
Sign in to Office 365, Azure, or Intune fails after you change the federation service endpoint

PROBLEM
After you change Active Directory Federation Services (AD FS) service endpoint settings in the AD FS Management Console, single sign-on (SSO) authentication to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune fails, and you experience one of the following symptoms:
  • Federated users can't sign in to Office 365, Azure, or Intune by using rich client applications.
  • Browser applications repeatedly prompt users for credentials when they try to authenticate to AD FS during SSO authentication.
CAUSE
This issue may occur if one of the following conditions is true:
  • The AD FS service endpoints are inappropriately configured.
  • Kerberos authentication on the AD FS server is broken.
SOLUTION
To resolve this issue, use one of the following methods, as appropriate for your situation.

Resolution 1: Restore the default AD FS service endpoint configuration

To restore AD FS default service endpoint settings, follow these steps on the primary AD FS server:
  1. Open the AD FS Management Console, and in the left navigation pane, browse to AD FS (2.0), then Service, and then Endpoints.

    Screen shot of Endpoints under service in AD FS 2.0 Management Console
  2. Examine the endpoints list, and make sure that the entries in this list are enabled as indicated (at a minimum):

    URL Path                                                       Enabled   Proxy enabled
    /adfs/ls/                                                      Yes       Not applicable
    /adfs/services/trust/2005/windowstransport/                    Yes       Yes
    /adfs/services/trust/2005/certificatemixed                     Yes       Yes
    /adfs/services/trust/2005/certificatetransport                 Yes       Yes
    /adfs/services/trust/2005/usernamemixed                        Yes       Yes
    /adfs/services/trust/2005/kerberosmixed                        Yes       No
    /adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256   Yes       Yes
    /adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256    Yes       Yes
    /adfs/services/trust/13/kerberosmixed                          Yes       No
    /adfs/services/trust/13/certificatemixed                       Yes       Yes
    /adfs/services/trust/13/usernamemixed                          Yes       Yes
    /adfs/services/trust/13/issuedtokenmixedasymmetricbasic256     Yes       Yes
    /adfs/services/trust/13/issuedtokenmixedsymmetricbasic256      Yes       Yes
    /adfs/services/trusttcp/windows                                Yes       No
    /adfs/services/trust/mex                                       Yes       Yes
    /FederationMetadata/2007-06/FederationMetadata.xml             Yes       Yes
    /adfs/ls/federationserverservice.asmx                          Yes       No
  3. If an item in the list doesn't match the default settings in the previous table, right-click the entry, and then select Enable or Enable on Proxy as necessary.
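
The comparison in steps 2 and 3 can also be scripted. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling: it checks endpoint objects against the table in step 2. `Compare-AdfsEndpointBaseline` is a hypothetical helper name, the sample data is constructed, and the script assumes the input objects carry the `AddressPath`, `Enabled` and `Proxy` properties that `Get-AdfsEndpoint` returns.

```powershell
# Baseline copied from the table in step 2; Proxy "NA" = not applicable (not checked).
$baseline = @'
Path,Enabled,Proxy
/adfs/ls/,Yes,NA
/adfs/services/trust/2005/windowstransport/,Yes,Yes
/adfs/services/trust/2005/certificatemixed,Yes,Yes
/adfs/services/trust/2005/certificatetransport,Yes,Yes
/adfs/services/trust/2005/usernamemixed,Yes,Yes
/adfs/services/trust/2005/kerberosmixed,Yes,No
/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256,Yes,Yes
/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256,Yes,Yes
/adfs/services/trust/13/kerberosmixed,Yes,No
/adfs/services/trust/13/certificatemixed,Yes,Yes
/adfs/services/trust/13/usernamemixed,Yes,Yes
/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256,Yes,Yes
/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256,Yes,Yes
/adfs/services/trusttcp/windows,Yes,No
/adfs/services/trust/mex,Yes,Yes
/FederationMetadata/2007-06/FederationMetadata.xml,Yes,Yes
/adfs/ls/federationserverservice.asmx,Yes,No
'@ | ConvertFrom-Csv

function Compare-AdfsEndpointBaseline {   # hypothetical helper name
    param([Parameter(Mandatory = $true)] [object[]] $Endpoints)
    foreach ($b in $baseline) {
        $key = $b.Path.TrimEnd('/')       # ignore trailing-slash differences
        $ep  = $Endpoints | Where-Object { $_.AddressPath.TrimEnd('/') -eq $key } |
               Select-Object -First 1
        if (-not $ep) { $status = 'NotFound' }   # no such path in the input: check by hand
        else {
            $enabledOk = $ep.Enabled -eq ($b.Enabled -eq 'Yes')
            $proxyOk   = ($b.Proxy -eq 'NA') -or ($ep.Proxy -eq ($b.Proxy -eq 'Yes'))
            $status    = if ($enabledOk -and $proxyOk) { 'OK' } else { 'Mismatch' }
        }
        New-Object psobject -Property @{ Path = $b.Path; Status = $status
            Enabled = $ep.Enabled; Proxy = $ep.Proxy }
    }
}

# Constructed sample shaped like Get-AdfsEndpoint output (not from a real server).
$sample = @(
    New-Object psobject -Property @{ AddressPath = '/adfs/services/trust/2005/usernamemixed'; Enabled = $true; Proxy = $false }
    New-Object psobject -Property @{ AddressPath = '/adfs/services/trust/13/kerberosmixed'; Enabled = $true; Proxy = $false }
)
Compare-AdfsEndpointBaseline $sample | Where-Object { $_.Status -eq 'Mismatch' } |
    Format-Table Path, Status, Enabled, Proxy -AutoSize
# On the primary AD FS 2.0 server, load the snap-in and pass live data instead:
#   Add-PSSnapin Microsoft.Adfs.PowerShell
#   Compare-AdfsEndpointBaseline (Get-AdfsEndpoint) | Where-Object { $_.Status -ne 'OK' }
```

Rows reported as `NotFound` mean the baseline path did not appear in the input at all, so confirm the spelling of that path in the console before changing anything.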

Resolution 2: Troubleshoot Kerberos authentication issues

For more info about how to troubleshoot Kerberos authentication issues, see the following Microsoft Knowledge Base article:
2461628 A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Intune 

MORE INFORMATION
Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.
Properties

Article ID: 2712957 - Last Review: 12/12/2014 09:50:00 - Revision: 20.0

  • Microsoft Azure cloud services
  • Microsoft Azure Active Directory
  • Microsoft Office 365
  • Microsoft Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management