PROBLEM
When you try to access a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune through a web-based client or a rich client application by using a federated account, authentication fails from a specific client computer.
When you use a web browser to access the cloud service portal from the same computer by using a federated account, you may experience one of the following symptoms:
- When you connect to the portal endpoint, you receive one of the following error messages:
  - Internet Explorer cannot display the webpage.
  - 403 Page Not Found
- When you connect to the Active Directory Federation Services (AD FS) endpoint, you receive one of the following error messages:
  - Internet Explorer cannot display the webpage.
  - 403 Page Not Found
- You receive a certificate warning when you connect to the AD FS endpoint.
- When you connect to the AD FS endpoint while you are logged in to the corporate domain, you receive a single credential prompt. This prompt for your credentials doesn't use forms-based authentication.
- When you connect to the AD FS endpoint by using a third-party web browser, you receive looping authentication prompts. These prompts don't use forms-based authentication.
- When you connect to the login.microsoftonline.com endpoint, you receive the following error message:
  - Access Denied
CAUSE
Usually, this issue occurs on a client computer or on a group of client devices. This issue may occur for all users and client computers if single sign-on (SSO) isn't fully functional. SSO might not be fully functional if the client settings weren't correctly set up. The following client device situations may cause this issue:
- Network connectivity may be limited.
- The client device is receiving incorrect name resolution for the AD FS Federation service from the internal split-brain DNS implementation.
- If an Internet proxy server is configured on the computer, the AD FS Federation service name may not be added to the proxy bypass list.
- The AD FS Federation service name may not be added to the Local intranet security zone in Internet Options settings.
- The client computer isn't authenticated to Active Directory Domain Services.
- The third-party web browser doesn't support Extended Protection for Authentication to the AD FS Federation service.
- The federation metadata endpoint may be hardcoded in the registry because of an earlier Office 365 Beta installation of the SSO Management Tool.
- The AD FS service endpoint that's required for a specific client application is disabled.
Before you continue, make sure that the following conditions are true:
- Access problems aren't limited to rich client applications on the client computer. If only rich client authentication (as opposed to browser-based authentication) isn't working, it more likely indicates a rich client authentication issue. For example, it may be an issue that's related to the prerequisites or the configuration of the rich-client application. For more information, see the following Microsoft Knowledge Base article:
  2637629 How to troubleshoot non-browser apps that can't sign in to Office 365, Azure, or Intune
- SSO authentication doesn't fail for all SSO-enabled user accounts. If all SSO-enabled users experience the same symptoms, it more likely indicates a federation issue. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  2530569 Troubleshoot single sign-on setup issues in Office 365, Intune, or Azure
- SSO authentication for the user account succeeds on other client computers. If the user account can't log on to any cloud services client, see the resolutions later in this article that involve the client computer. Also, explore the possibility that there's something wrong with the user account and not with the client computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  2530590 Troubleshoot account issues for federated users in Office 365, Azure, or Intune
- The keyboard on the client computer is working correctly, and the user name and password, where necessary, were entered correctly.
SOLUTION
To troubleshoot this issue, use one or more of the following methods, depending on the cause of the issue.
Resolution 1: Can't connect to cloud service portal or to AD FS
Try to browse to http://www.msn.com. If this doesn't work, troubleshoot network connectivity issues. To do this, follow these steps:
1. At a command prompt, use the ipconfig and ping tools to troubleshoot IP connectivity. For more information, see the following Microsoft Knowledge Base article:
   169790 How to troubleshoot basic TCP/IP problems
2. At a command prompt, type nslookup www.msn.com to determine whether DNS is resolving Internet server names.
3. Make sure that Internet Options proxy settings reflect the appropriate proxy server if a proxy server is used in the local network.
4. If a Forefront Threat Management Gateway (TMG) firewall is installed on the boundary of the network, and the firewall requires client authentication, you may have to install the Forefront TMG Client program on the client device for Internet access. Contact your cloud service admin for help with this.
Resolution 2: Can't connect to AD FS
To resolve this issue, follow these steps:
1. Eliminate IP connectivity problems by using Resolution 1.
2. At the command prompt, type nslookup <AD FS FQDN>, and then press Enter to determine whether DNS is resolving the AD FS service name correctly.
   Note In this command, <AD FS FQDN> represents the fully qualified domain name (FQDN) of the AD FS service name. It doesn't represent the Windows host name of the AD FS server.
   1. If the client is attached to the corporate network, make sure that the IP address that's resolved is a private IP address. The IP address should match one of the following patterns:
      - 10.x.x.x
      - 172.16.x.x
      - 192.168.x.x
   2. If the client is outside the corporate network, make sure that the IP address that's resolved is a public IP address. Make sure that it does not match one of the following patterns:
      - 10.x.x.x
      - 172.16.x.x
      - 192.168.x.x
   3. If the IP address that's resolved is incorrect based on step 1 and step 2, and other client computers don't experience the same behavior, do the following:
      - At the command prompt, type ipconfig /all, and then check that the Primary DNS Server entry is appropriate for the network to which the client is attached.
      - Open the %windir%\system32\drivers\etc\hosts file in Notepad, and then remove any entries for the AD FS FQDN. Then, save the file.
      - At the command prompt, type ipconfig /flushdns to clear the DNS cache.
      Note If client devices are only attached to the corporate network, go to step 3.
3. Add the AD FS FQDN to the Proxy Bypass list. To do this, follow the steps in the following article in the Microsoft Knowledge Base:
   262981 Internet Explorer uses proxy server for local IP address even if the "Bypass Proxy Server for Local Addresses" option is turned on
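The connectivity and name-resolution checks from Resolution 1 and Resolution 2, scripted in PowerShell as an added example that is not part of the original article. It assumes the federation service name is passed in $AdfsFqdn (sts.contoso.com is a placeholder), that $OnCorpNet states whether the client is attached to the corporate network, that the hosts file is at its default path, and that the client runs Windows 8 / Windows Server 2012 or later (for the NetTCPIP and DnsClient cmdlets). The private range the article writes as 172.16.x.x is the 172.16.0.0/12 block, which spans 172.16.x.x through 172.31.x.x, so the helper tests the whole block. The script only reports; it does not edit the hosts file or flush the cache.

```powershell
# Added example (not from the original KB article): client-side checks for
# Resolution 1 and Resolution 2. Assumptions: $AdfsFqdn is the federation
# service name (sts.contoso.com is a placeholder), $OnCorpNet is $true when the
# client is attached to the corporate network, hosts file at the default path.
param(
    [string]$AdfsFqdn = 'sts.contoso.com',   # placeholder: replace with your federation service FQDN
    [bool]$OnCorpNet  = $true                 # $true when the client is on the corporate network
)

# RFC 1918 private ranges. The article lists 172.16.x.x; the full private block
# is 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x.
function Test-PrivateIPv4 {
    param([string]$Address)
    $octets = @($Address.Split('.') | ForEach-Object { [int]$_ })
    if ($octets.Count -ne 4) { return $false }
    if ($octets[0] -eq 10) { return $true }
    if ($octets[0] -eq 172 -and $octets[1] -ge 16 -and $octets[1] -le 31) { return $true }
    if ($octets[0] -eq 192 -and $octets[1] -eq 168) { return $true }
    return $false
}

# Resolution 1: basic IP connectivity (default gateway) and Internet DNS.
$gateway = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Select-Object -First 1).NextHop
if ($gateway) {
    $gwOk = Test-Connection -ComputerName $gateway -Count 1 -Quiet
    Write-Host ("Default gateway {0} reachable: {1}" -f $gateway, $gwOk)
} else {
    Write-Warning 'No default route found; check ipconfig /all and the network adapter.'
}
try {
    $msn = Resolve-DnsName -Name 'www.msn.com' -Type A -ErrorAction Stop | Where-Object { $_.IPAddress }
    Write-Host ("Internet DNS works: www.msn.com -> {0}" -f ($msn.IPAddress -join ', '))
} catch {
    Write-Warning "Cannot resolve www.msn.com; fix DNS or proxy settings before continuing: $_"
}

# Resolution 2, step 2: resolve the AD FS service name and classify each answer.
try {
    $adfs = @(Resolve-DnsName -Name $AdfsFqdn -Type A -ErrorAction Stop | Where-Object { $_.IPAddress })
} catch {
    Write-Warning "Cannot resolve ${AdfsFqdn}: $_"
    $adfs = @()
}
foreach ($record in $adfs) {
    $isPrivate = Test-PrivateIPv4 -Address $record.IPAddress
    # On the corporate network a private answer is expected (split-brain DNS);
    # off the network the answer must be a public address.
    $asExpected = if ($OnCorpNet) { $isPrivate } else { -not $isPrivate }
    $verdict    = if ($asExpected) { 'OK' } else { 'UNEXPECTED' }
    Write-Host ("{0} -> {1} (private: {2}) [{3}]" -f $AdfsFqdn, $record.IPAddress, $isPrivate, $verdict)
}

# Resolution 2, sub-steps: the usual local causes of a wrong answer.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } | ForEach-Object {
    Write-Host ("Interface '{0}' DNS servers: {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', '))
}
$hostsPath = Join-Path $env:windir 'system32\drivers\etc\hosts'
$hostsHits = Select-String -Path $hostsPath -Pattern ([regex]::Escape($AdfsFqdn)) |
             Where-Object { $_.Line -notmatch '^\s*#' }
if ($hostsHits) {
    Write-Warning "hosts file contains entries for ${AdfsFqdn}; remove them and run ipconfig /flushdns:"
    $hostsHits | ForEach-Object { Write-Warning ("  line {0}: {1}" -f $_.LineNumber, $_.Line) }
} else {
    Write-Host "No hosts file override for $AdfsFqdn."
}
```

Run it from an ordinary user prompt on the affected client, once on the corporate network and once outside it with $OnCorpNet set accordingly. An UNEXPECTED verdict together with a hosts-file hit, or a DNS server list that belongs to the other network, points directly at the sub-steps under step 2; a clean run here with the symptom still present moves the investigation to step 3 (proxy bypass) or to Resolution 4.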
Resolution 3: Certificate warning when you connect to the AD FS endpoint
To resolve this issue, troubleshoot Secure Sockets Layer (SSL) certificate issues by using the following article in the Microsoft Knowledge Base:
2523494 You receive a certificate warning from AD FS when you try to sign in to Office 365, Azure, or Intune
Resolution 4: You receive a single, unexpected credential prompt when you log on from a client computer that's connected to the corporate network
To resolve this issue, follow these steps:
1. Make sure that the client computer is successfully logged on to the domain.
   1. Click Start, click Run, type %logonserver%\sysvol, and then click OK.
   2. If a credential prompt appears, log off and then log back on by using corporate credentials.
2. Add the AD FS FQDN to the Local intranet zone.
   1. In Internet Options, on the Security tab, click Local intranet, and then click Sites.
   2. Click Advanced, and then examine the Websites listing for the fully qualified DNS name of the AD FS service endpoint (for example, sts.contoso.com).
      Note A wildcard value, such as "*.contoso.com", will also work in this configuration.
3. Add the AD FS FQDN to the Proxy Bypass list. To do this, follow the steps in the following article in the Microsoft Knowledge Base:
   262981 Internet Explorer uses proxy server for local IP address even if the "Bypass Proxy Server for Local Addresses" option is turned on
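The three checks in Resolution 4 (domain logon, Local intranet zone membership, proxy bypass) as an added PowerShell example; it is not from the original article. It assumes $AdfsFqdn is the federation service name (sts.contoso.com is a placeholder) and reads the per-user WinINET settings under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Zone assignments pushed by the "Site to Zone Assignment List" Group Policy are stored under a separate Policies key and are not read here, so a policy-managed client can be reported as unmapped. The script reports what it finds and changes nothing.

```powershell
# Added example (not from the original KB article): Resolution 4 checks on a
# domain-joined Windows client. Assumption: $AdfsFqdn is the federation service
# name (sts.contoso.com is a placeholder); only per-user (HKCU) WinINET settings
# are inspected, not Group Policy zone assignments.
param(
    [string]$AdfsFqdn = 'sts.contoso.com'   # placeholder: replace with your federation service FQDN
)

# Step 1: the client must be logged on to the domain and reach SYSVOL on its
# logon DC without a credential prompt.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Host ("Domain joined: {0} ({1})" -f $cs.PartOfDomain, $cs.Domain)
if ($cs.PartOfDomain) {
    # Validates the machine account's secure channel to a DC; may need an elevated prompt.
    $channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    Write-Host ("Secure channel to a DC: {0}" -f $channelOk)
}
if ($env:LOGONSERVER) {
    $sysvol = "$env:LOGONSERVER\sysvol"
    Write-Host ("Logon server {0}, SYSVOL reachable: {1}" -f $env:LOGONSERVER, (Test-Path $sysvol))
} else {
    Write-Warning 'LOGONSERVER is not set; this session was not authenticated by a domain controller.'
}

# Step 2: the AD FS FQDN must map to the Local intranet zone (zone id 1).
# WinINET stores per-user assignments as ZoneMap\Domains\<domain>\<host> with a
# DWORD named after the scheme; a wildcard entry (*.contoso.com) is stored as
# the same DWORD directly on the <domain> key.
function Get-IeZoneForHost {
    param([string]$HostName)
    $labels  = $HostName.Split('.')
    $domain  = ($labels | Select-Object -Last 2) -join '.'
    $hostKey = ($labels | Select-Object -First ($labels.Count - 2)) -join '.'
    $base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    foreach ($key in @("$base\$domain\$hostKey", "$base\$domain")) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($scheme in 'https', 'http', '*') {
            if ($null -ne $item.$scheme) { return [int]$item.$scheme }
        }
    }
    return $null
}
$zone = Get-IeZoneForHost -HostName $AdfsFqdn
if ($null -eq $zone) {
    Write-Warning "$AdfsFqdn has no explicit zone mapping; add it to the Local intranet zone."
} elseif ($zone -eq 1) {
    Write-Host "$AdfsFqdn is in the Local intranet zone."
} else {
    Write-Warning "$AdfsFqdn is mapped to zone $zone, not Local intranet (1)."
}

# Step 3: with a proxy configured, the AD FS FQDN must be in the bypass list.
# ProxyOverride is semicolon-separated; '<local>' only covers dotless names, so
# it never matches an FQDN such as sts.contoso.com.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    $bypass  = @($inet.ProxyOverride -split ';' | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    $covered = @($bypass | Where-Object { $_ -ne '<local>' -and $AdfsFqdn -like $_ })
    Write-Host ("Proxy: {0}; bypass list: {1}" -f $inet.ProxyServer, ($bypass -join ', '))
    if ($covered.Count -gt 0) {
        Write-Host "$AdfsFqdn is covered by bypass entry '$($covered[0])'."
    } else {
        Write-Warning "$AdfsFqdn is not in the proxy bypass list (see KB 262981)."
    }
} else {
    Write-Host 'No proxy configured for this user; the bypass list does not apply.'
}
```

Run it as the affected user, because the zone map and proxy settings are per-user values. A missing zone mapping explains the single non-forms credential prompt in the symptom list (Internet Explorer only sends integrated Windows credentials automatically to Local intranet sites), and an uncovered FQDN with a proxy enabled explains why the internal AD FS address is never reached from inside the network.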
Resolution 5: Third-party web browser doesn't support Extended Protection for Authentication, and you receive looping authentication prompts
To resolve this issue, follow these steps:
1. Use Windows Internet Explorer (Internet Explorer supports Extended Protection for Authentication) instead of a third-party web browser that doesn't support Extended Protection for Authentication.
2. If using Internet Explorer isn't an option, use the following Microsoft Knowledge Base article to configure AD FS to accept requests from web browsers that do not support Extended Protection for Authentication:
   2461628 A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Intune
Resolution 6: "Access Denied" error message when you try to connect to login.microsoftonline.com
Important This section contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Problems may occur if the endpoint for Azure Active Directory SSO that's used by AD FS isn't valid. Make sure that the federation endpoint isn't hard-coded in the registry of each server in the AD FS Federation service farm. To resolve this issue, use Registry Editor to delete the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\MOCHA\IdentityFederation
AD FS will fall back to the correct endpoint based on the SSO Relying Party Trust.
Resolution 7: Reset disabled AD FS service endpoint setting to default configuration
For more information about how to do this, see the following Microsoft Knowledge Base article:
2712957 Sign in to Office 365, Azure, or Intune fails after you change the federation service endpoint
Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.