
KB-4467: Users are unable to login to Office 365 via Centrify SSO - Error 8004786C

Centrify Identity Service, App Edition; Centrify Identity Service, App Plus

3 March,17 at 04:21 PM

Applies to: Centrify Identity Service



Problem:

Users attempting to sign in to Office 365 see the following error in the Microsoft web portal:
 
"Sorry, but we’re having trouble signing you in. 

Please try again in a few minutes. If this doesn’t work, you might want to contact your admin and report the following error:
8004786C"



Cause:

This error (8004786C) is typically caused by a mismatch between the UserPrincipalName (UPN) suffix of the Active Directory account and the Office 365 federated domain name. Microsoft requires the on-premises Active Directory account UPN suffix to match the federated Office 365 domain suffix in order for Directory Synchronization and SSO functionality to work.

Note: The error code may also show after migrating from Azure Active Directory Connect (formerly DirSync) and/or ADFS to Centrify when the user has not been provisioned by Centrify yet.


The example below shows a configuration where the UPN suffix for an AD user account does not match the Office 365 domain:
  • AD User Account UPN: joe.user@mobsupport1.com
  • Office 365 federated domain: acme.com 


Solution:

Update the UPN suffix of the on-premises AD user account to match the federated domain in Office 365. Administrators may need to add an alternate UPN suffix to associate with an Active Directory user. Adding an alternate UPN suffix allows users to log in to Active Directory using any available domain suffix.

Be sure to review the complete Office 365 deployment checklist for Active Directory in Centrify Online Help for more information.

After setting the user account UPN suffix to match the federated Office 365 domain, user login to the Office 365 portal should complete successfully. 


How to add an alternate UPN suffix in Active Directory:
  1. On the on-premises Active Directory domain controller, click Start, point to All Programs, click Administrative Tools, and then click Active Directory Domains and Trusts.
  2. Right-click the root node of Active Directory Domains and Trusts, select Properties, and then make sure that the domain name that's used for SSO is present.


How to update the Active Directory user account to use the alternate UPN suffix:
  1. On the on-premises Active Directory domain controller, click Start, point to All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Locate the problem user account, right-click the account, and then click Properties.
  3. On the Account tab, use the drop-down list in the upper-left corner to change the UPN suffix to the custom domain, and then click OK.

Example of correct AD user account configuration:
  • AD User Account UPN: joe.user@acme.com
  • Office 365 federated domain: acme.com
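
The two GUI procedures above can also be carried out from PowerShell. The script below is an added example, not part of the original Centrify article; it assumes the RSAT ActiveDirectory module is installed and uses the article's sample domains (mobsupport1.com and acme.com) as stand-ins for your own.

```powershell
# Added example: audit and correct UPN suffixes that do not match the
# Office 365 federated domain. Domain names are the article's sample values.
Import-Module ActiveDirectory

$FederatedDomain = 'acme.com'         # Office 365 federated domain
$OldSuffix       = 'mobsupport1.com'  # UPN suffix currently on the accounts

# 1. Register the federated domain as an alternate UPN suffix if needed.
#    AD domain DNS names are implicitly valid suffixes and are not listed
#    in UPNSuffixes, so check both before adding.
$forest = Get-ADForest
$known  = @($forest.UPNSuffixes) + @($forest.Domains)
if ($known -notcontains $FederatedDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $FederatedDomain }
}

# 2. List accounts whose UPN still ends in the mismatched suffix.
$mismatched = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                         -Properties UserPrincipalName

foreach ($user in $mismatched) {
    $localPart = ($user.UserPrincipalName -split '@')[0]
    $newUpn    = "$localPart@$FederatedDomain"

    # 3. A UPN must be unique in the forest; skip and report collisions
    #    instead of overwriting. Single quotes are doubled for the filter.
    $escaped = $newUpn.Replace("'", "''")
    if (Get-ADUser -Filter "UserPrincipalName -eq '$escaped'") {
        Write-Warning "Skipping $($user.SamAccountName): $newUpn already in use"
        continue
    }

    # 4. -WhatIf prints the change without applying it. Remove it once the
    #    list has been reviewed.
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf
}
```

Changing a UPN changes the name the user signs in with, so review the -WhatIf output and notify affected users before applying the change.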



For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/
