“Your organization could not sign you in to this service” error and “80041317” or “80043431” error code when a federated user tries to sign in to Office 365.
Resolution: Missing / at the end of the Federation Service Identifier.
I recently had the token-decryption and token-signing certificates expire on our Active Directory Federation Services (ADFS) server and was getting an error that stopped on the ADFS URL while logging into Office 365 services.
After renewing the certificate with these instructions – http://support.microsoft.com/kb/2383983/en-us
To renew the token-signing certificate on the primary AD FS 2.0 server by using a self-signed certificate, follow these steps:
1. In the same AD FS 2.0 management console, click Service, click Certificates, and then, under Certifications in the Actions pane, click Add Token-Signing Certificate.
2. If a “Certificates cannot be modified while the AD FS automatic certificate rollover feature is enabled” warning appears, go to step 3. Otherwise, check the certificate Effective and Expiration dates. If the certificate is successfully renewed, you don’t have to perform steps 3 and 4.
3. If the certificate isn’t renewed, click Start, point to All Programs, click Accessories, click the Windows PowerShell folder, right-click Windows PowerShell, and then click Run as administrator.
4. At the Windows PowerShell command prompt, enter the following commands. Press Enter after you enter each command:
   Update-ADFSCertificate -CertificateType: Token-Signing
Then update the configuration of the Office 365 federated domain – http://support.microsoft.com/kb/2647048/en-us
To update the configuration of the Office 365 federated domain on a domain-joined computer that has Windows Azure Active Directory Module for Windows PowerShell installed, follow these steps:
1. Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
2. At the command prompt, type the following commands, and press Enter after each command:
   $cred = Get-Credential
   Note: When you’re prompted, enter your Office 365 administrator credentials.
   Connect-MsolService -Credential $cred
   Set-MSOLADFSContext -Computer:<AD FS 2.0 Server Name>
   Note: In this command, the placeholder <AD FS 2.0 Server Name> represents the Windows host name of the primary AD FS 2.0 server.
   Update-MSOLFederatedDomain -DomainName:<Federated Domain Name>
   Update-MSOLFederatedDomain -DomainName:<Federated Domain Name> -SupportMultipleDomains
   Using the -SupportMultipleDomains switch is required when multiple top-level domains are federated by using the same AD FS 2.0 federation service.
   In these commands, the placeholder <Federated Domain Name> represents the name of the domain that is already federated with Office 365 for SSO.
I was still getting the error above.
After some frantic Google searching, I found this article – http://community.office365.com/en-us/forums/613/t/63027.aspx
Near the bottom a user describes adding a slash (/) to the end of the Federation Service identifier.
Left-click AD FS 2.0, left-click “Edit Federation Service Properties…”, and add a / to the end of the Federation Service identifier.
Then rerun “Update-MSOLFederatedDomain -DomainName:<Federated Domain Name>” from PowerShell.
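Office 365 compares the issuer in the AD FS token against the identifier it stored exactly, so a missing slash or a stale signing certificate fails every federated sign-in. The script below is an added check, not from the post or the Microsoft KBs: run on the primary AD FS 2.0 server, it flags an identifier without a trailing slash, warns on an expired or soon-to-expire primary token-signing certificate, pushes the settings to Office 365, and prints both sides with Get-MsolFederationProperty for comparison. It assumes the AD FS 2.0 snap-in and the MSOnline module are installed; the domain name and the multiple-domain switch are parameters you supply.

```powershell
# Added check script (assumption: primary AD FS 2.0 server, MSOnline module present).
param(
    [Parameter(Mandatory=$true)] [string] $FederatedDomain,   # e.g. your federated domain name
    [switch] $SupportMultipleDomains                            # same meaning as the KB switch
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 cmdlets
Import-Module MSOnline

# 1. Federation Service identifier: Office 365 expects the trailing slash.
$identifier = [string](Get-ADFSProperties).Identifier
if (-not $identifier.EndsWith('/')) {
    Write-Warning ("Federation Service identifier '$identifier' has no trailing slash " +
                   "(80041317/80043431 symptom). Fix it under 'Edit Federation Service Properties...' and rerun.")
}

# 2. Primary token-signing certificate: the Certificate property is the X509Certificate2.
$signing  = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$daysLeft = ($signing.Certificate.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    Write-Warning "Primary token-signing certificate expired on $($signing.Certificate.NotAfter)"
} elseif ($daysLeft -lt 30) {
    Write-Warning "Primary token-signing certificate expires in $daysLeft days"
}

# 3. Push the current AD FS settings (identifier and certificates) to Office 365.
$cred = Get-Credential   # Office 365 administrator
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $env:COMPUTERNAME
if ($SupportMultipleDomains) {
    Update-MsolFederatedDomain -DomainName $FederatedDomain -SupportMultipleDomains
} else {
    Update-MsolFederatedDomain -DomainName $FederatedDomain
}

# 4. Show what AD FS and Office 365 now hold; issuer URI and signing thumbprint must match.
Get-MsolFederationProperty -DomainName $FederatedDomain
```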