-MsolDomainToFederated], FederationException
+ FullyQualifiedErrorId : InternalError,Microsoft.Online.Identity.Federation.Powershell.ConvertDomainToFederated
Since I was not the one who configured the Office 365 domain and there seemed to be a problem with the Office 365 authentication service, I assumed there was a problem with the services. I tried again after the weekend and was surprised to get the same result. So I guess it’s true what they say about assuming things.
Note:You can check the status of Office 365 services when you log into the Office 365 admin center
After checking everything, and I mean going over the entire installation up until the error, I still could not find any reason for this not to work. So I called Microsoft. The technician went over the process and after consulting with his colleagues a couple of times, came up with the suggestion of checking the account settings of the account we used to login into Office 365 with the Connect-MSOLService cmdlet. Explicitly we needed to check the password expiration policy.
Solution
After the suggestion to set the value for Days before passwords expire: to 90 instead of 730 running the Update-MSOLFederatedDomain cmdlet gave no trouble whatsoever. Setting up DirSync went like a breeze and Single Sign On is actually quite sexy…
Keep in mind:I was not the one who configured Office 365 for this scenario or thought these settings were a good idea
Concluding
It’s strange the password expiration policy affects converting a domain and the PowerShell output is cryptic. I hope this helps in case you run into the same situation I did. This is how I did it…