Article ID: 2419389 - View products that this article applies to.
When a federated user tries to sign in to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune, the Internet browser can't display the Active Directory Federation Services (AD FS) sign-in webpage. Additionally, the user may receive an error message. For example, if the user is using Internet Explorer, the user may receive the following error message:
When this error occurs, the address that's displayed in the web browser resembles the following address:
Internet Explorer cannot display the webpage.
This issue may occur if the user can't contact the on-premises AD FS federation server or the Internet-facing AD FS Federation server proxy. This can occur when the AD FS Federation Service stops running or when IP connectivity is marginalized.
Before you begin to resolve this issue, determine the AD FS endpoint address for the on-premises federation server, and then determine which server is having problems.
Determine the AD FS endpoint address for the on-premises federation serverTo do this, follow these steps on a domain-connected computer that has Azure Active Directory Module for Windows PowerShell installed:
Determine the server that's having problemsScope the issue. To do this, determine the server that's having problems. If only Internet clients are having problems, troubleshoot the AD FS Federation server proxy first. If corporate network clients are also having problems, troubleshoot the AD FS federation server first.
After you determine which server is having problems, follow these steps on the appropriate AD FS server:
Step 1: Make sure that the on-premises AD FS federation server is running
Step 2: Make sure that the web server is running on the appropriate AD FS server
Step 3: Make sure that DNS has a host record for the AD FS endpoint that's appropriate to the client that's having problemsFor internal clients, internal DNS should resolve the AD FS endpoint name to an internal IP address (for example, sts.contoso.com A 192.168.1.104.). For Internet clients, the endpoint name should resolve to a public IP address. This can be tested on the client by using the following procedure. If the on-premises network contains a proxy server, try to add the AD FS endpoint by using Internet Options in Internet Explorer.
Step 4: Try to add the AD FS server name as an exception in the Internet proxy settings in Internet Explorer on the client computerIf the on-premises network contains a proxy, and if only internal clients are having problems with AD FS access, try to add the AD FS server name as an exception in the Internet proxy settings in Internet Explorer. To do this, follow these steps on the client computer:
The Windows PowerShell commands in this article require the Azure Active Directory Module for Windows PowerShell. For more information about Azure Active Directory Module for Windows PowerShell, go to Manage Azure AD using Windows PowerShell
Still need help? Go to the Office 365 Community
(http://community.office365.com/)website or the Azure Active Directory Forums
Article ID: 2419389 - Last Review: February 19, 2015 - Revision: 47.0