“ADFS Authentication error” – ADFS authentication issues, often due to incorrect configurations.


ADFS Authentication Error – Detailed Troubleshooting Guide

Active Directory Federation Services (ADFS) is Microsoft's on-premises federation and Single Sign-On (SSO) service. It lets users sign in to Microsoft 365, SharePoint, and other claims-aware applications with their Active Directory credentials: the application redirects the user to ADFS, ADFS authenticates them against AD and issues a signed security token (WS-Federation/SAML for browsers, WS-Trust for rich clients), and the application trusts that token because it trusts the ADFS token-signing certificate.

When a user sees an “ADFS Authentication Error,” the federated sign-in did not complete. The cause is somewhere in that chain: bad credentials, an ADFS service or proxy that cannot be reached, an expired certificate, a federation trust that no longer matches what ADFS publishes, or a policy on the Microsoft 365 side rejecting a token that ADFS issued correctly.


Common Causes of ADFS Authentication Errors:

Incorrect username or password (misspelled, expired, or not in the expected user@domain format).
ADFS server or Web Application Proxy down or unreachable because of network issues.
SSL certificate expired or misconfigured on the ADFS HTTPS binding or on the proxy.
Federation trust between Microsoft 365 and ADFS out of sync (most often a rolled-over token-signing certificate that Microsoft 365 does not yet know about).
Incorrect federation service URL (the name clients are sent to does not match what ADFS and Microsoft 365 are configured with).
Expired token-signing or token-decrypting certificates, so tokens ADFS issues fail validation at the relying party.
Conditional Access policies in Microsoft Entra ID blocking the sign-in after ADFS has issued the token.
Multi-Factor Authentication (MFA) issues (a failing MFA provider in ADFS, or an MFA requirement the user cannot satisfy).


Step 1: Verify User Credentials

Before troubleshooting ADFS, ensure that the user’s credentials are correct.

How to Verify Credentials:

  1. Go to https://login.microsoftonline.com.
  2. Enter the user's sign-in address. For a federated domain you are redirected to the company's ADFS sign-in page.
  3. Enter the Active Directory password there. A failure on this page is an ADFS or AD problem; a failure after ADFS hands you back to Microsoft 365 points at the trust, token, or policy steps below.
  4. If the password is rejected, confirm in Active Directory that the account is not locked out, disabled, or expired before resetting the password, then try again.

If the issue is not related to credentials, proceed to check ADFS configuration.


Step 2: Check ADFS Server Availability

If the ADFS service (or the Web Application Proxy that publishes it to the internet) is down, no user of a federated domain can sign in, internally or externally.

How to Check If ADFS Is Online:

  1. Open a web browser and go to the federation metadata URL. Use the federation service name (the name in the sign-in URL, which is usually a load-balanced alias rather than an individual server): https://<your-adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml
  2. If the page does not load (timeout, connection refused, or a certificate error), the ADFS service, the proxy in front of it, or the network path to it is down.
  3. On the ADFS server, check that the service is running and confirm the configured federation service name and identifier: Get-Service adfssrv; Get-AdfsProperties | Select-Object HostName, Identifier
  4. If the service is stopped or hung, restart it: Restart-Service adfssrv (in a farm, check and restart every node, not only the one you happen to be logged on to).

If the service will not stay up, read the AD FS/Admin event log (Step 6) before rebooting: a certificate or service-account problem will simply recur after a restart.
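The availability check in this step can be scripted from any client that can reach the service. The following is an added example, not code from the original article: it performs the TLS handshake on port 443 and reports the certificate actually presented, then fetches the federation metadata and lists the entityID and the token-signing certificates ADFS publishes, flagging anything expired or close to it. The federation service name sts.contoso.com is a placeholder; replace it with your own.

```powershell
# Added example, not from the original article. Probes an AD FS deployment from
# any machine with Windows PowerShell 5.1 or later. Assumption: the placeholder
# federation service name (sts.contoso.com) is replaced with the real one.

function Test-AdfsMetadata {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [int]$WarnDays = 30
    )
    $findings = @()
    $now = Get-Date

    # 1. TLS handshake: the certificate the client sees, independent of HTTP.
    #    The callback accepts any chain so an expired or untrusted certificate is
    #    still reported instead of aborting the probe.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($FederationServiceName, 443)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($FederationServiceName)
        $tls = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $findings += [pscustomobject]@{
            Item = 'TLS certificate'; Subject = $tls.Subject
            Thumbprint = $tls.Thumbprint; NotAfter = $tls.NotAfter
        }
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        Write-Warning "TLS connection to ${FederationServiceName}:443 failed: $($_.Exception.Message)"
        return $findings
    }

    # 2. Federation metadata: what ADFS publishes to relying parties. Note that
    #    Invoke-WebRequest enforces certificate validation, so an expired TLS
    #    certificate (already reported above) makes this request fail.
    $url = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    } catch {
        Write-Warning "Metadata request to $url failed: $($_.Exception.Message)"
        return $findings
    }
    [xml]$md = $resp.Content
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # entityID is the Federation Service identifier that relying parties trust
    $findings += [pscustomobject]@{
        Item = 'entityID'; Subject = $md.DocumentElement.GetAttribute('entityID')
        Thumbprint = $null; NotAfter = $null
    }

    # Token-signing certificates advertised for the SAML IdP role
    $xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    foreach ($node in $md.SelectNodes($xpath, $ns)) {
        $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        $findings += [pscustomobject]@{
            Item = 'Token-signing certificate'; Subject = $cert.Subject
            Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
        }
    }

    # Flag anything expired or inside the warning window
    foreach ($f in $findings) {
        $status = if ($null -eq $f.NotAfter) { '' }
                  elseif ($f.NotAfter -lt $now) { 'EXPIRED' }
                  elseif ($f.NotAfter -lt $now.AddDays($WarnDays)) { 'EXPIRING' }
                  else { 'OK' }
        $f | Add-Member -NotePropertyName Status -NotePropertyValue $status
    }
    return $findings
}

Test-AdfsMetadata -FederationServiceName 'sts.contoso.com' | Format-Table -AutoSize
```

Run it once from the intranet and once from outside: a TLS certificate or entityID that differs between the two means internal and external clients are being sent to different things (split DNS pointing at the wrong host, or a proxy carrying an older certificate than the farm).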


Step 3: Verify SSL Certificate Configuration

Two different certificates cause two different failures. An expired or untrusted certificate on the HTTPS binding stops browsers (and Microsoft 365) from reaching ADFS at all; an expired token-signing certificate lets the sign-in page load and accept the password, but every token ADFS issues then fails validation at the relying party.

How to Check Certificate Expiry:

  1. On the ADFS server, open PowerShell and list the HTTPS binding certificate: Get-AdfsSslCertificate
  2. This returns only the thumbprint (CertificateHash), not the dates, so look the certificate up in the machine store: Get-ChildItem Cert:\LocalMachine\My\<thumbprint> | Select-Object Subject, NotAfter
  3. Check the token-signing, token-decrypting, and service-communications certificates, which do expose the dates: Get-AdfsCertificate | Select-Object CertificateType, IsPrimary, Thumbprint, @{n='NotAfter';e={$_.Certificate.NotAfter}}
  4. If any certificate has expired or is about to, install a new one and update ADFS. With AutoCertificateRollover enabled (the default), token-signing and token-decrypting certificates renew themselves and Microsoft 365 normally picks the new one up from the published metadata (verify in Step 4); the SSL certificate never renews itself.

How to Update the SSL Certificate in ADFS:

  1. Import the new certificate with its private key. Import-Certificate handles only .cer/.p7b files; a .pfx needs Import-PfxCertificate: Import-PfxCertificate -FilePath "C:\Certs\NewCert.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString "PFX password")
  2. Bind it for HTTPS: Set-AdfsSslCertificate -Thumbprint "NEW_CERT_THUMBPRINT" (run on the primary node on AD FS 2016 and later; on AD FS 2012 R2 run it on every node)
  3. Set it as the service communications certificate as well, after granting the ADFS service account read access to the private key: Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint "NEW_CERT_THUMBPRINT"
  4. Update each Web Application Proxy too: Set-WebApplicationProxySslCertificate -Thumbprint "NEW_CERT_THUMBPRINT", then restart adfssrv on the ADFS servers.
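The expiry checks in this step are worth running as one report covering every certificate ADFS depends on. The following is an added example, not code from the original article. It is run in an elevated session on an ADFS server, assumes the HTTPS binding certificate is in Cert:\LocalMachine\My (where ADFS setup and Set-AdfsSslCertificate expect it), and lists the binding, token-signing, token-decrypting, and service-communications certificates with days remaining.

```powershell
# Added example, not from the original article. Run on an AD FS server in an
# elevated PowerShell session (the ADFS module is installed with the role).
# Assumption: the HTTPS binding certificate lives in Cert:\LocalMachine\My.

function Get-AdfsCertificateExpiry {
    param([int]$WarnDays = 30)
    $now  = Get-Date
    $rows = @()

    # HTTPS binding certificates. Get-AdfsSslCertificate exposes only the
    # thumbprint (CertificateHash), so the dates come from the machine store.
    foreach ($b in Get-AdfsSslCertificate) {
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$($b.CertificateHash)" -ErrorAction SilentlyContinue
        $rows += [pscustomobject]@{
            Role       = "SSL binding $($b.HostName):$($b.PortNumber)"
            Subject    = if ($cert) { $cert.Subject } else { '<thumbprint not found in LocalMachine\My>' }
            Thumbprint = $b.CertificateHash
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        }
    }

    # Token-signing, token-decrypting and service-communications certificates
    # carry the X509Certificate2 object, so NotAfter is available directly.
    foreach ($c in Get-AdfsCertificate) {
        $rows += [pscustomobject]@{
            Role       = "$($c.CertificateType)$(if ($c.IsPrimary) { ' (primary)' } else { ' (secondary)' })"
            Subject    = $c.Certificate.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.Certificate.NotAfter
        }
    }

    foreach ($r in $rows) {
        $days = if ($r.NotAfter) { [int]($r.NotAfter - $now).TotalDays } else { $null }
        $status = if ($null -eq $days) { 'UNKNOWN' }
                  elseif ($days -lt 0) { 'EXPIRED' }
                  elseif ($days -lt $WarnDays) { 'EXPIRING' }
                  else { 'OK' }
        $r | Add-Member -NotePropertyName DaysLeft -NotePropertyValue $days
        $r | Add-Member -NotePropertyName Status   -NotePropertyValue $status
    }

    # Token-signing/decrypting certificates renew themselves only when rollover
    # is on; the SSL binding certificate never does.
    Write-Host "AutoCertificateRollover: $((Get-AdfsProperties).AutoCertificateRollover)"
    return $rows
}

Get-AdfsCertificateExpiry | Sort-Object NotAfter | Format-Table Role, Subject, DaysLeft, Status -AutoSize
```

A secondary token-signing certificate that is newer than the primary means a rollover is pending; Microsoft 365 must already know about it before ADFS promotes it, which is what Step 4 verifies.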

Step 4: Verify ADFS Trust with Microsoft 365

If the trust between Microsoft 365 and ADFS is out of sync, typically because the token-signing certificate rolled over and Microsoft 365 still holds the old one, users authenticate successfully at ADFS and are then rejected by Microsoft 365 when it cannot validate the token.

How to Check Federation Trust:

  1. Open PowerShell and connect to Microsoft 365 with the MSOnline module (this module is deprecated; the Microsoft Graph equivalent is Connect-MgGraph followed by Get-MgDomainFederationConfiguration -DomainId yourdomain.com): Connect-MsolService
  2. Show the settings stored in Microsoft 365 next to the settings on the ADFS server: Get-MsolFederationProperty -DomainName yourdomain.com
  3. Compare the two columns. The Federation Service identifier (IssuerUri), the passive sign-in URL, and above all the token-signing certificate thumbprint must match; a thumbprint mismatch is the classic post-rollover failure.

How to Repair ADFS Trust with Microsoft 365:

  1. On the primary ADFS server, push the current ADFS settings and token-signing certificate to Microsoft 365: Update-MsolFederatedDomain -DomainName yourdomain.com (add -SupportMultipleDomain if more than one domain is federated to this farm)
  2. Try logging in again. The change is on the Microsoft 365 side, so an ADFS restart is not required.
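The comparison in this step, done without the deprecated MSOnline module, is shown in the following added example (not code from the original article). It assumes the Microsoft.Graph PowerShell SDK is installed, the signing-in account has the Domain.Read.All permission, and the script runs on an ADFS farm node where Get-AdfsProperties and Get-AdfsCertificate are available. The domain contoso.com is a placeholder.

```powershell
# Added example, not from the original article. Compares what Microsoft 365
# (Entra ID) holds for a federated domain with what the local AD FS farm uses.
# Assumptions: Microsoft.Graph SDK installed, Domain.Read.All consented, run on
# an AD FS farm node. 'contoso.com' is a placeholder.

function Compare-AdfsFederationTrust {
    param([Parameter(Mandatory)][string]$DomainName)

    Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null

    # Cloud side: issuer, endpoints and the signing certificate Entra ID trusts
    $cloud = Get-MgDomainFederationConfiguration -DomainId $DomainName | Select-Object -First 1
    if (-not $cloud) { throw "$DomainName has no federation configuration in Entra ID; is it a managed domain?" }
    $cloudCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($cloud.SigningCertificate))

    # Farm side: identifier, host name and the primary token-signing certificate
    $props = Get-AdfsProperties
    $local = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

    $pairs = @(
        @{ Setting = 'Issuer / Federation Service identifier'
           Cloud = $cloud.IssuerUri;            Adfs = $props.Identifier }
        @{ Setting = 'Passive sign-in URL'
           Cloud = $cloud.PassiveSignInUri;     Adfs = "https://$($props.HostName)/adfs/ls/" }
        @{ Setting = 'Metadata exchange URL'
           Cloud = $cloud.MetadataExchangeUri;  Adfs = "https://$($props.HostName)/adfs/services/trust/mex" }
        @{ Setting = 'Token-signing thumbprint'
           Cloud = $cloudCert.Thumbprint;       Adfs = $local.Thumbprint }
    )
    foreach ($p in $pairs) {
        # PowerShell string comparison is case-insensitive; strip a trailing
        # slash so ".../adfs/ls" and ".../adfs/ls/" compare equal.
        $match = ("$($p.Cloud)" -replace '/$', '') -eq ("$($p.Adfs)" -replace '/$', '')
        [pscustomobject]@{ Setting = $p.Setting; MicrosoftOnline = $p.Cloud; AdfsServer = $p.Adfs; Match = $match }
    }

    # The certificate Entra ID holds must also still be valid: if it has expired,
    # sign-in fails even when the farm already rolled to a new one.
    [pscustomobject]@{
        Setting = 'Cloud signing certificate still valid'
        MicrosoftOnline = $cloudCert.NotAfter; AdfsServer = $local.Certificate.NotAfter
        Match = ($cloudCert.NotAfter -gt (Get-Date))
    }
}

Compare-AdfsFederationTrust -DomainName 'contoso.com' | Format-Table -AutoSize
```

A Match of False on the thumbprint row with everything else True is the rollover case: Update-MsolFederatedDomain (or, through Graph, Update-MgDomainFederationConfiguration with the new SigningCertificate) brings the cloud side back in line.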

Step 5: Verify ADFS Endpoints

The endpoints each sign-in path uses must be enabled on ADFS, and published to the proxy for anything that must work from the internet; a request to a disabled endpoint returns an error page instead of a sign-in page.

How to Check ADFS Endpoints:

  1. Open AD FS Management Console (adfs.msc).
  2. Navigate to Service → Endpoints.
  3. Ensure the following endpoints are enabled:
    • /adfs/ls/ (WS-Federation/SAML passive sign-in endpoint used by browsers)
    • /adfs/services/trust/2005/usernamemixed (WS-Trust username/password endpoint used by legacy rich clients and by Exchange Online for the federated domain)
  4. If any of these are disabled, right-click and select Enable, then restart the ADFS service: endpoint changes take effect only after a restart. Check the Proxy Enabled column too; an endpoint that is enabled but not proxied works from the intranet and fails for external users.
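The same check from PowerShell, as an added example that is not part of the original article: it runs on an ADFS server, reports the enabled and proxied state of the endpoints Microsoft 365 sign-in depends on (the two named above plus the WS-Trust 1.3 username/password endpoint and the metadata path), re-enables anything that is off, and shows how to stop publishing the password endpoints to the proxy when no external legacy client needs them.

```powershell
# Added example, not from the original article. Runs on an AD FS server.

function Test-AdfsRequiredEndpoints {
    param(
        [string[]]$Required = @(
            '/adfs/ls/',                                          # browser (passive) sign-in
            '/adfs/services/trust/2005/usernamemixed',            # WS-Trust 2005 username/password
            '/adfs/services/trust/13/usernamemixed',              # WS-Trust 1.3 username/password
            '/FederationMetadata/2007-06/FederationMetadata.xml'  # metadata Microsoft 365 reads
        )
    )
    $all = Get-AdfsEndpoint
    foreach ($path in $Required) {
        $ep = $all | Where-Object { $_.AddressPath -eq $path }
        [pscustomobject]@{
            AddressPath = $path
            Found       = [bool]$ep
            Enabled     = if ($ep) { $ep.Enabled } else { $null }
            # Proxy = True means the Web Application Proxy publishes it; enabled
            # but not proxied works only from the intranet.
            Proxy       = if ($ep) { $ep.Proxy } else { $null }
            Protocol    = if ($ep) { $ep.Protocol } else { $null }
        }
    }
}

$report = Test-AdfsRequiredEndpoints
$report | Format-Table -AutoSize

# Re-enable anything that is off. Endpoint changes apply only after adfssrv is
# restarted on every node.
$report | Where-Object { $_.Found -and -not $_.Enabled } | ForEach-Object {
    Enable-AdfsEndpoint -TargetAddressPath $_.AddressPath
}

# Hardening caveat: the WS-Trust username/password endpoints are the usual target
# of password spraying against ADFS. If no legacy client needs them from the
# internet, keep them enabled for the intranet but stop publishing them:
#   Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/2005/usernamemixed' -Proxy $false
#   Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/13/usernamemixed' -Proxy $false
```

Before un-proxying the usernamemixed endpoints, confirm from the AD FS/Admin log (Step 6) that no legitimate external client is still using them; Exchange Online and older Office clients on basic authentication are the usual dependents.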

Step 6: Check Event Logs for Errors

ADFS writes its errors to the AD FS/Admin event log. Each failed request is tagged with an Activity ID, and the same GUID appears on the user's error page as the Reference number, which is how you tie a user's report to the server-side event.

How to Check ADFS Logs:

  1. Open Event Viewer (eventvwr.msc).
  2. Go to Applications and Services Logs → AD FS/Admin.
  3. Look for error messages related to authentication.
  4. Common event IDs:
    • 364: Encountered error during federation passive request (a browser sign-in failed; the message names the relying party and the exception).
    • 342: Token validation failed (usually a wrong password, a locked-out or disabled account, or a token signed with a certificate the partner no longer trusts; the inner exception says which).
    • 111: The Federation Service encountered an error while processing the WS-Trust request (the rich-client equivalent of 364).
    • 102: There was an error in enabling endpoints of Federation Service (the service starts but cannot bind its endpoints, typically because the service account cannot read a certificate's private key or the HTTPS port is already taken).

Read the inner exception text in the event rather than the first line; it names the actual failure (bad password, certificate, relying party identifier) far more precisely than the user-facing page does.
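Pulling the relevant events together, and looking up the one sign-in a user is complaining about by its Reference number, is quicker in PowerShell than in Event Viewer. The following is an added example, not code from the original article. It runs on an ADFS server, queries the AD FS/Admin log for the event IDs listed above plus 411 (token validation failed, logged with the user name and client IP, which is what makes a password spray visible), and filters by Activity ID when one is supplied. The GUID in the last line is a placeholder.

```powershell
# Added example, not from the original article. Runs on an AD FS server and
# summarises recent AD FS/Admin errors. The Activity ID on the user's error page
# (its "Reference number") selects the events for that one attempt.

function Get-AdfsRecentErrors {
    param(
        [int]$Hours = 24,
        [int[]]$Ids = @(102, 111, 342, 364, 411),
        [string]$ActivityId
    )
    $filter = @{
        LogName   = 'AD FS/Admin'
        Id        = $Ids
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning "No matching events in the last $Hours hours"; return }

    $rows = foreach ($e in $events) {
        # ADFS puts the correlation GUID in the message body; fall back to the
        # ETW activity id when it is absent. -match is case-insensitive.
        $act = if ($e.Message -match 'Activity ID:\s*([0-9a-f-]{36})') { $Matches[1] } else { "$($e.ActivityId)" }
        $lines = $e.Message -split "`r?`n" | Where-Object { $_.Trim() }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = $e.Id
            ActivityId = $act
            # First non-empty line is the summary; the first line mentioning an
            # exception or an MSIS/ID error code is usually the real cause.
            Summary    = $lines | Select-Object -First 1
            Detail     = $lines | Where-Object { $_ -match 'Exception|MSIS\d+|\bID\d{4}' } | Select-Object -First 1
        }
    }
    if ($ActivityId) { $rows = $rows | Where-Object { $_.ActivityId -eq $ActivityId } }
    return $rows | Sort-Object Time -Descending
}

# How many of each error in the last day (a spike in 342/411 with many
# distinct users is a spray, not a configuration problem)
Get-AdfsRecentErrors | Group-Object Id | Select-Object Name, Count

# Everything logged for one user's attempt (placeholder GUID from the error page)
Get-AdfsRecentErrors -ActivityId '00000000-0000-0000-0000-000000000000' | Format-List
```

If the Admin log is quiet while users still fail, the request never reached ADFS (Step 7) or was accepted by ADFS and rejected afterwards by Microsoft 365 (Steps 4 and 8).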


Step 7: Check Network Connectivity and DNS Configuration

If clients cannot reach ADFS, the cause is usually DNS (the federation service name resolves to the wrong address, or to nothing, from that network) or a firewall or load balancer not passing TCP 443.

How to Check Connectivity:

  1. Test TCP 443 to the federation service name from a client; ICMP is often blocked, so a failed ping on its own proves little: Test-NetConnection <your-adfs-server> -Port 443 (or ping <your-adfs-server> as a first look)
  2. If the port test fails, check the firewalls and load balancers between the client and ADFS, or between the client and the Web Application Proxy for external clients.
  3. Verify DNS resolution: Resolve-DnsName <your-adfs-server> (or nslookup <your-adfs-server>)
  4. Internal clients must resolve the federation service name to the internal ADFS servers or their load balancer, external clients to the Web Application Proxy; fix the record on whichever side is wrong. Use an A record rather than a CNAME for the federation service name, since a CNAME can break Kerberos-based Windows Integrated Authentication for intranet sign-in.

Step 8: Check Conditional Access Policies

Conditional Access policies in Microsoft Entra ID (formerly Azure AD) are evaluated after ADFS has issued its token, so a block here surfaces as an error from Microsoft 365 even though the ADFS sign-in itself succeeded and the ADFS logs show nothing wrong.

How to Check Conditional Access Policies:

  1. Open the Microsoft Entra admin center: https://entra.microsoft.com (the older Azure AD Admin Center, https://aad.portal.azure.com, redirects there).
  2. Navigate to Protection → Conditional Access (Security → Conditional Access in the old portal).
  3. Open the affected sign-in under Sign-in logs and read its Conditional Access tab: it lists every policy with whether it was satisfied, failed, or not applied. Error code 53003 means the sign-in was blocked by a policy; policies that block legacy authentication catch clients using the WS-Trust username/password endpoints regardless of how ADFS authenticated them.
  4. Fix the condition that failed (register the user for MFA, enroll or mark the device compliant, move the client off legacy authentication) rather than excluding users from the policy. If an exclusion is unavoidable, scope it to a group and review it regularly.
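Step 3 above can be done from PowerShell for a named user. The following is an added example, not code from the original article. It assumes the Microsoft.Graph SDK is installed, the signing-in account has AuditLog.Read.All and Directory.Read.All, and the tenant has an Entra ID P1 or P2 licence (sign-in logs are not exposed through Graph without one); the user jane.doe@contoso.com is a placeholder.

```powershell
# Added example, not from the original article. Lists Entra ID sign-ins where
# Conditional Access blocked a user (error code 53003) and names the policy and
# grant control that failed. Assumptions: Microsoft.Graph SDK, AuditLog.Read.All
# and Directory.Read.All, Entra ID P1/P2. The UPN below is a placeholder.

function Get-ConditionalAccessBlocks {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Hours = 24
    )
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

    $since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $upn    = $UserPrincipalName -replace "'", "''"   # escape for the OData filter
    $filter = "userPrincipalName eq '$upn' and createdDateTime ge $since and status/errorCode eq 53003"

    Get-MgAuditLogSignIn -Filter $filter -All | ForEach-Object {
        # Only policies whose result is 'failure' caused the block; the others
        # were satisfied or did not apply to this sign-in.
        $failed = $_.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }
        [pscustomobject]@{
            Time             = $_.CreatedDateTime
            App              = $_.AppDisplayName
            ClientApp        = $_.ClientAppUsed       # 'Browser' vs a legacy protocol
            FailureReason    = $_.Status.FailureReason
            BlockingPolicies = ($failed.DisplayName -join '; ')
            RequiredControls = (($failed | ForEach-Object { $_.EnforcedGrantControls -join ',' }) -join '; ')
        }
    }
}

Get-ConditionalAccessBlocks -UserPrincipalName 'jane.doe@contoso.com' | Format-Table -AutoSize
```

A ClientApp value that is neither Browser nor Mobile Apps and Desktop clients identifies legacy authentication (IMAP, POP, Exchange ActiveSync, older Office); a block-legacy-authentication policy will reject it however cleanly ADFS authenticated the user, and the remedy is to update the client, not to exclude the user.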

Step 9: Reset ADFS Authentication Settings

If the failures began with a change to the ADFS authentication policy (a new MFA provider, certificate authentication, a disabled method), restoring the default primary methods isolates the problem. This does not change relying-party trusts or certificates, so it will not fix the earlier steps.

How to Reset ADFS Authentication Settings:

  1. Open PowerShell as Administrator on the primary ADFS server.
  2. Record the current policy first so it can be restored: Get-AdfsGlobalAuthenticationPolicy
  3. Reset the primary methods to forms-based authentication for the extranet and Windows Integrated Authentication for the intranet: Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider @("FormsAuthentication") -PrimaryIntranetAuthenticationProvider @("WindowsAuthentication")
  4. Restart ADFS: Restart-Service adfssrv

Step 10: Contact IT Support or Microsoft Support

If the issue is not resolved, contact your IT support team or open a case with Microsoft Support.

Information to Provide IT Support:

Exact error message received and the Reference number (Activity ID) shown on the error page
Event IDs and the inner exception text from the AD FS/Admin log (if any)
ADFS and Windows Server version, and whether a Web Application Proxy is in the path
Whether the failure affects internal users, external users, or both
Steps you have already tried

