Please try again in a few minutes. If this doesn't work, you might want to contact your admin and report the following error:
80041317 or 80043431
Note: This can occur after the token-signing certificate is renewed on-premises without updating federation trust data.
To verify that this is the cause of the issue that you're experiencing, follow these steps on a domain-joined computer:
- Verify the mismatched attribute between the AD FS service and the Microsoft cloud service. To do this, follow these steps:
- Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
- At the command prompt, type the following commands. Make sure that you press Enter after you type each command:
$cred = get-credential
Note: When you're prompted, enter your cloud service admin credentials.
Set-MSOLADFSContext -Computer:<AD FS 2.0 Server Name>
Note: In this command, the placeholder <AD FS 2.0 Server Name> represents the Windows host name of the primary AD FS server.
Get-MsolFederationProperty -domainname: <Federated Domain Name>
Note: In this command, the <Federated Domain Name> placeholder represents the name of the domain that's already federated with the cloud service for single sign-on (SSO).
Note: The command output is divided into the following two sections:
- The first line of the first section reads "Source: AD FS Server" and represents the configuration that's stored in the local AD FS service.
- The first line of the second section reads "Source: <Microsoft cloud service>" and represents the configuration that's stored in the identity service.
- Compare the values of each attribute in the two sections to determine whether the values are mismatched. If the values are mismatched, the federated domain configuration has to be updated.
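The attribute-by-attribute comparison in the last step can be scripted. The following PowerShell is an added example, not part of the original article: `Compare-FederationProperty` is a hypothetical helper name, and the two sample objects and their values are constructed to mimic a renewed token-signing certificate that was never pushed to the cloud service.

```powershell
# Added example: report attributes that differ between the local AD FS
# configuration and the copy stored by the cloud identity service.
function Compare-FederationProperty {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [psobject] $OnPremises,
        [Parameter(Mandatory)] [psobject] $Cloud
    )
    # Certificates compare by thumbprint; everything else as a trimmed string.
    $normalise = {
        param($value)
        if ($value -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
            return $value.Thumbprint
        }
        if ($null -eq $value) { return '' }
        return ([string]$value).Trim()
    }
    # Union of attribute names from both sides, minus the "Source" label.
    $names = @($OnPremises.PSObject.Properties.Name) + @($Cloud.PSObject.Properties.Name) |
        Where-Object { $_ -ne 'Source' } | Sort-Object -Unique
    foreach ($name in $names) {
        $onPremValue = & $normalise ($OnPremises.$name)
        $cloudValue  = & $normalise ($Cloud.$name)
        # -cne is case-sensitive, so a difference in letter case is reported too.
        if ($onPremValue -cne $cloudValue) {
            [pscustomobject]@{ Attribute = $name; OnPremises = $onPremValue; Cloud = $cloudValue }
        }
    }
}

# Constructed sample values (not real output). In a live session the two objects
# would be the two "Source" sections returned by Get-MsolFederationProperty.
$adfs = [pscustomobject]@{
    Source                      = 'AD FS Server'
    FederationServiceIdentifier = 'http://sts.contoso.example/adfs/services/trust'
    TokenSigningCertificate     = 'CONSTRUCTED-THUMBPRINT-NEW'
}
$cloud = [pscustomobject]@{
    Source                      = '<Microsoft cloud service>'
    FederationServiceIdentifier = 'http://sts.contoso.example/adfs/services/trust'
    TokenSigningCertificate     = 'CONSTRUCTED-THUMBPRINT-OLD'
}
Compare-FederationProperty -OnPremises $adfs -Cloud $cloud | Format-Table -AutoSize
```

An empty result means the two sections agree; any row returned names an attribute that the methods below need to bring back in sync.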
Method 1: Update the configuration of the federated domain
For more information about how to do this, see the "How to update the configuration of the Office 365 federated domain" section of the following article in the Microsoft Knowledge Base:
Method 2: Repair the configuration of the federated domain
If method 1 doesn't resolve the issue, try to repair the federated trust. For more information about how to do this, see the "How to repair the configuration of the Office 365 federated domain" section of the following article in the Microsoft Knowledge Base:
Method 3: Manually update the attributes by using the Azure Active Directory Module for Windows PowerShell
If methods 1 and 2 don't resolve the issue, try to manually update the mismatched attributes. In the Windows PowerShell connection that you used to diagnose the issue, run the appropriate cmdlet from the following table:
|Mismatched attributes|Error code|Command to update attribute|Notes|
|||Set-MSOLDomainFederationSettings -domainname <Domain.suffix> -issueruri <newURI>|The placeholder <Domain.suffix> represents the federated domain name. The placeholder <newURI> represents the URI value of the on-premises FederationServiceIdentifier attribute (listed first in the output of the Get-MsolFederationProperty cmdlet).|
Article ID: 2647020 - Last Review: Dec 16, 2016 - Revision: 1