Usually, this issue occurs on a client computer or on a group of client devices. This issue may occur for all users and client computers if single sign-on (SSO) isn't fully functional. SSO might not be fully functional if Office 365 client settings weren't correctly set up. The following Office 365 client device situations may cause this issue:
Network connectivity may be limited.
The client device is receiving incorrect name resolution for the AD FS Federation service from the internal split-brain DNS implementation.
If an Internet proxy server is configured on the computer, the AD FS Federation service name may not be added to the proxy bypass list.
The AD FS Federation service name may not be added to the Local Intranet security zone in Internet Options settings.
The client computer isn't authenticated to Active Directory Domain Services.
The third-party web browser doesn't support Extended Protection for Authentication to the AD FS Federation service.
The federation metadata endpoint may be hardcoded in the registry because of an earlier Office 365 Beta installation of the SSO Management Tool.
The AD FS service endpoint that a specific client application requires is disabled.
Before you continue, make sure that the following conditions are true:
Access problems aren't limited to rich client applications on the client computer. If only rich client authentication (as opposed to browser-based authentication) isn't working, it more likely indicates a rich client authentication issue. For example, it may be an issue that's related to the prerequisites or the configuration of the rich-client application. For more information, see the following Microsoft Knowledge Base article:
How to troubleshoot computer issues that limit Office 365 rich client authentication
SSO authentication doesn't fail for all SSO-enabled user accounts. If all SSO-enabled users experience the same symptoms, it more likely indicates a federation issue. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
SSO authentication for the user account succeeds on other client computers. If the user account can't log on to any Office 365 client, see the resolutions later in this article that involve the client computer. Also, explore the possibility that there's something wrong with the user account and not with the client computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
At a command prompt, type nslookup www.msn.com to determine whether DNS is resolving Internet server names.
Make sure that Internet Options proxy settings reflect the appropriate proxy server if a proxy server is used in the local network.
If a Forefront Threat Management Gateway (TMG) firewall is installed on the boundary of the network, and the firewall requires client authentication, you may have to install a Forefront TMG Client program on the client device for Internet access. Contact your Office 365 admin for help with this.
Resolution 2: Can't connect to AD FS
To resolve this issue, follow these steps:
Eliminate IP connectivity problems by using Resolution 1.
At the command prompt, type nslookup <AD FS FQDN>, and then press Enter to determine whether DNS is resolving the AD FS service name correctly.
Note In this command, <AD FS FQDN> represents the fully qualified domain name (FQDN) of the AD FS Federation service name (the name that clients are redirected to). It doesn't represent the Windows host name of the AD FS server.
If the client is attached to the corporate network, make sure that the IP address that's resolved is a private IP address. The IP address should match one of the following patterns:
If the client is outside the corporate network, make sure that the IP address that's resolved is a public IP address. Make sure that it does not match one of the following patterns:
If the IP address that's resolved is wrong for the network that the client is attached to (private where a public address is expected, or the reverse), and other client computers don't experience the same behavior, do the following:
At the command prompt, type ipconfig /all, and then check that the Primary DNS Server entry is appropriate for the network to which the client is attached.
Open the %windir%\system32\drivers\etc\hosts file in Notepad (Notepad must be started as an administrator to save the file), and then remove any entries for the AD FS FQDN. Then, save the file.
At the command prompt, type ipconfig /flushdns to clear the DNS cache.
Note If client devices are only attached to the corporate network, go to step 3.
Add the AD FS FQDN to the Proxy Bypass list. To do this, follow the steps in the following article in the Microsoft Knowledge Base:
Internet Explorer uses proxy server for local IP address even if the "Bypass Proxy Server for Local Addresses" option is turned on
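The checks in Resolution 2 (and the basic connectivity check earlier in the article) can be run from one read-only PowerShell script on the affected client. This is an added example supplied by the editor, not code from the original article: it reports the DNS answer for the AD FS service name and whether that answer is private or public, the DNS servers in use, any hosts-file override, the Internet Options proxy and bypass list, the Local Intranet zone mapping, and TCP 443 reachability. It changes nothing; act on its findings by hand as the article describes. Assumptions that the article does not state: the "patterns" it refers to are taken to be the RFC 1918 private ranges (10/8, 172.16/12, 192.168/16); the operator indicates with -OnCorporateNetwork which network the client is on; the service name has a two-label registrable domain (used for the ZoneMap lookup); and the DnsClient and NetTCPIP cmdlets are available (Windows 8 / Server 2012 or later).

```powershell
# Added example (editor-supplied, not from the original article).
# Read-only client checks for Resolution 2. Assumptions are noted inline.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$AdfsFqdn,   # the service name, e.g. sts.example.com (placeholder)
    [switch]$OnCorporateNetwork                # set when the client sits on the corporate LAN
)

# Assumption: the article's "private address patterns" are the RFC 1918 ranges.
function Test-Rfc1918Address {
    param([System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

$report = [ordered]@{ AdfsFqdn = $AdfsFqdn }

# 1. Ask the resolver directly. -DnsOnly skips the hosts file and the local cache, so a
#    stale hosts entry or cached record cannot disguise what DNS actually returns.
$answers = @(Resolve-DnsName -Name $AdfsFqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'A' })
$report.DnsAnswers = ($answers | ForEach-Object { $_.IPAddress }) -join ', '
$private = @($answers | Where-Object { Test-Rfc1918Address ([System.Net.IPAddress]$_.IPAddress) })
if ($OnCorporateNetwork) {
    $report.ExpectedScope = 'private (RFC 1918)'
    $report.ScopeOk = ($answers.Count -gt 0 -and $private.Count -eq $answers.Count)
} else {
    $report.ExpectedScope = 'public'
    $report.ScopeOk = ($answers.Count -gt 0 -and $private.Count -eq 0)
}

# 2. Which DNS servers is the client using (the article's "ipconfig /all" check)?
$report.DnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { "$($_.InterfaceAlias): $($_.ServerAddresses -join ' ')" }) -join '; '

# 3. Hosts-file overrides for the service name (uncommented lines only).
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$hostsHits = @(Select-String -Path $hostsPath -Pattern ([regex]::Escape($AdfsFqdn)) |
               Where-Object { $_.Line -notmatch '^\s*#' })
$report.HostsFileEntries = if ($hostsHits.Count) { ($hostsHits | ForEach-Object { $_.Line.Trim() }) -join '; ' } else { 'none' }

# 4. Internet Options proxy server and bypass list (WinINET settings in the user hive).
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$report.ProxyEnabled = [bool]$inet.ProxyEnable
$report.ProxyServer  = $inet.ProxyServer
$bypass = @()
if ($inet.ProxyOverride) { $bypass = $inet.ProxyOverride -split ';' | ForEach-Object { $_.Trim() } }
# Entries are literal names or wildcards such as *.example.com; -like honours the wildcard.
$report.InProxyBypass = [bool]($bypass | Where-Object { $_ -and ($AdfsFqdn -like $_) })

# 5. Local Intranet zone mapping. IE keeps per-site zones under ZoneMap\Domains\<domain>\<host>
#    with a DWORD named after the scheme (https or *); the value 1 means Local Intranet.
#    Assumption: the registrable domain is the last two labels of the FQDN.
$labels   = $AdfsFqdn.Split('.')
$domain   = $labels[-2..-1] -join '.'
$hostPart = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }
$zone = $null
foreach ($hive in 'HKCU', 'HKLM') {
    $base = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    $candidates = @()
    if ($hostPart) { $candidates += (Join-Path $base $hostPart) }
    $candidates += $base
    foreach ($key in $candidates) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($scheme in 'https', '*') {
            if ($null -ne $values.$scheme) { $zone = [int]$values.$scheme; break }
        }
        if ($null -ne $zone) { break }
    }
    if ($null -ne $zone) { break }
}
$report.LocalIntranetZone = ($zone -eq 1)

# 6. Is the service reachable on TCP 443 (the IP connectivity check of Resolution 1)?
$tcp = Test-NetConnection -ComputerName $AdfsFqdn -Port 443 -WarningAction SilentlyContinue
$report.Tcp443Reachable = [bool]$tcp.TcpTestSucceeded
$report.RemoteAddress   = "$($tcp.RemoteAddress)"

[pscustomobject]$report
```

Save the script as, for example, Test-AdfsClient.ps1 and run `.\Test-AdfsClient.ps1 -AdfsFqdn sts.example.com -OnCorporateNetwork` (the name is a placeholder). A ScopeOk of False while on the corporate network is the split-brain DNS symptom that Resolution 2 describes; a HostsFileEntries value that differs from DnsAnswers points at the hosts file, which needs an elevated editor to change. InProxyBypass and LocalIntranetZone of False correspond to the proxy bypass and Internet Options causes listed at the top of the article. If proxy settings are pushed per machine by Group Policy, look under HKLM rather than HKCU. On clients older than Windows 8 the DnsClient and NetTCPIP cmdlets aren't available, so use nslookup and ipconfig as the article says.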
Resolution 5: Third-party web browser doesn't support Extended Protection for Authentication, and you receive looping authentication prompts
To resolve this issue, follow these steps:
Use Windows Internet Explorer (Internet Explorer supports Extended Protection for Authentication) instead of a third-party web browser that doesn't support Extended Protection for Authentication.
If using Internet Explorer isn't an option, use the following Microsoft Knowledge Base article to configure AD FS to accept requests from web browsers that don't support Extended Protection for Authentication. Be aware that Extended Protection binds the authentication to the TLS channel so that an attacker who intercepts the exchange can't forward the credentials to the server; relaxing that check on the federation service lowers this protection for every client, not only the affected browser, so treat it as a deliberate trade-off rather than a default:
A federated user is repeatedly prompted for credentials during sign-in to Office 365, Windows Azure, or Windows Intune
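How the server-side change looks in practice, as an added example supplied by the editor (not code from the original article or from the Knowledge Base article it cites): run on the AD FS federation server, the script reads the current Extended Protection setting and, only when it is set to Require, relaxes it to Allow, so that browsers that don't send a channel-binding token can sign in while clients that do send one keep being checked. Setting None, which disables the check entirely, is left as an explicit option rather than the default. It assumes AD FS 2.0 (the Microsoft.Adfs.PowerShell snap-in) or a later version whose AD FS module loads automatically, that the Windows service is named adfssrv, and that the service must be restarted for the property to take effect; -WhatIf previews the change without making it.

```powershell
# Added example (editor-supplied, not from the original article or the KB it cites).
# Read, and if necessary relax, ExtendedProtectionTokenCheck on the AD FS server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Allow keeps checking the channel-binding token for clients that send one;
    # None stops checking altogether and is the weaker choice.
    [ValidateSet('Allow', 'None')][string]$RelaxTo = 'Allow'
)

# AD FS 2.0 ships its cmdlets as a snap-in; later versions auto-load a module.
if (-not (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$before = (Get-AdfsProperties).ExtendedProtectionTokenCheck
Write-Output "ExtendedProtectionTokenCheck before: $before"

# Require = reject authentication that carries no channel-binding token (strongest)
# Allow   = verify the token when a client sends one, accept clients that don't
# None    = never check the token (only if Allow proves insufficient)
if ($before -eq 'Require' -and
    $PSCmdlet.ShouldProcess('AD FS Federation Service', "set ExtendedProtectionTokenCheck to $RelaxTo")) {
    Set-AdfsProperties -ExtendedProtectionTokenCheck $RelaxTo
    # Assumption: the service is named adfssrv and re-reads the property on start.
    Restart-Service -Name adfssrv
    $after = (Get-AdfsProperties).ExtendedProtectionTokenCheck
    Write-Output "ExtendedProtectionTokenCheck after:  $after"
}
```

Run it first with -WhatIf to see what would change. Restarting the service interrupts sign-in on that node, so in a farm apply the change to one server at a time, and record the previous value so it can be restored once the non-conforming browser is retired or replaced.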
Resolution 6: "Access Denied" error message when you try to connect to login.microsoftonline.com
Important This section contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
Problems may occur if the endpoint for Office 365 SSO that's used by AD FS isn't valid. Make sure that the federation endpoint isn't hard-coded in the registry of each server in the AD FS Federation service farm.
To resolve this issue, use Registry Editor to delete the following registry subkey: