Authenticated CloudAccess users getting "AADSTS50107" error accessing Office 365 after logging into CloudAccess despite no changes occurring

  • 7016910
  • 16-Oct-2015
  • 30-Aug-2017

Environment

NetIQ Cloud Access 2.2
Office 365 Connector Installed

Situation

CloudAccess 2.2 was set up with Office 365 and working: users could log in to CloudAccess and single sign-on to their Office 365 domain, with access to the authorized applications. One morning users could no longer SSO to Office 365, although they could still log in to CloudAccess. No configuration changes had been made on the CloudAccess side, and provisioning was still working, i.e. new users added to the CloudAccess user store appeared in Office 365.

The error reported by users when accessing Office 365 appmarks was:
Sorry, but we’re having trouble signing you in.

We received a bad request.

Additional technical information:

Correlation ID: 25d28609-a823-441d-90e9-455727026e56
Timestamp: 2015-10-15 02:18:36Z
AADSTS50107: Requested federation realm object 'https://<$Your_CloudAccess_uri>' does not exist.


All the information returned by Get-MsolDomainFederationSettings for the federated domain was still accurate, including the IssuerUri pointing at the CloudAccess appliance.

Resolution

Using the Office 365 PowerShell module, change the domain's IssuerUri from .../wsfed/metadata to .../wsfed/metadata1 with Set-MsolDomainFederationSettings, allow a minute to synchronise, then change it back to the original .../wsfed/metadata value.

This appears to be an issue on the Microsoft side that others have encountered: https://social.msdn.microsoft.com/Forums/fr-FR/43315024-2016-42b5-9895-471e498a7072/aadsts50107-error-what-does-it-mean?forum=WindowsAzureAD

More detailed example:

1) Go to the Windows "helper" box used by the Office 365 connector.

2) There should be a shortcut for "Windows Azure Active Directory Module for Windows PowerShell". Open it.

3) From the PS prompt, type:
"Connect-MsolService"

4) Enter your Office 365 admin credentials in the pop-up window.

5) Once authenticated (the prompt simply returns), view the current settings with the command:
"Get-MsolDomainFederationSettings -DomainName <mydomain>"   (replace <mydomain> with the domain registered with Office 365)
This shows the current settings. Note the exact IssuerUri value; you will need it unchanged in step 9.

6) To (temporarily) change the setting, issue the command:
"Set-MsolDomainFederationSettings -DomainName <mydomain> -IssuerUri https://mycloud.system/osp/a/t1/auth/wsfed/metadata1"
(Basically, keep the value that is there and append "1" at the end.)
** Substitute <mydomain> with your Office 365 domain and mycloud.system with the FQDN of your CloudAccess appliance.

7) Verify the change took with the "Get-MsolDomainFederationSettings" command again.

8) Depending on how busy the O365 systems are, you may have to wait a few minutes for this setting to take effect. Allow 5-10 minutes to be certain.

9) Change the IssuerUri back to the original value recorded in step 5:
"Set-MsolDomainFederationSettings -DomainName <mydomain> -IssuerUri https://mycloud.system/osp/a/t1/auth/wsfed/metadata"

10) It may take a few more minutes for the Office 365 service to synchronise the setting back to the original value, after which users should be able to log in.
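The same procedure as one script, added here as an example and not part of the original TID or of NetIQ's product. It runs on the Windows helper box with the MSOnline module the steps above use, reads the current IssuerUri instead of retyping it, and restores it in a finally block so a failure partway through cannot leave the domain pointing at the temporary value. The domain name, the settle time and the Wait-IssuerUri helper are assumptions for illustration.

```powershell
# Added example (not from the original TID): toggle the federation IssuerUri for
# an Office 365 domain to make Azure AD refresh the federation realm, then put
# the original value back. Assumes the MSOnline ("Windows Azure Active Directory
# Module for Windows PowerShell") module on the helper box, as in the steps above.
param(
    [Parameter(Mandatory = $true)]
    [string] $DomainName,          # your Office 365 federated domain, e.g. contoso.com (placeholder)
    [int] $SettleSeconds = 600     # 5-10 minutes per step 8; assumed default
)

Import-Module MSOnline
Connect-MsolService                # prompts for Office 365 admin credentials (step 4)

# Step 5: read the current settings and keep the exact original IssuerUri.
# A typo when retyping it in step 9 would break federation for every user,
# so the value is captured here and reused verbatim.
$before      = Get-MsolDomainFederationSettings -DomainName $DomainName
$originalUri = $before.IssuerUri
if (-not $originalUri) {
    throw "No IssuerUri returned for $DomainName; is the domain federated?"
}
Write-Host "Current IssuerUri: $originalUri"

# Step 6: temporary value is the original with '1' appended
# (.../wsfed/metadata -> .../wsfed/metadata1).
$tempUri = $originalUri + "1"

# Helper (assumed, not a NetIQ or Microsoft cmdlet): re-read the setting until
# it matches the expected value or the timeout expires (steps 7 and 10).
function Wait-IssuerUri {
    param([string] $Domain, [string] $Expected, [int] $TimeoutSeconds)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $current = (Get-MsolDomainFederationSettings -DomainName $Domain).IssuerUri
        if ($current -eq $Expected) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

try {
    Set-MsolDomainFederationSettings -DomainName $DomainName -IssuerUri $tempUri
    if (-not (Wait-IssuerUri -Domain $DomainName -Expected $tempUri -TimeoutSeconds $SettleSeconds)) {
        Write-Warning "Temporary IssuerUri not visible after $SettleSeconds seconds; restoring anyway."
    } else {
        # Step 8: give the service time to settle on the temporary value.
        Write-Host "Temporary IssuerUri set; waiting $SettleSeconds seconds for it to take effect."
        Start-Sleep -Seconds $SettleSeconds
    }
}
finally {
    # Step 9: always restore the original value, even if the temporary change
    # failed, otherwise users stay locked out of Office 365.
    Set-MsolDomainFederationSettings -DomainName $DomainName -IssuerUri $originalUri
    if (Wait-IssuerUri -Domain $DomainName -Expected $originalUri -TimeoutSeconds $SettleSeconds) {
        Write-Host "IssuerUri restored to $originalUri; have a user retest SSO to Office 365."
    } else {
        Write-Warning "IssuerUri is still not $originalUri; check Get-MsolDomainFederationSettings manually."
    }
}
```

Run it as `.\Toggle-IssuerUri.ps1 -DomainName <mydomain>` from the module's PowerShell window. Before starting, confirm that `Get-MsolDomainFederationSettings` shows the IssuerUri you expect for your CloudAccess appliance, since the script restores whatever value it finds, not a hard-coded one.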