Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

"Sorry, but we're having trouble signing you in" and "80045C06" error when a federated user tries to sign in to Office 365, Azure, or Intune


View products that this article applies to.

PROBLEM

When a federated user tries to sign in to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune from a sign-in webpage whose URL starts with https://login.microsoftonline.com/login, authentication for that user is unsuccessful. The user gets the following error message:
Sorry, but we're having trouble signing you in

Please try again in a few minutes. If this doesn't work, you might want to contact your admin and report the following error:
80045C06

↑ Back to the top


CAUSE

This issue can occur if the time setting in the on-premises environment doesn't match the time setting of the Microsoft Azure Active Directory (Azure AD) authentication system. Where the time difference between Active Directory Federation Services (AD FS) clients or servers and the Azure AD authentication system is more than 5 minutes, logons by federated users will fail. This may occur if one or more of the following conditions are true:
  • The client computer or computers aren't syncing correctly with the on-premises Active Directory.
  • The AD FS service components aren't syncing correctly with the on-premises Active Directory.
  • The on-premises Active Directory Primary Domain Controller (PDC) emulator isn't syncing to an accurate Internet time source.
  • The token validity period for AD FS claims is too short.

↑ Back to the top


SOLUTION

To resolve this issue, use one of the following methods:

Method 1: Set up client computers and AD FS servers to use the on-premises Active Directory PDC emulator as a Network Time Protocol (NTP) time source

  1. Set up client computers and the AD FS servers to correctly sync time from the on-premises Active Directory PDC emulator. For more info about how to do this, go to Configure a client computer for automatic domain time synchronization.
  2. Make sure that IP connectivity between client computers and AD FS servers and the on-premises Active Directory PDC emulator is available on UDP port 123.

Method 2: Set up the on-premises Active Directory PDC emulator to use a reliable Internet-based NTP time source

  1. Set up the on-premises Active Directory PDC emulator to sync time from a trusted Internet NTP source. For more info about how to do this, go to Configuring a time source for the forest.
  2. Make sure that IP connectivity between the Active Directory PDC Emulator and the Internet time source is available on UDP port 123.

Method 3: Update the token validity period

The token validity period for AD FS should not be less than five minutes. To change the token validity period, go to Claims-based authentication and security token expiration.

↑ Back to the top


MORE INFORMATION

For more information about how to identify the PDC emulator, go to Identify the PDC emulator.

For more information about the Windows Time service, go to Windows Time Service Technical Reference.

↑ Back to the top


Keywords: kbcrossrefol, mop, tsg, azuread, vkbportal343, vkbportal339, o365m, uacrossref, yespartner, o15, o365022013, idfed, o365e, kb, mosdal4.5, o365a, o365, vkbportal237, vkbportal231, adfs

↑ Back to the top

Article Info
Article ID : 2578667
Revision : 1
Created on : 1/7/2017
Published on : 12/16/2016
Exists online : False
Views : 662