When a federated user tries to sign in to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune, the user receives the following error message from Active Directory Federation Services (AD FS):
There was a problem accessing the site. Try to browse to the site again. If the problem persists, contact the administrator of this site and provide the reference number to identify the problem. Reference number: <GUID>
When this error occurs, the web browser’s address bar points to the on-premises AD FS endpoint at an address that resembles the following:
To resolve this issue, use the method that's appropriate for your situation.
Scenario 1: The AD FS token-signing certificate expired
Collapse this imageExpand this image
Check whether the token-signing certificate is expired
To check whether the token-signing certificate is expired, follow these steps:
Click Start, click All Programs, click Administrative Tools, and then click AD FS (2.0) Management.
In the AD FS management console, click Service, click Certificates, and then examine the Effective and Expiration dates for the AD FS token-signing certificate.
If the certificate is expired, it has to be renewed to restore SSO authentication functionality.
Renew the token-signing certificate (if it has expired)
To renew the token-signing certificate on the primary AD FS server by using a self-signed certificate, follow these steps:
In the same AD FS management console, click Service, click Certificates, and then, under Certifications in the Actions pane, click Add Token-Signing Certificate.
If a "Certificates cannot be modified while the AD FS automatic certificate rollover feature is enabled" warning appears, go to step 3. Otherwise, check the certificate Effective and Expiration dates. If the certificate is successfully renewed, you don't have to perform steps 3 and 4.
If the certificate isn't renewed, click Start, point to All Programs, click Accessories, click the Windows PowerShell folder, right-click Windows PowerShell, and then click Run as administrator.
At the Windows PowerShell command prompt, enter the following commands. Press Enter after you enter each command:
Regardless of whether a self-signed or CA-signed certificate is used, you should finish restoring SSO authentication functionality. To do this, follow these steps:
Add Read access to the private key for the AD FS service account on the primary AD FS server. To do this, follow these steps:
Click Start, click Run, type mmc.exe, and then press Enter.
On the File menu, click Add/Remove Snap-in.
Double-click Certificates, select Computer account, and then click Next.
Select Local computer, click Finish, and then click OK.
Expand Certificates (Local Computer), expand Personal, and then click Certificates.
Right-click the new token-signing certificate, point to All Tasks, and then click Manage Private Keys.
Add Read access to the AD FS service account, and then click OK.
Exit the Certificates snap-in.
Update the new certificate's thumbprint and the date of the relying party trust with Azure AD. To do this, see the "How to update the configuration of the Office 365 federated domain" section of the following Microsoft Knowledge Base article:
How to update or repair the settings of a federated domain in Office 365, Azure, or Intune
Re-create the AD FS proxy trust configuration. To do this, follow these steps:
Restart the AD FS Windows Service on the primary AD FS server.
Wait 10 minutes for the certificate to replicate to all the members of the federation server farm, and then restart the AD FS Windows Service on the rest of the AD FS servers.
