"Your organization could not sign you in to this service" error and "80041034" error code when a federated user tries to sign in to the Office 365 portal

Article ID: 2535191

Not sure what release of Office 365 you're using? Go to the following Microsoft website:
Am I using Office 365 after the service upgrade?

PROBLEM

When a federated user tries to sign in to Microsoft Office 365 from a sign-in webpage whose URL starts with https://login.microsoftonline.com/login, authentication for that user is unsuccessful. The user receives the following error message:
Your organization could not sign you in to this service
When you follow the steps in the following Microsoft Knowledge Base article to identify the Windows Azure Active Directory (Windows Azure AD) authentication system error code, you discover that an 80041034 error code was generated during the user's sign-in attempt.
2615736 Error message from login.microsoftonline.com when a user tries to sign in to Office 365

CAUSE

This issue may occur if one of the following conditions is true:
  • A user’s UPN was updated, and old sign-in information was cached on the Active Directory Federation Services (AD FS) 2.0 server. When the SAM account of the user is changed, the cached sign-in information may cause problems the next time that the user tries to access Office 365 services.
  • The claims that are set up in the relying party trust with Windows Azure AD return unexpected data. This behavior may occur when the claims that are associated with the relying party trust are manually edited or removed.

SOLUTION

Resolution 1: Disable Local Security Authority (LSA) credential caching on the AD FS server

You can update the LSA cache time-out setting on the AD FS 2.0 server to disable caching of Active Directory credential info. Use this method with caution. It may put an additional load on the server and Active Directory.

Important: This method contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more info about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To fix this issue, follow these steps:
  1. Make sure that the changes to the user’s UPN are synced to Office 365 through directory synchronization.
  2. Direct the user to log off the computer and then log on again.
  3. If steps 1 and 2 don't resolve the issue, follow these steps:
    1. Open Registry Editor, and then locate the following subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    2. Right-click Lsa, click New, and then click DWORD Value.
    3. Type LsaLookupCacheMaxSize, and then press ENTER to name the new value.
    4. Right-click LsaLookupCacheMaxSize, and then click Modify.
    5. In the Value data box, type 0, and then click OK.
    6. Exit Registry Editor.
LsaLookupCacheMaxSize reconfiguration can affect sign-in performance, and this reconfiguration isn't needed after the symptoms subside. This method should be used only temporarily, and we strongly recommend that you delete the LsaLookupCacheMaxSize value after the issue is resolved. To do this, follow these steps:
  1. Open Registry Editor, and then locate the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Right-click LsaLookupCacheMaxSize, and then click Delete.
  3. Exit Registry Editor.
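
The registry steps in Resolution 1 can also be scripted. The following PowerShell is an added example, not part of the original Microsoft article; the function names and the backup file path are assumptions made for this example. It backs up the Lsa key before setting the value, and reports whether the temporary value is still present so that it can be removed after the issue is resolved.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell
# session on the AD FS 2.0 server. Function names and the backup path are
# assumptions made for this example.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LsaLookupCacheMaxSize'

function Get-LsaLookupCacheState {
    # Returns the current value, or $null when the value is absent (default state).
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$ValueName
}

function Disable-LsaLookupCache {
    param([string]$BackupFile = "$env:TEMP\Lsa-backup.reg")  # assumed backup location
    # Export the Lsa key first, as the article advises backing up the registry.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no change was made.' }
    # Create the DWORD value, or overwrite it if it already exists, with data 0.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Output "Set $ValueName = 0 (backup: $BackupFile)"
}

function Restore-LsaLookupCache {
    # Delete the value once the symptoms subside, as in the removal steps above.
    if ($null -ne (Get-LsaLookupCacheState)) {
        Remove-ItemProperty -Path $LsaKey -Name $ValueName
        Write-Output "Removed $ValueName"
    } else {
        Write-Output "$ValueName is not present; nothing to remove."
    }
}

# Report the current state so a leftover temporary setting is easy to spot.
$state = Get-LsaLookupCacheState
if ($null -eq $state) {
    Write-Output "$ValueName is not set (default caching behavior)."
} else {
    Write-Output "$ValueName = $state (temporary workaround still in place)."
}
```

Call `Disable-LsaLookupCache` to apply the workaround and `Restore-LsaLookupCache` to delete the value afterward.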

Resolution 2: Update the relying party trust with Windows Azure AD

To update the relying party trust, see the "How to update the configuration of the Office 365 federated domain" section of the following Microsoft Knowledge Base article:
2647048 How to update or to repair the configuration of the Office 365 federated domain

MORE INFORMATION

Still need help? Go to the Office 365 Community website.

Properties

Article ID: 2535191 - Last Review: May 15, 2013 - Revision: 24.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education (pre-upgrade)
  • Windows Azure Active Directory