Note Not all federated user authentication experiences are without a credential prompt. In certain scenarios, it's by design and expected that federated users are prompted to enter their credentials. Make sure that the credential prompt is unexpected before you continue.
- An internal client resolves the Active Directory Federation Services (AD FS) endpoint to the IP address of the AD FS proxy service instead of to the IP address of the AD FS federation service.
- The security settings in Internet Explorer are not configured for single sign-on to AD FS.
- The proxy server settings in Internet Explorer are not configured for single sign-on to AD FS.
- The Internet Information Services (IIS) authentication settings on the AD FS server are configured incorrectly.
- The web browser does not support integrated Windows authentication.
- The client computer cannot connect to the on-premises Active Directory domain.
Method 1: Make sure that the DNS server has a host record for the AD FS endpoint
Make sure that the DNS server has a host record for the AD FS endpoint that is appropriate to the client computer that is experiencing this issue. For internal clients, this means that the internal DNS server should resolve the AD FS endpoint name to an internal IP address. For Internet clients, this means that the endpoint name should resolve to a public IP address. To test this on the client, follow these steps:
- Click Start, click Run, type cmd, and then press Enter.
- At the command prompt, type the following command, where the placeholder sts.contoso.com represents the AD FS endpoint name:
- If the output of the command shows an incorrect IP address, update the A record on the internal or external DNS server. For more information about how to do this, see the following article in the Microsoft Knowledge Base:
  2419389 Internet browser can't display the AD FS webpage when a federated user tries to sign in to Office 365, Azure, or Intune
Method 2: Check the local intranet zone and proxy server settings in Internet Explorer
Use one of the following procedures, as appropriate for your situation.
Procedure A
Check the local intranet zone and proxy server settings in Internet Explorer. To do this, follow these steps:
- Start Internet Explorer.
- On the Tools menu, click Internet Options.
- Click the Security tab, click the Local intranet zone, and then click Sites.
- In the Local intranet dialog box, click Advanced. In the Websites list, make sure that an entry (such as sts.contoso.com) exists for the fully qualified DNS name of the AD FS service endpoint.
- Click Close, and then click OK.
Note Use the following additional steps only if a network administrator configured a web proxy server in the on-premises environment:
- Click the Connections tab, and then click LAN Settings.
- Under Automatic configuration, click to clear the Automatically detect settings check box, and then click to clear the Use automatic configuration script check box.
- Under Proxy server, click to select the Use a proxy server for your LAN check box, type the proxy server address and the port that it uses, and then click Advanced.
- Under Exceptions, add your AD FS endpoint (such as sts.contoso.com).
- Click OK three times.
Procedure B
Manually configure the security settings for the security zone in Internet Explorer. The default security setting that causes the local intranet zone not to prompt for Windows authentication can be configured manually for any security zone in Internet Explorer. To customize the security zone of which the AD FS service name is already a part, follow these steps:
Warning We highly discourage this configuration because it could result in the unintended submission of Integrated Windows Authentication traffic to websites.
- Start Internet Explorer.
- On the Tools menu, click Internet options.
- Click the Security tab, select the security zone in which the AD FS service name is already contained, and then click Custom level.
- In the Security Settings dialog box, scroll to the bottom to locate the User Authentication entry.
- Under Logon, click Automatic logon with current user name and password.
- Click OK two times.
Method 3: Check the IIS authentication settings for the AD FS federation service and proxy service
Verify that the IIS authentication settings for the AD FS federation and proxy services are configured correctly. For more information, see the following article in the Microsoft Knowledge Base:
Method 4: Use Internet Explorer or a third-party web browser
Use Internet Explorer or a third-party web browser that supports integrated Windows authentication.
Method 5: Verify connectivity to Active Directory
Log off from the client computer and then log on as an Active Directory user. If logon is successful, verify the connectivity to Active Directory by using the Nltest command-line tool. To use the Nltest tool, you must have Windows Server 2003 Support Tools installed on the computer.
- At a command prompt, type the following command, and then press Enter:
  Nltest /dsgetdc:<FQDN Of Domain>
  If the settings are correct, you receive output that resembles the following:
             DC: \\DC.contoso.com
        Address: \\192.168.1.10
       Dom Guid: a3bd534c-19e9-4880-81ad-a8ee34cd4526
       Dom Name: contoso.com
    Forest Name: contoso.com
   Dc Site Name: Default-First-Site-Name
  Our Site Name: Default-First-Site-Name
          Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
  The command completed successfully
- Check the computer's site membership. To do this, type the following command, and then press Enter:
  nltest /dsgetsite
  A successful result resembles the following:
  Default-First-Site-Name
  The command completed successfully
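As an added example that is not part of this article, the following Python script parses the two nltest outputs shown above and lists anything in the result that would explain a failed Kerberos single sign-on. The sample outputs are constructed from the text above; the minimum flag set (DS, LDAP, KDC) and the CLOSE_SITE check are assumptions made for the example.

```python
import re

# Constructed sample: the nltest /dsgetdc output this article shows for a correct setup.
SAMPLE_DSGETDC = r"""
           DC: \\DC.contoso.com
      Address: \\192.168.1.10
     Dom Guid: a3bd534c-19e9-4880-81ad-a8ee34cd4526
     Dom Name: contoso.com
  Forest Name: contoso.com
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
"""

# Constructed sample: the nltest /dsgetsite output shown above.
SAMPLE_DSGETSITE = "Default-First-Site-Name\nThe command completed successfully\n"

# Assumed minimum for a Kerberos logon: the located DC must offer the directory, LDAP and a KDC.
REQUIRED_FLAGS = {"DS", "LDAP", "KDC"}

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

def parse_dsgetdc(text):
    """Turn the 'Key: value' lines of nltest /dsgetdc into a dict; Flags becomes a set."""
    info = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    info["Flags"] = set(info.get("Flags", "").split())
    info["ok"] = "The command completed successfully" in text
    return info

def parse_dsgetsite(text):
    """Return the site name printed by nltest /dsgetsite, or None if the call did not succeed."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 2 or lines[-1] != "The command completed successfully":
        return None
    return lines[0]

def check_dc(info, site=None):
    """List the reasons a DC locator result would explain a credential prompt instead of SSO."""
    problems = []
    if not info.get("ok"):
        return ["nltest did not complete successfully: no domain controller was located"]
    for flag in sorted(REQUIRED_FLAGS - info["Flags"]):
        problems.append(f"DC lacks the {flag} role")
    if "CLOSE_SITE" not in info["Flags"]:
        problems.append("DC is not in the client's site (no CLOSE_SITE); check site and subnet definitions")
    if site is not None and site != info.get("Our Site Name"):
        problems.append(f"dsgetsite reports {site!r} but dsgetdc reports {info.get('Our Site Name')!r}")
    return problems
```

Run it against the pasted output of both commands; an empty list from check_dc means the DC locator result matches what this article describes as correct.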
Note that logging on through Microsoft Outlook connections is also not expected to be a single sign-on experience.