ADFS 2.0 error: This page cannot be displayed

Summary

Most Active Directory Federation Services (AD FS) 2.0 problems belong to one of a few main categories. This article contains step-by-step instructions to troubleshoot problems in the connectivity category: cases in which the client cannot reach the AD FS service at all.

Symptoms

Symptom 1

When you try to access a web application on a website that uses Active Directory Federation Services (AD FS) 2.0, you receive the following error message:

This page cannot be displayed.

Symptom 2

You cannot access the following IDP-initiated sign-on page and AD FS metadata:

https://ADFSServiceName/federationmetadata/2007-06/federationmetadata.xml

https://ADFSServiceName/adfs/ls/idpinitiatedsignon.aspx

Resolution

To resolve this problem, follow these steps in the order given. These steps will help you to determine the cause of the problem. Make sure that you check whether the problem is resolved after every step.

Step 1: Check whether the client is redirected to the correct AD FS URL

How to check

  1. Start Internet Explorer.
  2. Press F12 to open the developer tools window.
  3. On the Network tab, click the start button or press Start capturing to enable network traffic capturing.
  4. Browse to the URL of the web application.
  5. Examine the network traces to see that the client is redirected to the URL of the AD FS service for authentication. Make sure that the AD FS service URL is correct.
In the following screen shot, notice that the first URL is for the web application, and the second URL is for the AD FS service.

The screenshot for IE Developer tool

How to fix

If you are redirected to an incorrect address, you likely have incorrect AD FS federation settings in your web application. Check these settings to make sure that the AD FS federation service (SAML service provider) URL is correct.

Step 2: Check whether the AD FS Service name can be resolved to the correct IP address

How to check

On a client computer and on the AD FS proxy server (if you have one), use the ping or nslookup command to determine whether the AD FS service name resolves to the correct IP address. Use the following guidelines:
  • Intranet: The name should resolve to the Internal AD FS server IP or the load balanced IP of the AD FS server (Internal).
  • External: The name should resolve to the External/Public IP of the AD FS service. In this situation, the Public DNS is used to resolve the name. If you notice that different public IPs are returned from different computers for the same AD FS service name, the recent change in the Public DNS may not yet be propagated across all public DNS servers worldwide. Such a change may require up to 24 hours to be replicated.
Important: Make sure that every AD FS proxy server can resolve the name of the AD FS service to the internal AD FS server IP or to the internal AD FS server's load-balanced IP. The best way to do this is to add an entry in the HOSTS file on the AD FS proxy server or to use a split DNS configuration in the perimeter network (also known as "DMZ," "demilitarized zone," and "screened subnet").

Example of the nslookup command:

nslookup sts.contoso.com

The screenshot for nslookup command

How to fix

Check the DNS record for the AD FS service name on your DNS server or with your ISP. Make sure that the IP address is correct.

Step 3: Check whether TCP port 443 on the AD FS server can be accessed

How to check

Use Telnet or PortQryUI to test connectivity to port 443 on the AD FS server. Make sure that the server is listening on port 443.

The screenshot for Port query result

How to fix

If the AD FS server is not listening on port 443, follow these steps:
  1. Make sure that the AD FS 2.0 Windows Service is started.
  2. Check the Windows Firewall settings on the AD FS server to make sure that inbound connections on TCP port 443 are allowed.
  3. If a load balancer is used in front of the AD FS service, try to bypass the load balancer to verify that it is not the cause of the issue. (Load balancing is a common cause.)

Step 4: Check whether you can use an IdP-initiated sign-on page to authenticate to ADFS

How to check

Start Internet Explorer, and then browse to the following web address. If you receive a certificate warning when you try to open this page, click Continue.

https://<YourADFSServiceName>/adfs/ls/idpinitiatedsignon.aspx
Note: In this URL, <YourADFSServiceName> represents the actual AD FS service name.

Typically, a sign-in page is displayed, and you can sign in by using your credentials.

The screenshot of ADFS sign-on page

How to fix

If you can successfully perform Step 1 through Step 3 but you still cannot access the web application, follow these steps:
  1. Use another client computer and browser to perform the tests. There may be an issue that affects the client.
  2. Perform the following advanced troubleshooting steps:
    1. Collect a Fiddler Web Debugger trace and network capture information while you are accessing the IdP-initiated sign-on page. For more information, see the following TechNet topic:
    2. Collect network traces from the client computer to check whether the SSL handshake completed successfully, whether the messages are encrypted, whether you are accessing the correct IP address, and so on. For more information, see the following Microsoft articles:
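The four checks above can be run in one pass from a client computer or from an AD FS proxy server. The following PowerShell script is an added example and is not part of the article; it uses only .NET classes that exist on the Windows Server 2008 R2 / PowerShell 2.0 systems that AD FS 2.0 runs on. The service name sts.contoso.com is taken from the article's nslookup example; the expected IP address 10.0.0.5 and the application URL https://app.contoso.com/ are constructed placeholders that you replace with your own values (on the intranet, the internal IP or load-balanced IP; from outside, the public IP).

```powershell
# Added example: a combined check for Steps 1 to 4 of the article.
# Not from the KB article. Edit the three values below for your environment.
param(
    [string]$ServiceName = "sts.contoso.com",       # AD FS service name (from the article's nslookup example)
    [string[]]$ExpectedIPs = @("10.0.0.5"),          # constructed: the IP(s) you expect from the network you test from
    [string]$AppUrl = "https://app.contoso.com/"     # constructed: the federated web application
)

# Step 1: the application should answer with a 302 whose Location points at the AD FS service name.
function Test-AdfsRedirect {
    param([string]$Url, [string]$ExpectedHost)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false      # keep the 302 so its Location header can be inspected
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    if ($resp -eq $null) { Write-Host "No HTTP response from $Url"; return $false }
    $location = $resp.Headers["Location"]
    $resp.Close()
    if (-not $location) { Write-Host "No redirect from $Url (expected a 302 to AD FS)"; return $false }
    $base = New-Object System.Uri($Url)
    $target = New-Object System.Uri($base, $location)   # also handles a relative Location value
    Write-Host "Redirected to $($target.Host)"
    return ($target.Host -ieq $ExpectedHost)
}

# Step 2: the service name must resolve to the address expected for the network you run this from.
function Test-AdfsDnsName {
    param([string]$Name, [string[]]$Expected)
    try {
        # IPv4 only, so the result can be compared with $Expected
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch { Write-Host "Cannot resolve ${Name}: $($_.Exception.Message)"; return $false }
    Write-Host "$Name resolves to: $($addrs -join ', ')"
    $ok = $true
    foreach ($a in $addrs) {
        if ($Expected -notcontains $a) { Write-Host "Unexpected address $a (stale or wrong DNS record?)"; $ok = $false }
    }
    return $ok
}

# Step 3: a plain TCP connect to port 443, with a 5-second timeout instead of the default long wait.
function Test-AdfsPort443 {
    param([string]$Name)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Name, 443, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) {
            Write-Host "TCP 443 on $Name timed out (firewall, stopped service, or load balancer?)"
            return $false
        }
        $client.EndConnect($async)
        Write-Host "TCP 443 on $Name is reachable"
        return $true
    } catch {
        Write-Host "TCP 443 on $Name refused: $($_.Exception.Message)"
        return $false
    } finally {
        $client.Close()
    }
}

# Step 4: the federation metadata and the IdP-initiated sign-on page should both return HTTP 200.
function Test-AdfsEndpoint {
    param([string]$Url)
    try {
        $resp = [System.Net.HttpWebRequest]::Create($Url).GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        Write-Host "$Url -> HTTP $code"
        return ($code -eq 200)
    } catch {
        # A "Could not establish trust relationship" message here is a certificate problem, not connectivity.
        Write-Host "$Url failed: $($_.Exception.Message)"
        return $false
    }
}

$results = @()
$results += @{ Step = "1 redirect"; Ok = (Test-AdfsRedirect -Url $AppUrl -ExpectedHost $ServiceName) }
$results += @{ Step = "2 DNS";      Ok = (Test-AdfsDnsName -Name $ServiceName -Expected $ExpectedIPs) }
$results += @{ Step = "3 TCP 443";  Ok = (Test-AdfsPort443 -Name $ServiceName) }
$results += @{ Step = "4 metadata"; Ok = (Test-AdfsEndpoint -Url "https://$ServiceName/federationmetadata/2007-06/federationmetadata.xml") }
$results += @{ Step = "4 sign-on";  Ok = (Test-AdfsEndpoint -Url "https://$ServiceName/adfs/ls/idpinitiatedsignon.aspx") }

foreach ($r in $results) { Write-Host ("{0,-12} {1}" -f $r.Step, $(if ($r.Ok) { "OK" } else { "FAIL" })) }
$first = $results | Where-Object { -not $_.Ok } | Select-Object -First 1
if ($first) { Write-Host "Start with the fix for step $($first.Step); the later steps depend on it." }
```

Run the script once from an intranet client with the internal IP in $ExpectedIPs, once from the AD FS proxy (where Step 2 must also return the internal IP, per the Important note in Step 2), and once from an external client with the public IP. The script does not bypass certificate validation, so a trust error in Step 4 tells you the certificate chain is the next thing to examine rather than connectivity.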
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Properties

Article ID: 3044971 - Last updated: 2015/05/21 - Revision: 1