Windows Intune "Sorry, but we’re having trouble signing you in" error "80041317"


When you change the configuration of the federated domain in the on-premises Active Directory Federation Services (AD FS) service, make sure that the same settings are also updated in the Windows Azure Active Directory (Windows Azure AD) authentication system. Last week I updated my on-premises token-signing certificate without updating the federation trust data. This causes the claim that the AD FS service supplies to be malformed and therefore rejected by the Windows Azure AD authentication system.

When a federated user tries to sign in to a Microsoft cloud service such as Office 365, Windows Azure, or Windows Intune from a sign-in webpage whose URL starts with “https://login.microsoftonline.com/login”, authentication for that user fails. Additionally, the user receives the following error message:

Sorry, but we’re having trouble signing you in
Please try again in a few minutes. If this doesn’t work, you might want to contact your admin and report the following error:
80041317 or 80043431

Cause

To verify that this is the cause, follow these steps on a domain-joined computer:

  1. Verify the mismatched attribute between the AD FS service and the Microsoft cloud service. To do this, follow these steps:
    1. Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
    2. At the command prompt, type the following commands. Make sure that you press Enter after you type each command:
      1. $cred = get-credential

        Note When you’re prompted, enter your cloud service admin credentials.

      2. Connect-MSOLService -credential:$cred
      3. Set-MSOLADFSContext -Computer:<AD FS x.0 Server Name>

        Note In this command, the placeholder <AD FS x.0 Server Name> represents the Windows host name of the primary AD FS server.

      4. Get-MsolFederationProperty -domainname: <Federated Domain Name>

        Note In this command, the <Federated Domain Name> placeholder represents the name of the domain that’s already federated with the cloud service for single sign-on (SSO).


      Note
      The command output is divided into the following two sections:

      • The first line of the first section reads “Source: AD FS Server” and represents the configuration that’s stored in the local AD FS service.
      • The first line of the second section reads “Source: <Microsoft cloud service>” and represents the configuration that’s stored in the identity service.
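
The comparison of the two sections can be scripted. The following is an added example, not part of the original post or the Microsoft KB article: the function name Compare-FederationProperty and the sample values are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Lists every attribute whose value
# differs between the local AD FS section and the cloud service section.
function Compare-FederationProperty {
    param(
        [Parameter(Mandatory = $true)] $Local,  # section with "Source: AD FS Server"
        [Parameter(Mandatory = $true)] $Cloud   # section with "Source: <Microsoft cloud service>"
    )
    # Certificates are compared by thumbprint, everything else as trimmed text.
    $normalize = {
        param($value)
        if ($value -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
            $value.Thumbprint
        } else {
            "$value".Trim()
        }
    }
    foreach ($name in ($Local.PSObject.Properties | ForEach-Object { $_.Name })) {
        if ($name -eq 'Source') { continue }    # always differs by design
        $adfsValue  = & $normalize $Local.$name
        $cloudValue = & $normalize $Cloud.$name
        if ($adfsValue -ne $cloudValue) {
            [pscustomobject]@{ Attribute = $name; ADFS = $adfsValue; Cloud = $cloudValue }
        }
    }
}

# Constructed sample standing in for real command output (all values made up).
$adfs = [pscustomobject]@{
    Source                      = 'AD FS Server'
    FederationServiceIdentifier = 'http://sts.example.test/adfs/services/trust'
    TokenSigningCertificate     = 'CONSTRUCTED-NEW-THUMBPRINT'
}
$cloud = [pscustomobject]@{
    Source                      = '<Microsoft cloud service>'
    FederationServiceIdentifier = 'http://sts.example.test/adfs/services/trust'
    TokenSigningCertificate     = 'CONSTRUCTED-OLD-THUMBPRINT'
}
Compare-FederationProperty -Local $adfs -Cloud $cloud | Format-List

# Real use, after the Connect-MSOLService and Set-MSOLADFSContext steps above:
#   $p = @(Get-MsolFederationProperty -DomainName '<Federated Domain Name>')
#   Compare-FederationProperty -Local $p[0] -Cloud $p[1]
```

With the constructed sample, only TokenSigningCertificate is reported. An empty result means the two sections agree.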


Solution

To update the configuration of the Office 365 federated domain on a domain-joined computer that has Windows Azure Active Directory Module for Windows PowerShell installed, follow these steps:

  1. Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
  2. At the command prompt, type the following commands, and press Enter after each command:
    1. $cred = get-credential

      Note When you’re prompted, enter your Office 365 administrator credentials.

    2. Connect-MSOLService -credential:$cred
    3. Set-MSOLADFSContext -Computer:<AD FS 2.0 Server Name>

      Note In this command, the placeholder <AD FS 2.0 Server Name> represents the Windows host name of the primary AD FS server.

    4. Update-MSOLFederatedDomain -DomainName:<Federated Domain Name>

After synchronizing the on-premises Active Directory Federation Services (AD FS) configuration to the Windows Azure Active Directory (Windows Azure AD) authentication system, I was again able to benefit from single sign-on.


Source: http://support.microsoft.com/kb/2647020/en-us
