Office 365 Integration: Can't convert the domain to Federation: Set-MsolDomainAuthentication PowerShell cmdlet fails



# Configure Office 365 SSO
# Prompt for the administrator's credentials
$cred = Get-Credential
Connect-MsolService -Credential $cred
$domain = "kmautheval.cf"
$issuer = "https://ExampleIdentityProvider"
$ssoUrl = "https://localhost:44313/SAML/SingleSignOnService"
$logoffUrl = "https://localhost:44313/SAML/SingleLogoutService"
$cert = "<signing certificate string>"
Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName $domain -Authentication federated -PreferredAuthenticationProtocol SAMLP -IssuerUri $issuer -SigningCertificate $cert -PassiveLogOnUri $ssoUrl -LogOffUri $logoffUrl -Verbose



When I put those in a .ps1 file (office365.ps1) and run the script, I see the last command fails:

PS C:\Windows\system32> .\office365.ps1

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At C:\Windows\system32\office365.ps1:24 char:1
+ Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Adm
inistration.Automation.SetDomainAuthentication

PS C:\Windows\system32>


I have the domain “kmautheval.cf” at Office365 as being ‘Verified’ in ‘Managed’ mode. All I wanted to do is to convert it to Federated mode so I can add users and test SSO.

Can you please advise why this command fails saying Try Again Later?

Unfortunately the “Unable to complete this action. Try again later” error can occur for any number of reasons.
Please double check that the certificate string is correct.
What do you see when you run the following?

$cred=Get-Credential
Connect-MsolService -Credential $cred

$domain = "kmautheval.cf"
Get-MsolDomainFederationSettings -DomainName $domain


Thank you.
I checked the certificate string; it appears correct to me, but I have no visibility (debugging-wise) as to how the Office365 end is treating the supplied SSO params through this command.

I had run the commands you advised, and “Get-MsolDomainFederationSettings” displays nothing:

PS C:\Windows\system32> $cred=Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Windows\system32> Connect-MsolService -Credential $cred
PS C:\Windows\system32>
PS C:\Windows\system32> $domain = "kmautheval.cf"
PS C:\Windows\system32> Get-MsolDomainFederationSettings -DomainName $domain
PS C:\Windows\system32> echo $domain
kmautheval.cf
PS C:\Windows\system32> echo $cert
[base64 certificate string omitted]
PS C:\Windows\system32>
PS C:\Windows\system32> echo $ssoUrl
https://localhost:44313/SAML/SingleSignOnService
PS C:\Windows\system32> Get-MsolDomain

Name                    Status      Authentication
----                    ------      --------------
kmautheval.cf           Verified    Managed
kmauth.onmicrosoft.com  Verified    Managed
kmautheval.com          Unverified  Federated


PS C:\Windows\system32>



Any way to find a more specific reason?

I appreciate your time and help on this.

Unfortunately the Office 365 error messages are cryptic at best. I’m not aware of a way to get more specific information.
I know that Office 365 restricts the issuer to a single domain and you are using the same issuer name of “https://ExampleIdentityProvider” that we use.
However, if the issuer is already defined for a domain, an “Unable to convert the domain. The settings you selected are already in use.” error should occur.
I suggest trying different values for the Set-MsolDomainAuthentication parameters.
If this is a test domain and you’re prepared to share the login credentials, I could take a look.
If so, please email these to support@componentspace.com mentioning your forum post.
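
An added example (not part of the original thread, and not ComponentSpace's or Microsoft's code): a local pre-flight check for the two points raised in the replies above, that the certificate string is correct and that the issuer is not already in use on a domain. The parameter names `$CertBase64` and `$IssuerUri` are assumptions; the script presumes `Connect-MsolService` has already been run and can only see domains in the connected tenant.

```powershell
# Added example: checks to run before Set-MsolDomainAuthentication.
# Assumes Connect-MsolService has already been run in this session.
param(
    [Parameter(Mandatory)] [string] $CertBase64,  # same string passed as -SigningCertificate
    [Parameter(Mandatory)] [string] $IssuerUri    # same value passed as -IssuerUri
)

# 1. The string should be the bare base64 of an X.509 certificate, without PEM armor.
if ($CertBase64 -match '-----(BEGIN|END)') {
    throw 'Certificate string contains PEM BEGIN/END lines; pass only the base64 body.'
}
try {
    $bytes = [Convert]::FromBase64String(($CertBase64 -replace '\s', ''))
    $x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes)
} catch {
    throw "Certificate string does not parse as an X.509 certificate: $($_.Exception.Message)"
}

# 2. Show which certificate would be trusted as the IdP signing key and flag validity problems.
$now = Get-Date
[pscustomobject]@{
    Subject        = $x509.Subject
    Thumbprint     = $x509.Thumbprint
    NotBefore      = $x509.NotBefore
    NotAfter       = $x509.NotAfter
    CurrentlyValid = ($now -ge $x509.NotBefore -and $now -le $x509.NotAfter)
    HasPrivateKey  = $x509.HasPrivateKey   # a public certificate blob should report False
} | Format-List

# 3. Look for the same issuer already set on a federated domain in this tenant.
#    Domains in other tenants are not visible from here.
Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' } | ForEach-Object {
    $settings = Get-MsolDomainFederationSettings -DomainName $_.Name
    if ($settings -and $settings.IssuerUri -eq $IssuerUri) {
        Write-Warning "IssuerUri '$IssuerUri' is already configured on domain $($_.Name)."
    }
}
```

Compare the thumbprint printed in step 2 with the one shown for the identity provider's signing certificate, so that the tenant ends up trusting the key you intended.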