When you try to access a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune through a web-based client or a rich client application by using a federated account, authentication fails from a specific client computer.
When you use a web browser to access the cloud service portal from the same computer by using a federated account, you may experience one of the following symptoms:
When you connect to the portal endpoint, you receive one of the following error messages:
Internet Explorer cannot display the webpage.
403 Page Not Found
When you connect to the Active Directory Federation Services (AD FS) endpoint, you receive one of the following error messages:
Internet Explorer cannot display the webpage
403 Page Not Found
You receive a certificate warning when you connect to the AD FS endpoint.
When you connect to the AD FS endpoint while you are logged in to the corporate domain, you receive a single credential prompt. This prompt for your credentials doesn't use forms-based authentication.
When you connect to the AD FS endpoint by using a third-party web browser, you receive looping authentication prompts. These prompts don't use forms-based authentication.
When you connect to the login.microsoftonline.com endpoint, you receive the following error message:
Usually, this issue occurs on a client computer or on a group of client devices. This issue may occur for all users and client computers if single sign-on (SSO) isn't fully functional. SSO might not be fully functional if the client settings weren't correctly set up. The following client device situations may cause this issue:
Network connectivity may be limited.
The client device is receiving incorrect name resolution for the AD FS Federation service from the internal split-brain DNS implementation.
If an Internet proxy server is configured on the computer, the AD FS Federation service name may not be added to the proxy bypass list.
The AD FS Federation service name may not be added to the Local Intranet security zone in Internet Options settings.
The client computer isn't authenticated to Active Directory Domain Services.
The third-party web browser doesn't support Extended Protection for Authentication to the AD FS Federation service.
The federation metadata endpoint may be hardcoded in the registry because of an earlier Office 365 Beta installation of the SSO Management Tool.
The required AD FS service endpoint that's required for a specific client application is disabled.
Before you continue, make sure that the following conditions are true:
Access problems aren't limited to rich client applications on the client computer. If only rich client authentication (as opposed to browser-based authentication) isn't working, it more likely indicates a rich client authentication issue. For example, it may be an issue that's related to the prerequisites or the configuration of the rich-client application. For more information, see the following Microsoft Knowledge Base article:
How to troubleshoot non-browser apps that can’t sign in to Office 365, Azure, or Intune
SSO authentication doesn't fail for all SSO-enabled user accounts. If all SSO-enabled users experience the same symptoms, it more likely indicates a federation issue. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
SSO authentication for the user account succeeds on other client computers. If the user account can't log on to any cloud services client, see the resolutions later in this article that involve the client computer. Also, explore the possibility that there's something wrong with the user account and not with the client computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
At a command prompt, type nslookup www.msn.com to determine whether DNS is resolving Internet server names.
Make sure that Internet Options proxy settings reflect the appropriate proxy server if a proxy server is used in the local network.
If a Forefront Threat Management Gateway (TMG) firewall is installed on the boundary of the network, and the firewall requires client authentication, you may have to install a Forefront TMG Client program on the client device for Internet access. Contact your cloud service admin for help with this.
Resolution 2: Can't connect to AD FS
To resolve this issue, follow these steps:
Eliminate IP connectivity problems by using Resolution 1.
At the command prompt, type nslookup <AD FS FQDN>, and then press Enter to determine whether DNS is resolving the AD FS service name correctly.
Note: In this command, <AD FS FQDN> represents the fully qualified domain name (FQDN) of the AD FS service name. It doesn't represent the Windows host name of the AD FS server.
If the client is attached to the corporate network, make sure that the IP address that's resolved is a private IP address. The IP address should match one of the following patterns:
If the client is outside the corporate network, make sure that the IP address that's resolved is a public IP address. Make sure that it does not match one of the following patterns:
If the IP address that's resolved is incorrect based on step 1 and step 2, and other client computers don't experience the same behavior, do the following:
At the command prompt, type ipconfig /all, and then check that the Primary DNS Server entry is appropriate for the network to which the client is attached.
Open the %windir%\system32\drivers\etc\hosts file in Notepad, and then remove any entries for the AD FS FQDN. Then, save the file.
At the command prompt, type ipconfig /flushdns to clear the DNS cache.
Note: If client devices are only attached to the corporate network, go to step 3.
Add the AD FS FQDN to the Proxy Bypass list. To do this, follow the steps in the following article in the Microsoft Knowledge Base:
Internet Explorer uses proxy server for local IP address even if the "Bypass Proxy Server for Local Addresses" option is turned on
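The client-side checks from Resolution 1 and Resolution 2 (resolution of the service name, hosts-file overrides, and the proxy bypass list) combined into one script, as an added example that is not part of the original article. It assumes the service name is supplied as -AdfsFqdn (sts.contoso.com is a placeholder), treats the RFC 1918 ranges as "private", and reads the Internet Options proxy settings from the current user's registry hive, so run it as the affected user on the affected client and pass -OnCorporateNetwork when the device is attached to the corporate LAN.

```powershell
# Added diagnostic script, not part of the original article. It assumes the AD FS
# service name is passed as -AdfsFqdn (for example sts.contoso.com, a placeholder).
param(
    [Parameter(Mandatory = $true)][string]$AdfsFqdn,
    [switch]$OnCorporateNetwork   # set when the client is attached to the corporate LAN
)

function Test-PrivateIPv4 {
    # Assumption: "private" means the RFC 1918 ranges 10/8, 172.16/12 and 192.168/16.
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}
$problems = @()

# A hosts-file entry silently overrides DNS for the service name.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$pattern = '^\s*[0-9A-Fa-f:.]+\s+.*\b' + [regex]::Escape($AdfsFqdn) + '\b'
Select-String -Path $hostsPath -Pattern $pattern | ForEach-Object {
    $problems += "hosts file overrides ${AdfsFqdn}: $($_.Line.Trim())"
}

# The resolved address should be private on the corporate network and public outside it.
try {
    $answers = Resolve-DnsName -Name $AdfsFqdn -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
    foreach ($a in $answers) {
        $isPrivate = Test-PrivateIPv4 $a.IPAddress
        if ($OnCorporateNetwork -and -not $isPrivate) {
            $problems += "$AdfsFqdn resolves to public address $($a.IPAddress) from inside the corporate network"
        } elseif (-not $OnCorporateNetwork -and $isPrivate) {
            $problems += "$AdfsFqdn resolves to private address $($a.IPAddress) from outside the corporate network"
        }
    }
} catch { $problems += "DNS lookup of $AdfsFqdn failed: $($_.Exception.Message)" }

# With a proxy enabled the FQDN must be on the bypass list (ProxyOverride). The
# "<local>" entry only covers names without a dot, so it does not count for an FQDN.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    $bypass = @($inet.ProxyOverride -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if (-not ($bypass | Where-Object { $AdfsFqdn -like $_ })) {
        $problems += "proxy '$($inet.ProxyServer)' is enabled but $AdfsFqdn is not in the bypass list"
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No name-resolution or proxy issues found for $AdfsFqdn" }
```

Each warning maps to one of the steps above (remove the hosts entry and run ipconfig /flushdns, fix the primary DNS server, or add the FQDN to the bypass list); a clean run means the remaining resolutions in this article are the next place to look.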
Resolution 5: Third-party web browser doesn't support Extended Protection for Authentication, and you receive looping authentication prompts
To resolve this issue, follow these steps:
Use Windows Internet Explorer (Internet Explorer supports Extended Protection for Authentication) instead of a third-party web browser that doesn't support Extended Protection for Authentication.
If using Internet Explorer isn't an option, use the following Microsoft Knowledge Base article to configure AD FS to accept requests from web browsers that do not support Extended Protection for Authentication:
A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Intune
Resolution 6: "Access Denied" error message when you try to connect to login.microsoftonline.com
Important: This section contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
Problems may occur if the endpoint for Azure Active Directory SSO that's used by AD FS isn't valid. Make sure that the federation endpoint isn't hard-coded in the registry of each server in the AD FS Federation service farm.
To resolve this issue, use Registry Editor to delete the following registry subkey: