Article ID: 2712961 - View products that this article applies to.
When users sign in to a Microsoft cloud service such as Office 365, Microsoft Intune, or Microsoft Azure by using a federated user account, the connection to the Active Directory Federation Services (AD FS) service fails only when users try to do the following:
For more information about how to run the Remote Connectivity Analyzer to test SSO authentication in Office 365, see the following articles in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/2650717/ )How to use Remote Connectivity Analyzer to troubleshoot single sign-on issues for Office 365, Azure, or Intune
(https://support.microsoft.com/kb/2466333/ )Federated users can't connect to an Exchange Online mailbox
These failures can occur if the AD FS service isn't exposed correctly to the Internet. Typically, the AD FS proxy server is used for this purpose, and problems with the AD FS proxy server will cause these symptoms. Common problems include the following:
To resolve this issue, use one of the following methods, as appropriate for your situation, on all malfunctioning AD FS proxy servers.
Method 1: Fix AD FS SSL certificate issues on the AD FS serverTo do this, follow these steps:
Method 2: Reset the AD FS proxy server IIS authentication settings to defaultTo do this, follow the steps that are described in Resolution 1 of the following Microsoft Knowledge Base article for the AD FS proxy server:
(https://support.microsoft.com/kb/2461628/ )A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Intune
Method 3: Rerun the AD FS Proxy Configuration wizardTo do this, rerun the AD FS Federation Server Proxy Configuration Wizard from the Administrative Tools interface of all affected AD FS proxy servers.
Note It's usual to receive a warning from the "Deploy browser sign-in Web site" step when you rerun the configuration wizard. This isn't an indication that the wizard did not rebuild the trust between the AD FS proxy server and the AD FS Federation Service.
For more info about how to expose the AD FS service to the Internet by using an AD FS proxy server, go to the following Microsoft website:
Plan for and deploy AD FS 2.0 for use with single sign-on
Still need help? Go to the Office 365 Community
(http://community.office365.com/)website or the Azure Active Directory Forums
Article ID: 2712961 - Last Review: December 12, 2014 - Revision: 21.0