Internet browser can't display the AD FS 2.0 webpage when a federated user tries to sign in to Office 365 web resources

Article ID: 2419389

Not sure what release of Office 365 you're using? Go to the following Microsoft website:
Am I using Office 365 after the service upgrade?

PROBLEM

When a federated user tries to sign in to Microsoft Office 365 web resources, the Internet browser can't display the Active Directory Federation Services (AD FS) 2.0 sign-in webpage. Additionally, the user may receive an error message. For example, if the user is using Internet Explorer, the user may receive the following error message:
Internet Explorer cannot display the webpage.
When this error occurs, the address that's displayed in the web browser resembles the following address:
https://sts.domain.tld/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=uri:WindowsLiveID&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D11%26ct%3D1283354771%26rver%3D6.0.5286.0%26wp%3DMCMBI%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252Flanding.aspx%253Ftarget%253D%25252fDefault.aspx%26lc%3D1033%26id%3D271346%26bk%3D1283354772

CAUSE

This issue may occur if the user can't contact the on-premises AD FS 2.0 federation server or the Internet-facing AD FS 2.0 federation server proxy. This can occur when the AD FS 2.0 Federation Service stops running or when IP connectivity to the server is degraded or lost.

SOLUTION

Before you begin to resolve this issue, determine the AD FS 2.0 endpoint address for the on-premises federation server, and then determine which server is having problems.
Determine the AD FS 2.0 endpoint address for the on-premises federation server
To do this, follow these steps on a domain-connected computer that has Windows Azure Active Directory Module for Windows PowerShell installed:
  1. Run Windows Azure Active Directory Module for Windows PowerShell as an elevated admin. To do this, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. Type the following commands. Press Enter after you type each command:
    1. $cred = get-credential

      Note When you are prompted, enter your Office 365 global admin credentials.
    2. Connect-MsolService -Credential $cred
    3. Set-MsolADFSContext -Computer <AD FS Server>

      Note The <AD FS Server> placeholder represents the computer name of your primary AD FS 2.0 server.
    4. Get-MsolFederationProperty -DomainName <Federated Domain> | FL

      Note The <Federated Domain> placeholder represents the domain name that's federated with Office 365.
In the output, examine the ActiveClientSignInUrl property. The domain part of the URL is the endpoint that can be used in the resolution that's described later in this article.
Determine the server that's having problems
Scope the issue. To do this, determine the server that's having problems. If only Internet clients are having problems, troubleshoot the AD FS 2.0 Federation server proxy first. If corporate network clients are also having problems, troubleshoot the AD FS 2.0 federation server first.

After you determine which server is having problems, follow these steps on the appropriate AD FS 2.0 server:

Step 1: Make sure that the on-premises AD FS 2.0 federation server is running

  1. On the AD FS 2.0 federation server, open Control Panel, click Administrative Tools, and then click Services.
  2. Look for the AD FS 2.0 Windows Service service.
  3. Make sure that the status of the AD FS 2.0 Windows Service service is Started. If the service is stopped, right-click the service, and then click Start to start the service.

Step 2: Make sure that the web server is running on the appropriate AD FS 2.0 server

  1. On the AD FS 2.0 federation server or on the AD FS 2.0 federation server proxy, open Server Manager, expand Roles, expand Web Server (IIS), and then select Internet Information Services.
  2. Expand your computer name, and then expand Sites.
  3. Make sure that Default Web Site is set to Started. If it isn't, right-click Default Web Site, point to All Tasks, and then click Start.
  4. Expand Default Web Site, and then make sure that the adfs and /adfs/ls virtual directories exist.

Step 3: Make sure that DNS has a host record for the AD FS 2.0 endpoint that's appropriate to the client that's having problems

For internal clients, internal DNS should resolve the AD FS 2.0 endpoint name to an internal IP address (for example, sts.contoso.com A 192.168.1.104). For Internet clients, the endpoint name should resolve to a public IP address. This can be tested on the client by using the following procedure. If the on-premises network contains a proxy server, also try to add the AD FS 2.0 endpoint as a proxy exception by using Internet Options in Internet Explorer (see Step 4).
  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following command, where the placeholder <STS.contoso.com> represents the AD FS endpoint name:
    nslookup <STS.contoso.com>
  3. If the command results in an incorrect IP address, resolve the issue by updating the A record on either the internal or external DNS server. To make sure that DNS requests for AD FS 2.0 resources from on-premises computers resolve to the AD FS 2.0 Federation service instead of the AD FS 2.0 Proxy server, see the following Microsoft Knowledge Base article to check and update the split-brain DNS settings.
    2715326 Split-brain DNS misconfiguration prevents seamless SSO sign-in experience
    Note Updated Internet-facing DNS settings may take as long as 48 hours to propagate to all Internet DNS servers.

Step 4: Try to add the AD FS server name as an exception in the Internet proxy settings in Internet Explorer on the client computer

If the on-premises network contains a proxy, and if only internal clients are having problems with AD FS 2.0 access, try to add the AD FS 2.0 server name as an exception in the Internet proxy settings in Internet Explorer. To do this, follow these steps on the client computer:
  1. Open Internet Explorer, and then click Internet Options on the Tools menu.
  2. Click the Connections tab, and then click LAN Settings.
  3. Under Automatic configuration, click to clear the check boxes, and then click to select the Use a proxy server for your LAN check box under Proxy server.
  4. Under Proxy server, add the proxy server address and the port that the proxy server uses, and then click Advanced.
  5. Under Exceptions, add your AD FS endpoint (for example, sts.contoso.com).
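As an added example that is not part of the original article, the following PowerShell function runs the checks from Steps 1 through 4 from one place on an AD FS 2.0 federation server (or, with -IsProxy, on a federation server proxy): service state, IIS site and adfs/ls nodes, name resolution of the endpoint, and TCP reachability of port 443. It assumes the WebAdministration module that ships with IIS 7.x and uses only .NET types available on Windows Server 2008 R2; the function name, the Add-Result helper and the -IsProxy switch are hypothetical names chosen here.

```powershell
function Test-AdfsSignInPath {
    param(
        # Host part of ActiveClientSignInUrl from Get-MsolFederationProperty, for example:
        #   $p = Get-MsolFederationProperty -DomainName contoso.com | Where-Object { $_.ActiveClientSignInUrl } | Select-Object -First 1
        #   Test-AdfsSignInPath -StsHost ([System.Uri]$p.ActiveClientSignInUrl).Host
        [Parameter(Mandatory = $true)][string]$StsHost,
        # Use on a federation server proxy, where the AD FS 2.0 Windows Service is not installed.
        [switch]$IsProxy
    )
    $results = New-Object System.Collections.ArrayList
    function Add-Result($check, $ok, $detail) {
        [void]$results.Add((New-Object PSObject -Property @{ Check = $check; Ok = [bool]$ok; Detail = "$detail" }))
    }

    # Step 1: the "AD FS 2.0 Windows Service" (service name adfssrv) must be running on a federation server.
    if (-not $IsProxy) {
        $svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
        if ($svc) { Add-Result 'AD FS 2.0 Windows Service' ($svc.Status -eq 'Running') $svc.Status }
        else      { Add-Result 'AD FS 2.0 Windows Service' $false 'service adfssrv not found' }
    }

    # Step 2: Default Web Site started and the adfs and adfs/ls nodes present under it.
    Import-Module WebAdministration
    $site = Get-Website | Where-Object { $_.Name -eq 'Default Web Site' }
    if ($site) { Add-Result 'Default Web Site' ($site.State -eq 'Started') $site.State }
    else       { Add-Result 'Default Web Site' $false 'site not found' }
    foreach ($node in 'adfs', 'adfs\ls') {
        $path = "IIS:\Sites\Default Web Site\$node"
        Add-Result "IIS node $node" (Test-Path $path) $path
    }

    # Step 3: how this host resolves the endpoint; compare with the expected internal or public address.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($StsHost) | ForEach-Object { $_.IPAddressToString }
        Add-Result 'DNS resolution' $true ($addrs -join ', ')
    } catch { Add-Result 'DNS resolution' $false $_.Exception.Message }

    # Steps 3/4: TCP reachability of the HTTPS endpoint (firewall or proxy problems show up here).
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($StsHost, 443)
        $tcp.Close()
        Add-Result 'TCP 443' $true ('{0}:443 reachable' -f $StsHost)
    } catch { Add-Result 'TCP 443' $false $_.Exception.Message }

    $results | Select-Object Check, Ok, Detail
}
```

Run it in an elevated Windows PowerShell session on the server in question; any row with Ok = False points at the step of this article to work through next.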

MORE INFORMATION

The Windows PowerShell commands in this article require the Windows Azure Active Directory Module for Windows PowerShell. For more information about the Windows Azure Active Directory Module for Windows PowerShell, go to the following Microsoft website:

Video: IE Cannot Display the Microsoft Office 365 Portal When a Federated User Tries to Sign In

Video URL: http://aka.ms/e1dt0o


Still need help? Go to the Office 365 Community website.

Properties

Article ID: 2419389 - Last Review: May 15, 2013 - Revision: 37.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • Windows Azure Active Directory
Keywords: 
o365 o365e o365a o365m o365022013 after upgrade o365062011 pre-upgrade KB2419389
