After you change Active Directory Federation Services (AD FS) service endpoint settings in the AD FS Management Console, single sign-on (SSO) authentication to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune fails, and you experience one of the following symptoms:
- Federated users can't sign in to Office 365, Azure, or Intune by using rich client applications.
- Browser applications repeatedly prompt users for credentials when they try to authenticate to AD FS during SSO authentication.
This issue may occur if one of the following conditions is true:
- The AD FS service endpoints are inappropriately configured.
- Kerberos authentication on the AD FS server is broken.
To resolve this issue, use one of the following methods, as appropriate for your situation.
Resolution 1: Restore the default AD FS service endpoint configuration
To restore the AD FS default service endpoint settings, follow these steps on the primary AD FS server:
- Open the AD FS Management Console, and in the left navigation pane, browse to AD FS (2.0), then Service, and then Endpoints.
- Examine the endpoints list, and make sure that the entries in this list are enabled as indicated (at a minimum):
URL path                                                      Enabled  Proxy enabled
/adfs/ls/                                                     Yes      Not applicable
/adfs/services/trust/2005/windowstransport/                   Yes      Yes
/adfs/services/trust/2005/certificatemixed                    Yes      Yes
/adfs/services/trust/2005/certificatetransport                Yes      Yes
/adfs/services/trust/2005/usernamemixed                       Yes      Yes
/adfs/services/trust/2005/kerberosmixed                       Yes      No
/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256  Yes      Yes
/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256   Yes      Yes
/adfs/services/trust/13/kerberosmixed                         Yes      No
/adfs/services/trust/13/certificatemixed                      Yes      Yes
/adfs/services/trust/13/usernamemixed                         Yes      Yes
/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256    Yes      Yes
/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256     Yes      Yes
/adfs/services/trusttcp/windows                               Yes      No
/adfs/services/trust/mex                                      Yes      Yes
/FederationMetadata/2007-06/FederationMetadata.xml            Yes      Yes
/adfs/ls/federationserverservice.asmx                         Yes      No
- If an item in the list doesn't match the default settings in the previous table, right-click the entry, and then select Enable or Enable on Proxy as necessary.
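The same check can be scripted instead of walked through in the console. The following PowerShell script is an added example and is not part of this article: it reads the farm's endpoint list with Get-AdfsEndpoint, compares each entry in the table above against the documented default, reports any drift, and with the -Fix switch re-enables the endpoint (Enable-AdfsEndpoint) or corrects its proxy setting (Set-AdfsEndpoint). It assumes the AD FS cmdlets are available in an elevated session on the primary AD FS server; on AD FS 2.0 they come from the Microsoft.Adfs.PowerShell snap-in. The script only touches endpoints the table lists as enabled, so endpoints that are disabled by default stay disabled. Keep in mind that an endpoint with "Proxy enabled" set to Yes is reachable from the internet through the federation server proxy, so do not proxy-enable anything beyond what the table requires.

```powershell
# Added example, not part of KB 2712957: audit the AD FS endpoint list against the
# defaults in the table above and, with -Fix, re-enable whatever has drifted.
# Run in an elevated PowerShell session on the primary AD FS server.
# Assumes the AD FS cmdlets Get-AdfsEndpoint, Enable-AdfsEndpoint and Set-AdfsEndpoint.
# On AD FS 2.0 load them first:  Add-PSSnapin Microsoft.Adfs.PowerShell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix   # without -Fix the script only reports drift
)

# Expected state, copied from the article's table. Proxy = $null means "Not applicable".
$expected = @(
    @{ Path = '/adfs/ls/';                                                    Enabled = $true; Proxy = $null  }
    @{ Path = '/adfs/services/trust/2005/windowstransport';                   Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trust/2005/certificatemixed';                   Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trust/2005/certificatetransport';               Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trust/2005/usernamemixed';                      Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trust/2005/kerberosmixed';                      Enabled = $true; Proxy = $false }
    @{ Path = '/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256'; Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256';  Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trust/13/kerberosmixed';                        Enabled = $true; Proxy = $false }
    @{ Path = '/adfs/services/trust/13/certificatemixed';                     Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trust/13/usernamemixed';                        Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256';   Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256';    Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/services/trusttcp/windows';                              Enabled = $true; Proxy = $false }
    @{ Path = '/adfs/services/trust/mex';                                     Enabled = $true; Proxy = $true  }
    @{ Path = '/FederationMetadata/2007-06/FederationMetadata.xml';           Enabled = $true; Proxy = $true  }
    @{ Path = '/adfs/ls/federationserverservice.asmx';                        Enabled = $true; Proxy = $false }
)

$actual = Get-AdfsEndpoint
$drift  = 0

foreach ($want in $expected) {
    # Compare without the trailing slash; the console and the cmdlets are not consistent about it.
    $ep = $actual | Where-Object { $_.AddressPath.TrimEnd('/') -ieq $want.Path.TrimEnd('/') } |
          Select-Object -First 1
    if (-not $ep) {
        Write-Warning "Endpoint not found on this farm: $($want.Path)"
        $drift++
        continue
    }

    # Server-side enabled state
    if ($want.Enabled -and -not $ep.Enabled) {
        Write-Warning "Disabled on server (default: enabled): $($ep.AddressPath)"
        $drift++
        if ($Fix -and $PSCmdlet.ShouldProcess($ep.AddressPath, 'Enable-AdfsEndpoint')) {
            Enable-AdfsEndpoint -TargetAddressPath $ep.AddressPath
        }
    }

    # Proxy-enabled state (skipped where the table says "Not applicable")
    if ($null -ne $want.Proxy -and $ep.Proxy -ne $want.Proxy) {
        Write-Warning ("Proxy enabled is {0} (default: {1}): {2}" -f $ep.Proxy, $want.Proxy, $ep.AddressPath)
        $drift++
        if ($Fix -and $PSCmdlet.ShouldProcess($ep.AddressPath, "Set-AdfsEndpoint -Proxy $($want.Proxy)")) {
            Set-AdfsEndpoint -TargetAddressPath $ep.AddressPath -Proxy $want.Proxy
        }
    }
}

if ($drift -eq 0) {
    Write-Host 'All endpoints in the table match the documented defaults.'
} else {
    Write-Host "$drift deviation(s) from the documented defaults."
    if ($Fix) {
        Write-Host 'Endpoint changes take effect after the AD FS Windows service (adfssrv) is restarted.'
    }
}
```

Run it once without -Fix to see the report, then with -Fix -WhatIf to preview the exact cmdlet calls, and finally with -Fix to apply them. Because the script is an advanced script with SupportsShouldProcess, -WhatIf and -Confirm work on the Enable-AdfsEndpoint and Set-AdfsEndpoint calls without any extra code.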
Resolution 2: Troubleshoot Kerberos authentication issues
For more information about how to troubleshoot Kerberos authentication issues, see the following Microsoft Knowledge Base article:
2461628 A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Intune
Article ID: 2712957 - Last Review: Dec 16, 2016 - Revision: 1
Applies to: Microsoft Azure Cloud Services, Microsoft Azure Active Directory, Office 365, Microsoft Intune, CRM Online via Office 365 E Plans, Microsoft Azure Recovery Services, Office 365 Identity Management