When you try to access a web application on a website that uses Active Directory Federation Services (AD FS) 2.0, you receive the following error message:
You cannot access the following IDP-initiated sign-on page and AD FS metadata:
Step 1: Check whether the client is redirected to the correct AD FS URL
How to check
- Start Internet Explorer.
- Press F12 to open the developer tools window.
- On the Network tab, click Start capturing to enable network traffic capturing.
- Browse to the URL of the web application.
- Examine the captured requests to confirm that the client is redirected (an HTTP 302 response whose Location header points at the AD FS service) for authentication. Make sure that the AD FS service URL in that redirect is correct.
How to fix
If you are redirected to an incorrect address, the AD FS federation settings in your web application are probably wrong. Check these settings to make sure that the URL of the AD FS federation service (the SAML identity provider that your application trusts) is correct.
Step 2: Check whether the AD FS Service name can be resolved to the correct IP address
How to check
On a client computer and on the AD FS proxy server (if you have one), use ping or nslookup to determine whether the AD FS service name resolves to the correct IP address. Use the following guidelines:
- Intranet: The name should resolve to the IP address of the internal AD FS server, or to the load-balanced IP address of the internal AD FS farm.
- External: The name should resolve to the external (public) IP address of the AD FS service. In this situation, public DNS is used to resolve the name. If different computers receive different public IP addresses for the same AD FS service name, a recent change in public DNS may not yet have propagated to all public DNS servers worldwide. Depending on the TTL of the record, such a change may take up to 24 hours to replicate.
Example of the nslookup command:
How to fix
Check the DNS record for the AD FS service name on your DNS server or with your ISP. Make sure that the IP address is correct.
Step 3: Check whether TCP port 443 on the AD FS server can be accessed
How to check
Use Telnet or PortQryUI to test connectivity to TCP port 443 on the AD FS server. Make sure that the server is listening on port 443.
How to fix
If the AD FS server is not listening on port 443, follow these steps:
- Make sure that the AD FS 2.0 Windows Service is started.
- Check the Windows Firewall settings on the AD FS server to make sure that inbound connections to TCP port 443 are allowed.
- If a load balancer sits in front of the AD FS servers, bypass it (for example, by connecting to an individual AD FS server directly) to verify that the load balancer is not the cause of the issue. (Load-balancer configuration is a common cause.)
Step 4: Check whether you can use an IdP-initiated sign-on page to authenticate to AD FS
How to check
Start Internet Explorer, and then browse to the following web address. If you receive a certificate warning when you try to open this page, click Continue. Note the warning, however: a client or browser that is not configured to continue past an untrusted certificate will fail at this point.
Typically, you access a sign-in screen, and then you can sign in by using your credentials.
How to fix
If Step 1 through Step 3 succeed but you still cannot access the web application, follow these steps:
- Use another client computer and browser to perform the tests. There may be an issue that affects the client.
- Perform the following advanced troubleshooting steps:
- Collect a Fiddler Web Debugger trace and a network capture while you access the IdP-initiated sign-on page. For more information, see the following TechNet topic:
- Collect network traces from the client computer to check whether the SSL handshake completed successfully, whether the traffic is encrypted, whether you are connecting to the correct IP address, and so on. For more information, see the following Microsoft articles:
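The four checks above, gathered into one script that you can run from a client computer or from the AD FS proxy, as an added example: this is not part of the original article and not a Microsoft tool. The application URL, the federation service name and the expected IP addresses are placeholder assumptions to edit before running, and the two endpoint paths are the standard AD FS 2.0 paths for the IdP-initiated sign-on page and the federation metadata, assumed here rather than taken from the article. It uses only .NET classes, so it also runs in Windows PowerShell 2.0 on Windows Server 2008 R2.

```powershell
# Added diagnostic script; not part of the Microsoft article and not an
# AD FS tool. Assumptions (edit before running): the application URL, the
# federation service name and the expected IP addresses are placeholders,
# and the two paths below are the standard AD FS 2.0 endpoint paths.
param(
    [string]$AppUrl = "https://app.contoso.com/",        # assumed placeholder
    [string]$FederationServiceName = "sts.contoso.com",  # assumed placeholder
    [string[]]$ExpectedIPs = @("10.0.0.10")              # assumed placeholder
)

$ErrorActionPreference = "Stop"
$signOnPath   = "/adfs/ls/IdpInitiatedSignon.aspx"                    # assumed standard AD FS 2.0 path
$metadataPath = "/FederationMetadata/2007-06/FederationMetadata.xml"  # assumed standard AD FS 2.0 path

# Certificate validation is deliberately left on. A TLS trust failure is a
# finding to report, not something a diagnostic script should click past.

function Invoke-Probe {
    # GET $Url without following redirects. Returns the HTTP status, the
    # Location header, the body and the WebException status (if any).
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    $result = New-Object PSObject -Property @{ Url = $Url; Status = $null; Location = $null; Body = ""; Error = $null }
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $result.Error = $_.Exception.Status.ToString()   # e.g. TrustFailure, SecureChannelFailure
        $resp = $_.Exception.Response                    # non-null for HTTP error codes (401, 404, 500)
        if ($resp -eq $null) { return $result }
    }
    $result.Status = [int]$resp.StatusCode
    $result.Location = $resp.Headers["Location"]
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $result.Body = $reader.ReadToEnd()
    $reader.Close(); $resp.Close()
    return $result
}

function Test-TcpPort {
    # Step 3: a plain TCP connect with a timeout, which is what Telnet/PortQry do.
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $client.Connected
    } catch { return $false } finally { $client.Close() }
}

# Step 1: where does the application send an unauthenticated client?
$r = Invoke-Probe $AppUrl
"Step 1: $AppUrl -> HTTP $($r.Status), Location: $($r.Location)"
if ($r.Location -and $r.Location -notmatch "^https://$([regex]::Escape($FederationServiceName))/") {
    "  WARNING: redirect does not go to https://$FederationServiceName/ - check the application's federation settings"
}

# Step 2: does the federation service name resolve to the expected address(es)?
$ips = [System.Net.Dns]::GetHostAddresses($FederationServiceName) | ForEach-Object { $_.IPAddressToString }
"Step 2: $FederationServiceName resolves to $($ips -join ', ')"
foreach ($ip in $ips) {
    if ($ExpectedIPs -notcontains $ip) { "  WARNING: $ip is not in the expected list ($($ExpectedIPs -join ', '))" }
}

# Step 3: is TCP 443 reachable through the service name (i.e. through any load balancer)?
if (Test-TcpPort $FederationServiceName 443) { "Step 3: TCP 443 reachable" }
else { "Step 3: TCP 443 NOT reachable - check the AD FS service, the firewall and the load balancer" }

# Only meaningful when run on the AD FS server itself (adfssrv is the AD FS 2.0 Windows Service).
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
if ($svc) { "  AD FS 2.0 Windows Service: $($svc.Status)" }

# Step 4: the IdP-initiated sign-on page and the federation metadata over TLS.
foreach ($path in @($signOnPath, $metadataPath)) {
    $r = Invoke-Probe "https://$FederationServiceName$path"
    if ($r.Error -and -not $r.Status) {
        "Step 4: $path -> $($r.Error) (TrustFailure or SecureChannelFailure means a certificate or TLS problem)"
        continue
    }
    "Step 4: $path -> HTTP $($r.Status)"
    if ($path -eq $metadataPath -and $r.Body -notmatch "<EntityDescriptor") {
        "  WARNING: the metadata document contains no EntityDescriptor element"
    }
}
```

Two caveats when reading the output. An application that uses the SAML HTTP-POST binding sends the client an auto-submitting form instead of an HTTP 302, so Step 1 will show no Location header and the F12 network trace described above is still the way to see where the client is sent. And a TrustFailure in Step 4 is the scripted equivalent of the certificate warning in the browser: it tells you the page is reachable but the certificate chain or name does not validate, which is a separate problem to fix rather than bypass.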
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Article ID: 3044971 - Last Review: May 21, 2015 - Revision: 1