Troubleshoot Azure Active Directory Seamless Single Sign-On
While enabling or using Azure AD Seamless Single Sign-On (SSO), you may run into any of the following known issues:
- Enabling Seamless SSO takes a significant amount of time.
- If Seamless SSO is disabled and re-enabled on the tenant, users will not get the SSO experience until their cached Kerberos tickets (typically valid for 10 hours) expire.
- When Seamless SSO succeeds, the user does not get the opportunity to select Keep me signed in. Because of this, SharePoint and OneDrive drive-mapping scenarios don't work.
- Seamless SSO is non-functional in Mozilla Firefox's Private Browsing mode.
- Seamless SSO is non-functional in Internet Explorer when the Enhanced Protected mode is enabled.
- Seamless SSO is non-functional on mobile browsers on iOS and Android devices.
- If a user is a member of a large number of Active Directory (AD) groups, the user's Kerberos ticket may be too large to process, and Seamless SSO fails. Azure AD HTTPS requests can carry headers of at most 50 KB, and the Kerberos ticket must fit under that limit alongside the other artifacts (such as cookies) sent in the same request. The fix is to reduce the user's group memberships and try again.
- If you are synchronizing 30 or more AD forests, Seamless SSO cannot be enabled through Azure AD Connect. As a workaround, enable the feature manually on the tenant.
- Adding the Azure AD service URL (https://autologon.microsoftazuread-sso.com) to the Trusted sites zone instead of the Local intranet zone prevents users from signing in.
Troubleshooting checklist
Use the following checklist to troubleshoot Seamless SSO problems:
- Ensure that the Seamless SSO feature is enabled in Azure AD Connect. If you cannot enable the feature (for example, due to a blocked port), ensure that you have all the prerequisites in place.
- If you have enabled both Azure AD Join and Seamless SSO on the tenant, ensure that the issue is not with Azure AD Join. SSO from Azure AD Join takes precedence over Seamless SSO if the device is both registered with Azure AD and domain-joined. With SSO from Azure AD Join the user sees a sign-in tile that says "Connected to Windows".
- Ensure that the Azure AD URL (https://autologon.microsoftazuread-sso.com) is in the user's Local intranet zone (not the Trusted sites zone).
- Ensure that the corporate device is joined to the AD domain. The device doesn't need to be Azure AD Joined for Seamless SSO to work.
- Ensure that the user is signed in to the device with an AD domain account, not a local account.
- Ensure that the user's account is from an AD forest where Seamless SSO has been enabled.
- Ensure that the device is connected to the corporate network.
- Ensure that the device's time is synchronized with the time in both AD and the domain controllers, and that the clocks are within five minutes of each other (the default Kerberos skew tolerance).
- Ensure that the AZUREADSSOACC computer account is present and enabled in each AD forest for which you want Seamless SSO enabled. If the computer account has been deleted or is missing, you can use the Azure AD Connect PowerShell cmdlets to re-create it.
- List the existing Kerberos tickets on the device by running klist from a command prompt. Ensure that a ticket issued for the AZUREADSSOACC computer account (service principal HTTP/autologon.microsoftazuread-sso.com) is present. Users' Kerberos tickets are typically valid for 10 hours, but your AD may be configured differently.
- If Seamless SSO has been disabled and re-enabled on the tenant, users will not get the SSO experience until their cached Kerberos tickets have expired.
- Purge the existing Kerberos tickets from the device with klist purge, and try again.
- To determine if there are JavaScript-related problems, review the console logs of the browser (under Developer Tools).
- Review the domain controller logs.
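The following PowerShell script is an added example, not code from the original page, from ManageEngine or from Microsoft. It runs the checklist above on a domain-joined Windows client as the affected user, and also reports the group count behind the oversized-ticket issue from the known-issues list. Only built-in tooling is used (ADSI, w32tm, klist, the registry), so RSAT is not required. The registry locations checked for the zone assignment, the function names and the 300-second skew threshold are assumptions made for this example.

```powershell
# Added example (not from the original page, ManageEngine or Microsoft): runs the
# Seamless SSO troubleshooting checklist on a domain-joined Windows client as the
# affected user. Built-in tools only (ADSI, w32tm, klist, registry); no RSAT needed.

function Get-SsoUrlZone {
    # Zone assigned to https://autologon.microsoftazuread-sso.com:
    # 1 = Local intranet (required), 2 = Trusted sites (breaks sign-in), $null = not mapped.
    # Assumption: GPO "Site to Zone Assignment List" lands under the Policies hives,
    # manual assignments under the non-policy hives; both are checked.
    $roots = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    foreach ($root in $roots) {
        $key = Join-Path $root 'microsoftazuread-sso.com\autologon'
        $v = Get-ItemProperty -Path $key -Name https -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.https }
    }
    return $null
}

function Test-AzureAdSsoComputerAccount {
    # Looks up AZUREADSSOACC$ in the current domain via ADSI. Bit 0x2 of
    # userAccountControl is ACCOUNTDISABLE. Re-run in each forest you synchronize.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = '(&(objectCategory=computer)(sAMAccountName=AZUREADSSOACC$))'
    [void]$s.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'distinguishedName'))
    $r = $s.FindOne()
    if ($null -eq $r) { return [pscustomobject]@{ Present = $false; Enabled = $false; DN = $null } }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Present = $true
        Enabled = (($uac -band 0x2) -eq 0)
        DN      = [string]$r.Properties['distinguishedname'][0]
    }
}

function Get-DcClockOffsetSeconds {
    # One w32tm sample against the PDC emulator; data lines look like
    # "10:00:00, +00.0012345s". Kerberos tolerates 5 minutes of skew by default.
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $out = (& w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1) -join "`n"
    $m = [regex]::Match($out, '([+-]\d+\.\d+)s')
    if ($m.Success) { [double]$m.Groups[1].Value } else { $null }
}

function Test-SeamlessSsoTicket {
    # The Seamless SSO ticket is for the SPN HTTP/autologon.microsoftazuread-sso.com,
    # registered on AZUREADSSOACC. It is only requested once a browser actually hits
    # the autologon URL, so an empty result right after logon is expected.
    $cache = (& klist 2>&1) -join "`n"
    return [bool]($cache -match 'autologon\.microsoftazuread-sso\.com')
}

function Test-SeamlessSsoPrereqs {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $acct = Test-AzureAdSsoComputerAccount
    $skew = Get-DcClockOffsetSeconds
    $zone = Get-SsoUrlZone

    $checks = [ordered]@{
        'Device joined to AD domain'          = [bool]$cs.PartOfDomain
        'Logged on with a domain account'     = ($env:USERDOMAIN -ne $env:COMPUTERNAME)
        'AZUREADSSOACC present'               = $acct.Present
        'AZUREADSSOACC enabled'               = $acct.Enabled
        'Clock within 5 min of DC'            = ($null -ne $skew -and [math]::Abs($skew) -lt 300)
        'autologon URL in Local intranet'     = ($zone -eq 1)
        'Kerberos ticket for SSO SPN cached'  = (Test-SeamlessSsoTicket)
    }
    foreach ($k in $checks.Keys) {
        '{0,-38} {1}' -f $k, $(if ($checks[$k]) { 'OK' } else { 'FAIL' })
    }
    # Group count is what inflates the Kerberos ticket toward the 50 KB header limit.
    "User: $($id.Name)  Groups in token: $($id.Groups.Count)  Clock offset: $skew s  Zone: $zone"
    if ($zone -eq 2) { 'Move https://autologon.microsoftazuread-sso.com from Trusted sites to Local intranet.' }
    if (-not $checks['Kerberos ticket for SSO SPN cached']) {
        'Run "klist purge", sign in to an Azure AD application in the browser, then re-run this script.'
    }
}

Test-SeamlessSsoPrereqs
```

Run the script as the user who cannot get SSO, on the device they are using; a FAIL on the zone or clock checks points at client configuration, while a missing or disabled AZUREADSSOACC points at the forest-side setup done by Azure AD Connect.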
Setting up Azure AD Connect Seamless SSO is a complex process; its configuration and troubleshooting involve multiple steps and commands. ADSelfService Plus, an Active Directory self-service password management and SSO solution, offers an SSO feature that lets users log in to the AD domain and then access Azure AD/Office 365 without providing their credentials again. Enabling this feature involves minimal steps. Check out this guide to learn more.
Benefits of SSO using ADSelfService Plus:
- SSO to major enterprise applications including Azure AD/Office 365, G Suite, and Salesforce.
- Choose the OUs and groups whose users get to access Azure AD/Office 365 using SSO.
- Protect SSO-enabled enterprise applications with multi-factor authentication.
Simplify password management with ADSelfService Plus.
Self-service password management and single sign-on solution
ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.