- Federated users can't sign in to Office 365, Azure, or Intune by using rich client applications.
- Browser applications repeatedly prompt users for credentials when they try to authenticate to AD FS during SSO authentication.
- The AD FS service endpoints are inappropriately configured.
- Kerberos authentication on the AD FS server is broken.
Resolution 1: Restore the default AD FS service endpoint configuration
To restore AD FS default service endpoint settings, follow these steps on the primary AD FS server:
- Open the AD FS Management Console, and in the left navigation pane, browse to AD FS (2.0), then Service, and then Endpoints.
- Examine the endpoints list, and make sure that the entries in this list are enabled as indicated (at a minimum):

| URL Path | Enabled | Proxy enabled |
| --- | --- | --- |
| /adfs/ls/ | Yes | Not applicable |
| /adfs/services/trust/2005/windowstransport/ | Yes | Yes |
| /adfs/services/trust/2005/certificatemixed | Yes | Yes |
| /adfs/services/trust/2005/certificatetransport | Yes | Yes |
| /adfs/services/trust/2005/usernamemixed | Yes | Yes |
| /adfs/services/trust/2005/kerberosmixed | Yes | No |
| /adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256 | Yes | Yes |
| /adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256 | Yes | Yes |
| /adfs/services/trust/13/kerberosmixed | Yes | No |
| /adfs/services/trust/13/certificatemixed | Yes | Yes |
| /adfs/services/trust/13/usernamemixed | Yes | Yes |
| /adfs/services/trust/13/issuedtokenmixedasymmetricbasic256 | Yes | Yes |
| /adfs/services/trust/13/issuedtokenmixedsymmetricbasic256 | Yes | Yes |
| /adfs/services/trusttcp/windows | Yes | No |
| /adfs/services/trust/mex | Yes | Yes |
| /FederationMetadata/2007-06/FederationMetadata.xml | Yes | Yes |
| /adfs/ls/federationserverservice.asmx | Yes | No |

- If an item in the list doesn't match the default settings in the previous table, right-click the entry, and then select Enable or Enable on Proxy as necessary.
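The same comparison can be done from PowerShell. This is an added example, not part of the original article: a read-only check of the state returned by Get-AdfsEndpoint against the table above. It assumes the AD FS cmdlets are available on the primary AD FS server; the function name Compare-AdfsEndpointBaseline is hypothetical.

```powershell
# Added example (not from the original article). Read-only: reports deviations, changes nothing.
# Assumption: AD FS cmdlets are loaded. On AD FS 2.0 run first:
#   Add-PSSnapin Microsoft.Adfs.PowerShell

# Baseline transcribed from the table above. NA = "Not applicable" (proxy state not checked).
$baseline = @'
Path,Enabled,Proxy
/adfs/ls/,Yes,NA
/adfs/services/trust/2005/windowstransport/,Yes,Yes
/adfs/services/trust/2005/certificatemixed,Yes,Yes
/adfs/services/trust/2005/certificatetransport,Yes,Yes
/adfs/services/trust/2005/usernamemixed,Yes,Yes
/adfs/services/trust/2005/kerberosmixed,Yes,No
/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256,Yes,Yes
/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256,Yes,Yes
/adfs/services/trust/13/kerberosmixed,Yes,No
/adfs/services/trust/13/certificatemixed,Yes,Yes
/adfs/services/trust/13/usernamemixed,Yes,Yes
/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256,Yes,Yes
/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256,Yes,Yes
/adfs/services/trusttcp/windows,Yes,No
/adfs/services/trust/mex,Yes,Yes
/FederationMetadata/2007-06/FederationMetadata.xml,Yes,Yes
/adfs/ls/federationserverservice.asmx,Yes,No
'@ | ConvertFrom-Csv

function Compare-AdfsEndpointBaseline {
    param([object[]]$Endpoints, [object[]]$Baseline)
    foreach ($row in $Baseline) {
        # Compare paths without a trailing slash; -eq on strings is case-insensitive.
        $path = $row.Path.TrimEnd('/')
        $ep = $Endpoints | Where-Object { $_.AddressPath.TrimEnd('/') -eq $path } |
            Select-Object -First 1
        $issues = @()
        if (-not $ep) { $issues += 'endpoint not found' }
        else {
            if ($ep.Enabled -ne ($row.Enabled -eq 'Yes')) { $issues += "Enabled should be $($row.Enabled)" }
            if ($row.Proxy -ne 'NA' -and $ep.Proxy -ne ($row.Proxy -eq 'Yes')) {
                $issues += "Proxy enabled should be $($row.Proxy)"
            }
        }
        # Emit one object per deviating endpoint; matching endpoints produce no output.
        if ($issues) { New-Object PSObject -Property @{ Path = $row.Path; Issue = ($issues -join '; ') } }
    }
}

Compare-AdfsEndpointBaseline -Endpoints (Get-AdfsEndpoint) -Baseline $baseline |
    Select-Object Path, Issue | Format-Table -AutoSize
```

No output means every listed endpoint matches the table. A proxy-enabled kerberosmixed, trusttcp/windows or federationserverservice.asmx endpoint is reported as a deviation because the table lists those as not proxy-enabled.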
Resolution 2: Troubleshoot Kerberos authentication issues
For more info about how to troubleshoot Kerberos authentication issues, see the following Microsoft Knowledge Base article:
Article ID: 2712957 - Last Review: 16 Dec 2016 - Revision: 1