After you change Active Directory Federation Services (AD FS) service endpoint settings in the AD FS Management Console, single sign-on (SSO) authentication to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune fails, and you experience one of the following symptoms:
- Federated users can't sign in to Office 365, Azure, or Intune by using rich client applications.
- Browser applications repeatedly prompt users for credentials when they try to authenticate to AD FS during SSO authentication.
This issue may occur if one of the following conditions is true:
- The AD FS service endpoints are inappropriately configured.
- Kerberos authentication on the AD FS server is broken.
To resolve this issue, use one of the following methods, as appropriate for your situation.
Resolution 1: Restore the default AD FS service endpoint configuration
To restore AD FS default service endpoint settings, follow these steps on the primary AD FS server:
- Open the AD FS Management Console, and in the left navigation pane, browse to AD FS (2.0), then Service, and then Endpoints.
Collapse this imageExpand this image
- Examine the endpoints list, and make sure that the entries in this list are enabled as indicated (at a minimum):
Collapse this tableExpand this table
|URL Path||Enabled||Proxy enabled|
- If an item in the list doesn't match the default settings in the previous table, right-click the entry, and then select Enable or Enable on Proxy as necessary.
Resolution 2: Troubleshoot Kerberos authentication issues
For more info about how to troubleshoot Kerberos authentication issues, see the following Microsoft Knowledge Base article:
A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Intune
Still need help? Go to the Office 365 Community
website or the Azure Active Directory Forums
Article ID: 2712957 - Last Review: October 27, 2014 - Revision: 19.0
- Microsoft Azure cloud services
- Microsoft Azure Active Directory
- Microsoft Office 365
- Microsoft Intune
- CRM Online via Office 365 E Plans
- Microsoft Azure Recovery Services
- Office 365 Identity Management
|o365 o365a mosdal4.5 o365e kbgraphxlink o365022013 o365m kbgraphic KB2712957|