Sign in to Office 365, Azure, or Intune fails after you change the federation service endpoint
After you change Active Directory Federation Services (AD FS) service endpoint settings in the AD FS Management Console, single sign-on (SSO) authentication to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune fails, and you experience one of the following symptoms:
- Federated users can't sign in to Office 365, Azure, or Intune by using rich client applications.
- Browser applications repeatedly prompt users for credentials when they try to authenticate to AD FS during SSO authentication.
This issue may occur if one of the following conditions is true:
- The AD FS service endpoints are inappropriately configured.
- Kerberos authentication on the AD FS server is broken.
To resolve this issue, use one of the following methods, as appropriate for your situation.
Resolution 1: Restore the default AD FS service endpoint configuration
To restore AD FS default service endpoint settings, follow these steps on the primary AD FS server:
1. Open the AD FS Management Console, and in the left navigation pane, browse to AD FS, then Service, and then Endpoints.
2. Examine the endpoints list, and make sure that the entries in this list are enabled as indicated (at a minimum):

| URL Path | Enabled | Proxy enabled |
|---|---|---|
| /adfs/ls/ | Yes | Yes |
| /adfs/services/trust/2005/windowstransport/ | Yes | No |
| /adfs/services/trust/2005/certificatemixed | Yes | Yes |
| /adfs/services/trust/2005/certificatetransport | Yes | Yes |
| /adfs/services/trust/2005/usernamemixed | Yes | Yes |
| /adfs/services/trust/2005/kerberosmixed | Yes | No |
| /adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256 | Yes | Yes |
| /adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256 | Yes | Yes |
| /adfs/services/trust/13/kerberosmixed | Yes | No |
| /adfs/services/trust/13/certificatemixed | Yes | Yes |
| /adfs/services/trust/13/usernamemixed | Yes | Yes |
| /adfs/services/trust/13/issuedtokenmixedasymmetricbasic256 | Yes | Yes |
| /adfs/services/trust/13/issuedtokenmixedsymmetricbasic256 | Yes | Yes |
| /adfs/services/trusttcp/windows | Yes | No |
| /adfs/services/trust/mex | Yes | Yes |
| /FederationMetadata/2007-06/FederationMetadata.xml | Yes | Yes |
| /adfs/ls/federationserverservice.asmx | Yes | No |

3. If an item in the list doesn't match the default settings in the table above, right-click the entry, and then select Enable or Enable on Proxy as necessary.
WS-Trust Windows endpoints (/adfs/services/trust/2005/windowstransport and /adfs/services/trust/13/windowstransport) are meant only to be intranet-facing endpoints that use the WIA binding over HTTPS.
These endpoints should always be kept disabled on the proxy (that is, disabled from the extranet) to protect against AD account lockouts.
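The manual comparison above can be scripted. The following is an added example, not code from the Knowledge Base article: it reads the live endpoint configuration with `Get-AdfsEndpoint` (AD FS PowerShell module assumed to be available on the primary AD FS server), compares each listed path with the default table, and reports drift; with `-Fix` it enables endpoints that should be on and disables the Windows transport endpoints on the proxy, as recommended above. The `/adfs/services/trust/13/windowstransport` row is added from the note, not from the table.

```powershell
# Added example, not part of the KB article: compare the live AD FS endpoint
# configuration with the defaults from the table above and report drift.
# Assumes the AD FS PowerShell module (Get-AdfsEndpoint) on the primary AD FS server.
param([switch]$Fix)   # -Fix applies changes; the default is report only

# Expected state per path: @(Enabled, EnabledOnProxy), taken from the table above.
# Both windowstransport endpoints follow the note: intranet only, never on the proxy.
$expected = @{
    '/adfs/ls/'                                                    = @($true, $true)
    '/adfs/services/trust/2005/windowstransport'                   = @($true, $false)
    '/adfs/services/trust/13/windowstransport'                     = @($true, $false)
    '/adfs/services/trust/2005/certificatemixed'                   = @($true, $true)
    '/adfs/services/trust/2005/certificatetransport'               = @($true, $true)
    '/adfs/services/trust/2005/usernamemixed'                      = @($true, $true)
    '/adfs/services/trust/2005/kerberosmixed'                      = @($true, $false)
    '/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256' = @($true, $true)
    '/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256'  = @($true, $true)
    '/adfs/services/trust/13/kerberosmixed'                        = @($true, $false)
    '/adfs/services/trust/13/certificatemixed'                     = @($true, $true)
    '/adfs/services/trust/13/usernamemixed'                        = @($true, $true)
    '/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256'   = @($true, $true)
    '/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256'    = @($true, $true)
    '/adfs/services/trusttcp/windows'                              = @($true, $false)
    '/adfs/services/trust/mex'                                     = @($true, $true)
    '/FederationMetadata/2007-06/FederationMetadata.xml'           = @($true, $true)
    '/adfs/ls/federationserverservice.asmx'                        = @($true, $false)
}

# Index the live endpoints by path; trailing slashes and case are normalised on both sides.
$live = @{}
Get-AdfsEndpoint | ForEach-Object { $live[$_.AddressPath.TrimEnd('/').ToLower()] = $_ }

foreach ($path in $expected.Keys) {
    $ep = $live[$path.TrimEnd('/').ToLower()]
    if (-not $ep) { Write-Warning "$path : endpoint not present on this server"; continue }
    $wantEnabled, $wantProxy = $expected[$path]

    if ($ep.Enabled -ne $wantEnabled) {
        Write-Warning "$path : Enabled=$($ep.Enabled), expected $wantEnabled"
        if ($Fix -and $wantEnabled) { Enable-AdfsEndpoint -TargetAddressPath $ep.AddressPath }
    }
    if ($ep.Proxy -ne $wantProxy) {
        Write-Warning "$path : Proxy=$($ep.Proxy), expected $wantProxy"
        if ($Fix -and $wantProxy) { Enable-AdfsEndpoint  -TargetAddressPath $ep.AddressPath -Proxy }
        elseif ($Fix)             { Disable-AdfsEndpoint -TargetAddressPath $ep.AddressPath -Proxy }
    }
}
```

Run it without `-Fix` first and review the warnings; only the paths in the table are checked, so endpoints the farm has added beyond these defaults are left untouched.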
Resolution 2: Troubleshoot Kerberos authentication issues
For more info about how to troubleshoot Kerberos authentication issues, see the following Microsoft Knowledge Base article:
2461628 A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Intune