Connection error to nexus.microsoftonline-p.com

  • Question

  • We've Office 365 services (EOP and OneDrive). All seems to work fine, but we have this warning:

    The Federation Service encountered an error while retrieving the federation metadata document from 'https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml'. The monitoring for the following trusts failed:

    Claims providers:  

    Relying parties:

    Microsoft Office 365 Identity Platform

    What is the problem? What are the consequences of this warning?

    Tuesday, May 30, 2017 9:40 AM

Answers

  • Well, yes. It might prevent the trust from working properly. On the other hand, you are currently not monitoring it. So unchecking the checkbox doesn't change anything for you, it just removes the error message.

    And even if you have it checked, you need the second checkbox to also be checked if you want the changes from the metadata of the RP to be applied to your trust configuration automatically.

    Also, I am not aware of a change made on the metadata of Azure AD which has broken the trust with ADFS. However, it is possible...

    You could use Azure AD Connect Health to monitor your on-prem ADFS environment. It would help you to detect those changes. Although it would require that the ADFS node can talk to OMS online, so it needs direct or indirect (but then you need to configure it) Internet connectivity: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-adfs


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Thursday, June 1, 2017 1:19 PM
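The two checkboxes discussed in this answer correspond to the MonitoringEnabled and AutoUpdateEnabled properties of the relying party trust. The following PowerShell, added here as an example and not taken from the thread, reads those properties for the Office 365 trust named in the warning, tests whether the AD FS node itself can fetch the metadata document (the proxy address is a placeholder), and shows the two settings an administrator can choose between. It assumes an elevated session on an AD FS server with the ADFS module available.

```powershell
# Added example: inspect federation-metadata monitoring on the Office 365
# relying party trust. Run as an administrator on an AD FS server.
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'   # trust name from the warning
$rp = Get-AdfsRelyingPartyTrust -Name $rpName

# First checkbox = MonitoringEnabled (poll the metadata URL for changes).
# Second checkbox = AutoUpdateEnabled (apply detected changes to the trust).
$rp | Select-Object Name, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled,
                    LastMonitoredTime, LastUpdateTime | Format-List

# Can this node reach the metadata document at all? Set $proxy if AD FS has
# to go out through an HTTP proxy (placeholder address, assumption).
$proxy = $null   # e.g. 'http://proxy.example.local:8080'
try {
    $params = @{ Uri = $rp.MetadataUrl; UseBasicParsing = $true; TimeoutSec = 30 }
    if ($proxy) { $params.Proxy = $proxy }
    $resp = Invoke-WebRequest @params
    [xml]$md = $resp.Content
    Write-Host ("Metadata reachable; entityID = {0}" -f $md.EntityDescriptor.entityID)
} catch {
    Write-Warning "Cannot retrieve federation metadata: $($_.Exception.Message)"
}

# Option A: keep monitoring so changes on the other side are reported
# (LastMonitoredTime/LastUpdateTime above), but do not apply them unreviewed.
# Set-AdfsRelyingPartyTrust -TargetName $rpName -MonitoringEnabled $true -AutoUpdateEnabled $false

# Option B: node has no Internet path and you accept not tracking metadata
# changes, so disable monitoring and the event stops (as the reply suggests).
# Set-AdfsRelyingPartyTrust -TargetName $rpName -MonitoringEnabled $false
```

Either Set-AdfsRelyingPartyTrust line is left commented so the script only reports until you uncomment the option you want.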

All replies

  • This is because you have the monitoring enabled on the relying party trust properties:

    This is a feature which enables you to detect that there were changes on the other side of the trust. Obviously, it requires Internet connectivity to work (either directly, or using an HTTP proxy). If you cannot or don't want to use the metadata monitoring, you can uncheck it.



    Thursday, June 1, 2017 2:06 AM
  • If we uncheck it... is there any impact? What happens if there are changes on the other side of the trust?
    Thursday, June 1, 2017 10:50 AM