Error message from AD FS 2.0 when a federated user signs in to Office 365: "There was a problem accessing the site"

Problem

When a federated user signs in to Microsoft Office 365 in a federation environment, the user receives the following error message from Active Directory Federation Services (AD FS) 2.0 when the user provides credentials:
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: <GUID>

Cause

This issue may occur if one of the following conditions is true:
  • Single sign-on (SSO) access to Office 365 services was not implemented completely.
  • The AD FS 2.0 token-signing certificate expired.
  • The relying party trust with Windows Azure Active Directory (Windows Azure AD) is corrupted.
  • The AD FS 2.0 IUSR account doesn't have the "Impersonate a client after authentication" user permission.
  • If the issue only occurs when users try to gain access from clients that are connected outside the on-premises network, the AD FS 2.0 proxy server may have configuration problems.

Solution

Use one of the following resolutions, as appropriate for your situation.

Resolution 1: Troubleshoot SSO implementation

If the SSO implementation is incomplete, the relying party trust with Windows Azure AD may not yet be set up in AD FS 2.0. To resolve this issue, complete the implementation of SSO. For more information about how to do this, see the following Microsoft Knowledge Base article:
2530569 Troubleshoot single sign-on implementation in Office 365

Resolution 2: Renew the token-signing certificate

To check whether the token-signing certificate is expired, follow these steps:
  1. Click Start, click All Programs, click Administrative Tools, and then click AD FS 2.0 Management.
  2. In the AD FS 2.0 management console, click Service, click Certificates, and then examine the Effective and Expiration dates for the AD FS 2.0 token-signing certificate.
If the certificate is expired, it has to be renewed to restore SSO authentication functionality.
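The same check can be scripted. The following is an added example, not part of the KB article: it lists every AD FS 2.0 token-signing certificate with its validity window and flags expired or soon-expiring ones; the 30-day warning threshold is a constructed value, and it assumes the Microsoft.Adfs.Powershell snap-in is present on the federation server.

```powershell
# Added example (not from the KB article): report the validity of the AD FS 2.0
# token-signing certificates from an elevated Windows PowerShell prompt on a
# federation server. Written for PowerShell 2.0, which ships with AD FS 2.0 hosts.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

$now      = Get-Date
$warnDays = 30    # constructed threshold; set it to your renewal lead time

# Automatic rollover decides whether Add Token-Signing Certificate is allowed
# in the console (step 2 of the renewal procedure).
$rollover = (Get-ADFSProperties).AutoCertificateRollover
Write-Host "AutoCertificateRollover: $rollover"

foreach ($c in Get-ADFSCertificate -CertificateType Token-Signing) {
    $x        = $c.Certificate            # X509Certificate2 behind the AD FS entry
    $daysLeft = [int]($x.NotAfter - $now).TotalDays
    $state    = if ($now -gt $x.NotAfter)      { "EXPIRED" }
                elseif ($now -lt $x.NotBefore) { "NOT YET VALID" }
                elseif ($daysLeft -le $warnDays) { "EXPIRING" }
                else                           { "OK" }

    # New-Object instead of [pscustomobject] to stay PowerShell 2.0 compatible
    New-Object PSObject -Property @{
        Primary    = $c.IsPrimary
        Thumbprint = $x.Thumbprint
        Subject    = $x.Subject
        Effective  = $x.NotBefore
        Expiration = $x.NotAfter
        DaysLeft   = $daysLeft
        State      = $state
    }
}
```

Any row with State EXPIRED is the condition this resolution addresses; an EXPIRING row on the primary certificate means the renewal should be scheduled before SSO breaks.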

To renew the token-signing certificate on the primary AD FS 2.0 server by using a self-signed certificate, follow these steps:
  1. In the same AD FS 2.0 management console, click Service, click Certificates, and then, under Certificates in the Actions pane, click Add Token-Signing Certificate.
  2. If a "Certificates cannot be modified while the AD FS automatic certificate rollover feature is enabled" warning appears, go to step 3. Otherwise, check the certificate Effective and Expiration dates. If the certificate is successfully renewed, you do not have to perform steps 3 and 4.
  3. If the certificate is not renewed, click Start, point to All Programs, click Accessories, click the Windows PowerShell folder, right-click Windows PowerShell, and then click Run as administrator.
  4. At the Windows PowerShell command prompt, enter the following commands. Press Enter after you enter each command:
    • Add-PSSnapin Microsoft.Adfs.Powershell
    • Update-ADFSCertificate -CertificateType: Token-Signing
To renew the token-signing certificate on the primary AD FS 2.0 server by using a certification authority (CA)-issued certificate, follow these steps:
  1. Create the WebServerTemplate.inf file. To do this, follow these steps:
    1. Start Notepad, and open a new, blank document.
    2. Paste the following into the file:
      [Version]
      Signature=$Windows NT$
      [NewRequest]
      ;EncipherOnly=False
      Exportable=True
      KeyLength=2048
      KeySpec=1
      KeyUsage=0xa0
      MachineKeySet=True
      ProviderName="Microsoft RSA SChannel Cryptographic Provider"
      ProviderType=12
      RequestType=CMC
      subject="CN=adfs.contoso.com"
      [EnhancedKeyUsageExtension]
      OID=1.3.6.1.5.5.7.3.1
      [RequestAttributes]
    3. In the file, change subject="CN=adfs.contoso.com" to the following:
      "CN=your-federation-service-name"
    4. On the File menu, click Save As.
    5. In the Save As dialog box, click All Files (*.*) in the Save as type box.
    6. Type WebServerTemplate.inf in the File name box, and then click Save.
  2. Copy the WebServerTemplate.inf file to one of your AD FS Federation servers.
  3. On the AD FS server, open an Administrative Command Prompt window.
  4. Use the cd (change directory) command to change to the directory where you copied the .inf file.
  5. Type the following command, and then press Enter:
    CertReq.exe -New WebServerTemplate.inf AdfsSSL.req
  6. Send the output file, AdfsSSL.req, to your CA for signing.
  7. The CA will return a signed public key portion in either a .p7b or .cer format. Copy this file to your AD FS server where you generated the request.
  8. On the AD FS server, open an Administrative Command Prompt window.
  9. Use the cd (change directory) command to change to the directory where you copied the .p7b or .cer file.
  10. Type the following command, and then press Enter:
    CertReq.exe -Accept "file-from-your-CA-p7b-or-cer"
Regardless of whether a self-signed or CA-signed certificate is used, complete the restoration of the SSO authentication functionality. To do this, follow these steps:
  1. Add Read access to the private key for the AD FS 2.0 service account on the primary AD FS 2.0 server. To do this, follow these steps:
    1. Click Start, click Run, type mmc.exe, and then press Enter.
    2. On the File menu, click Add/Remove Snap-in.
    3. Double-click Certificates, select Computer account, and then click Next.
    4. Select Local computer, click Finish, and then click OK.
    5. Expand Certificates (Local Computer), expand Personal, and then click Certificates.
    6. Right-click the new token-signing certificate, point to All Tasks, and then click Manage Private Keys.
    7. Add Read access to the AD FS 2.0 service account, and then click OK.
    8. Exit the Certificates snap-in.
  2. Update the new certificate's thumbprint and the date of the relying party trust to the Windows Azure AD authentication system. To do this, see the "How to update the configuration of the Office 365 federated domain" section of the following Microsoft Knowledge Base article:
    2647048 How to update or to repair the configuration of the Office 365 federated domain
  3. Re-create the AD FS 2.0 proxy trust configuration. To do this, follow these steps:
    1. Restart the AD FS 2.0 Windows Service on the primary AD FS 2.0 server.
    2. Wait 10 minutes for the certificate to replicate to all the members of the federation service farm, and then restart the AD FS 2.0 Windows Service on the rest of the AD FS 2.0 servers.
    3. Rerun the Proxy Configuration Wizard on each AD FS 2.0 proxy server. For more information, go to the following Microsoft TechNet website:
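Step 1 of the restoration procedure (Read access on the private key) is the one most often missed, and AD FS 2.0 then fails to sign tokens even though the certificate is current. The following is an added example, not part of the KB article, that verifies it from an elevated PowerShell prompt on the primary server. It assumes the AD FS 2.0 Windows Service is named adfssrv and that the key was created with a CSP provider (as the .inf above does), so the key file lives under the MachineKeys folder.

```powershell
# Added example (not from the KB article): confirm that the AD FS 2.0 service
# account holds Read access on the primary token-signing certificate's private key.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

# Assumption: the AD FS 2.0 Windows Service is registered as "adfssrv"
$svcAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
Write-Host "AD FS service account: $svcAccount"

$primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $primary.Certificate
Write-Host ("Primary token-signing certificate {0} expires {1}" -f $cert.Thumbprint, $cert.NotAfter)
# This thumbprint is the value Windows Azure AD must also hold (KB 2647048 step above).

if (-not $cert.HasPrivateKey) {
    Write-Warning "The certificate has no private key on this server; it cannot sign tokens"
    return
}

# Assumption: CSP (non-CNG) keys are stored as files under MachineKeys; the ACL
# on that file is exactly what the "Manage Private Keys" dialog edits.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"

$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead   = (Get-Acl $keyFile).Access | Where-Object {
    $_.AccessControlType -eq "Allow" -and
    $_.IdentityReference.Value -eq $svcAccount -and
    ($_.FileSystemRights -band $readRight) -ne 0     # Read, or anything that includes it
}

if ($hasRead) {
    Write-Host "OK: $svcAccount can read the private key ($keyFile)"
} else {
    Write-Warning "$svcAccount has no Read access to $keyFile; grant it with Manage Private Keys"
}
```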

Resolution 3: Repair the corrupted relying party trust

If SSO is already implemented and was functioning correctly before the failure that is described in the "Problem" section, and if the token-signing certificate is not expired, the relying party trust with Windows Azure AD may be corrupted.

To resolve this issue, see the "How to repair the configuration of the Office 365 federated domain" section of the following article in the Microsoft Knowledge Base:
2647048 How to update or to repair the configuration of the Office 365 federated domain

Resolution 4: Update computer policy to grant the AD FS 2.0 IUSR account "Impersonate a client after authentication" user rights

To grant the "Impersonate a client after authentication" user rights to the AD FS 2.0 IUSR_ account, use the following Microsoft TechNet website:

Resolution 5: Troubleshoot AD FS 2.0 proxy issues

To troubleshoot AD FS 2.0 proxy issues, use the following Microsoft Knowledge Base article:
2712961 How to troubleshoot the AD FS 2.0 connection

More information

Video: Troubleshooting Token-Signing Certificate Issues in Office 365 (http://aka.ms/imbepb)

Video: Office 365: Troubleshooting Single Sign-On Due to Trusting Party Issues (http://aka.ms/tqhxeq)

Article Info
Article ID : 2383983
Revision : 17
Created on : 3/11/2013
Published on : 3/11/2013