Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Error message when you try to sign in to the Microsoft Online Portal as a federated user


Symptoms

Beta information This article discusses a beta release of Microsoft Office 365. The information about Office 365 in this article is provided as-is and is subject to change without notice.

When you try to sign in to the Microsoft Online Portal in Microsoft Office 365 as a federated user, you may receive one of the following error messages:

  • "There was a problem accessing the site. Try to browse to the site again."
  • "Your organization could not sign you in to this service"

Cause

There are many potential causes of these errors. The resolution is separated into the following two areas:

  • Problem exists for all users
  • Problem exists for one or some users

Resolution

Important This section contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756  How to back up and restore the registry in Windows

Problem exists for all users

Step 1: Verify firewall settings

If you have a firewall that supports the following features, make sure that these features are disabled.

Note This step applies to Forefront Threat Management Gateway (TMG) server. However, be aware that other firewall servers may also support these features.

Step 2: Update federation settings for the federated domain
  1. Start the Microsoft Online Services Identity Federation Management tool from the desktop on the computer on which it was installed.
  2. At the Windows PowerShell prompt, type the following, and then press Enter:

    $cred=Get-Credential
  3. When you are prompted, type your Office 365 Global Administrator account.
  4. At the Windows PowerShell prompt, type the following, and then press ENTER:

    Set-MSOLContextCredential -MSOLAdminCredentials $cred
  5. Run the following Update-MSOLFederatedDomain cmdlet:

    Update-MSOLFederatedDomain -DomainName yourdomain.com

Step 3: Repair the Relying Party Trust entity
  1. Click Start, click Control Panel, point to Administrative Tools, and then click AD FS 2.0 Management.
  2. Locate Trust Relationships, select Relying Party Trusts, and then click Delete to remove the Relying Party Trust entry.
  3. Start the Microsoft Online Services Identity Federation Management tool from the desktop on the computer on which it was installed.
  4. At the Windows PowerShell prompt, type the following, and then press ENTER:

    $cred=Get-Credential
  5. When you are prompted, type your online administrator account.
  6. At the Windows PowerShell prompt, type the following, and then press ENTER:

    Set-MSOLContextCredential -MSOLAdminCredentials $cred
  7. Run the Add-MSOLFederatedDomain cmdlet to re-create the federation trust.
    Note If your domain is already configured as an online federated domain, you receive an error. However, this Windows PowerShell cmdlet re-creates the required AD FS entries, such as the following:
    • Relying Party Trusts = Microsoft Federation Gateway
    • Issuance Transform Rules = two rules created
  8. Run the Update-MSOLFederatedDomain cmdlet.

Problem exists for one or some users

Step 1: Check whether the user's proxy addresses contain non-ASCII characters

Review the user's on-premises proxy addresses for non-ASCII characters. If any are found, update the user's proxy addresses so that they contain only ASCII characters.

For more information about ASCII characters, see the following website: http://www.asciitable.com
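A scripted version of this check, added here as an example and not part of the KB article; the sample addresses are constructed, and the Get-ADUser call in the trailing comment assumes the ActiveDirectory module is installed:

```powershell
# Added example (not from the KB article): report proxyAddresses entries that
# contain characters outside the 7-bit ASCII range (U+0000 to U+007F).
function Find-NonAsciiProxyAddress {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName,
        [string[]]$ProxyAddresses
    )
    foreach ($address in $ProxyAddresses) {
        $bad = @()
        for ($i = 0; $i -lt $address.Length; $i++) {
            # Code point above 0x7F means the character is not ASCII.
            if ([int]$address[$i] -gt 0x7F) {
                $bad += "U+{0:X4} '{1}' at index {2}" -f [int]$address[$i], $address[$i], $i
            }
        }
        if ($bad.Count -gt 0) {
            # One result object per offending address, listing every bad character.
            [pscustomobject]@{
                SamAccountName = $SamAccountName
                ProxyAddress   = $address
                NonAscii       = ($bad -join '; ')
            }
        }
    }
}

# Constructed sample data so the function can be exercised offline; only the
# second address is reported, because of the two umlauts.
$sample = @{
    SamAccountName = 'jmueller'
    ProxyAddresses = @('SMTP:j.mueller@contoso.com', 'smtp:jürgen.müller@contoso.com')
}
Find-NonAsciiProxyAddress @sample | Format-Table -AutoSize

# To scan on-premises AD (assumes the ActiveDirectory module; not in the KB):
# Get-ADUser -Filter * -Properties proxyAddresses | ForEach-Object {
#     Find-NonAsciiProxyAddress -SamAccountName $_.SamAccountName -ProxyAddresses $_.proxyAddresses
# }
```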

Step 2: Resolve a changed user principal name (UPN) or SAM account name situation for the problem user

After a user signs in to Office 365, the sign-in information may be cached on the AD FS server. When the user principal name (UPN) or the Security Accounts Manager (SAM) account name of the user is changed, problems may occur the next time that the user tries to access Office 365 services. Use the following steps to resolve this issue.

  1. Verify that the UPN changes are synchronized to Office 365 through directory synchronization.
  2. Have the user log off the computer and then log back on.
  3. If steps 1 and 2 do not resolve the issue, restart the AD FS server. Or, follow these steps:
    1. Open Registry Editor, and then locate the following subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    2. Right-click the LSA subkey folder, select New, and then select DWORD Value.
    3. Type LsaLookupCacheMaxSize, and then press Enter.
    4. Right-click LsaLookupCacheMaxSize, and then click Modify.
    5. In the Value data box, type 0, and then click OK.
    6. Exit Registry Editor.

Note LsaLookupCacheMaxSize can affect sign-in performance. Therefore, we recommend that you delete LsaLookupCacheMaxSize when the issue is resolved.
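The same registry change, together with its later removal, as PowerShell; this is an added example and not part of the KB article, and it assumes an elevated session on the AD FS server:

```powershell
# Added example (not from the KB article): apply the LsaLookupCacheMaxSize
# workaround from step 3 without Registry Editor, and remove it afterwards
# as the KB note recommends. Run in an elevated PowerShell session.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LsaLookupCacheMaxSize'

function Disable-LsaLookupCache {
    # DWORD value 0 is what the KB steps create under the Lsa subkey.
    # -Force overwrites the value if it already exists.
    New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType DWord -Value 0 -Force -ErrorAction Stop | Out-Null
    # Return the value that is now in the registry for confirmation.
    (Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName
}

function Restore-LsaLookupCache {
    # Delete the value once the sign-in issue is resolved; it affects
    # sign-in performance if it is left in place.
    $current = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $current) {
        Remove-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction Stop
        "Removed $valueName from $lsaKey"
    } else {
        "$valueName is not present under $lsaKey"
    }
}

# Apply the workaround; run Restore-LsaLookupCache later to clean up.
Disable-LsaLookupCache
```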

Keywords: KB2210944, bposs

Article Info
Article ID : 2210944
Revision : 28
Created on : 4/10/2011
Published on : 4/10/2011
Exists online : False
Views : 377