Article ID: 2712957

PROBLEM

After you change Active Directory Federation Services (AD FS) service endpoint settings in the AD FS Management Console, single sign-on (SSO) authentication to a Microsoft cloud service such as Office 365, Microsoft Azure, or Windows Intune fails, and you experience one of the following symptoms:
  • Federated users can't sign in to Office 365, Azure, or Windows Intune by using rich client applications.
  • Browser applications repeatedly prompt users for credentials when they try to authenticate to AD FS during SSO authentication.

CAUSE

This issue may occur if one of the following conditions is true:
  • The AD FS service endpoints are inappropriately configured.
  • Kerberos authentication on the AD FS server is broken.

SOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation.

Resolution 1: Restore the default AD FS service endpoint configuration

To restore AD FS default service endpoint settings, follow these steps on the primary AD FS server:
  1. Open the AD FS Management Console, and in the left navigation pane, browse to AD FS (2.0), then Service, and then Endpoints.

    [Screenshot: Endpoints under Service in the AD FS 2.0 Management Console]

  2. Examine the endpoints list, and make sure that the entries in this list are enabled as indicated (at a minimum):

    URL Path                                                      Enabled  Proxy enabled
    /adfs/ls/                                                     Yes      Not applicable
    /adfs/services/trust/2005/windowstransport/                   Yes      Yes
    /adfs/services/trust/2005/certificatemixed                    Yes      Yes
    /adfs/services/trust/2005/certificatetransport                Yes      Yes
    /adfs/services/trust/2005/usernamemixed                       Yes      Yes
    /adfs/services/trust/2005/kerberosmixed                       Yes      No
    /adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256  Yes      Yes
    /adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256   Yes      Yes
    /adfs/services/trust/13/kerberosmixed                         Yes      No
    /adfs/services/trust/13/certificatemixed                      Yes      Yes
    /adfs/services/trust/13/usernamemixed                         Yes      Yes
    /adfs/services/trust/13/issuedtokenmixedasymmetricbasic256    Yes      Yes
    /adfs/services/trust/13/issuedtokenmixedsymmetricbasic256     Yes      Yes
    /adfs/services/trusttcp/windows                               Yes      No
    /adfs/services/trust/mex                                      Yes      Yes
    /FederationMetadata/2007-06/FederationMetadata.xml            Yes      Yes
    /adfs/ls/federationserverservice.asmx                         Yes      No

  3. If an item in the list doesn't match the default settings in the previous table, right-click the entry, and then select Enable or Enable on Proxy as necessary.
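
One way to run the comparison in steps 2 and 3 from PowerShell instead of the console, as an added example that is not part of the original article. Test-AdfsEndpointBaseline and the sample objects are hypothetical names constructed here; Get-ADFSEndpoint and its AddressPath, Enabled and Proxy properties are the AD FS cmdlet's own.

```powershell
# Added example, not from the KB article. Written for PowerShell 2.0 and later.
# Baseline from the article's table: "path,Enabled,ProxyEnabled" ('-' = n/a); paths spelled as AD FS reports them.
$BaselineRows = @(
    '/adfs/ls/,Yes,-'
    '/adfs/services/trust/2005/windowstransport/,Yes,Yes'
    '/adfs/services/trust/2005/certificatemixed,Yes,Yes'
    '/adfs/services/trust/2005/certificatetransport,Yes,Yes'
    '/adfs/services/trust/2005/usernamemixed,Yes,Yes'
    '/adfs/services/trust/2005/kerberosmixed,Yes,No'
    '/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256,Yes,Yes'
    '/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256,Yes,Yes'
    '/adfs/services/trust/13/kerberosmixed,Yes,No'
    '/adfs/services/trust/13/certificatemixed,Yes,Yes'
    '/adfs/services/trust/13/usernamemixed,Yes,Yes'
    '/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256,Yes,Yes'
    '/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256,Yes,Yes'
    '/adfs/services/trusttcp/windows,Yes,No'
    '/adfs/services/trust/mex,Yes,Yes'
    '/FederationMetadata/2007-06/FederationMetadata.xml,Yes,Yes'
    '/adfs/ls/federationserverservice.asmx,Yes,No'
)
function Test-AdfsEndpointBaseline {
    param([Parameter(Mandatory=$true)][object[]]$Endpoint)
    $live = @{}   # live endpoints keyed by normalized path (lower case, no trailing slash)
    foreach ($e in $Endpoint) { $live[([string]$e.AddressPath).TrimEnd('/').ToLower()] = $e }
    foreach ($row in $BaselineRows) {
        $path, $wantEnabled, $wantProxy = $row -split ','   # every baseline row is Enabled = Yes
        $e = $live[$path.TrimEnd('/').ToLower()]
        $todo = @()
        if (-not $e) { $todo += 'Not in endpoint list' } else {
            if (-not $e.Enabled) { $todo += 'Enable' }
            if ($wantProxy -eq 'Yes' -and -not $e.Proxy) { $todo += 'Enable on Proxy' }
            if ($wantProxy -eq 'No' -and $e.Proxy) { $todo += 'Review: proxy-enabled, table says No' }
        }
        if ($todo) { New-Object PSObject -Property @{ Path = $path; Action = ($todo -join '; ') } }
    }
}
# On the primary AD FS server the live list comes from Get-ADFSEndpoint (AD FS 2.0 needs the snap-in).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
if (Get-Command Get-ADFSEndpoint -ErrorAction SilentlyContinue) { $endpoints = Get-ADFSEndpoint } else {
    $endpoints = @(   # constructed sample objects, so the check can be tried off the server
        (New-Object PSObject -Property @{ AddressPath = '/adfs/ls/'; Enabled = $true; Proxy = $true }),
        (New-Object PSObject -Property @{ AddressPath = '/adfs/services/trust/2005/usernamemixed'; Enabled = $false; Proxy = $false }),
        (New-Object PSObject -Property @{ AddressPath = '/adfs/services/trust/13/kerberosmixed'; Enabled = $true; Proxy = $true })
    )
}
Test-AdfsEndpointBaseline -Endpoint $endpoints | Select-Object Path, Action | Format-Table -AutoSize
```

The script only reports differences and changes no settings; an empty result means every row of the table is satisfied.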

Resolution 2: Troubleshoot Kerberos authentication issues

For more info about how to troubleshoot Kerberos authentication issues, see the following Microsoft Knowledge Base article:
2461628 A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Windows Intune 

MORE INFORMATION

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2712957 - Last Review: July 9, 2014 - Revision: 18.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management