Connect Health and Azure sign-ins data for AD FS

Below is a list of all Connect Health error codes that are relevant to AD FS. Learn more about Connect Health for AD FS.

Error codes
| Error code | Error number | Description | Remediation information |
| --- | --- | --- | --- |
| TokenIssuanceError | 50000 | The user was not able to sign in because of issuance authorization errors. | Check the Issuance Authorization rules and check whether they include "Permit All". If not, go through the custom authorization rules to check whether the condition in that rule will evaluate to true for the affected user. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| CertificateValidationFailed | 50017 | The user was not able to sign in because certificate-based authentication failed. | Troubleshoot certificate-based authentication. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| UserDisabled | 50057 | The user was not able to sign in because the user's account is disabled. | Verify whether the account has been locked out in Active Directory and re-enable the user if necessary. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| InvalidUserNameOrPassword | 50126 | The user was not able to sign in because the user did not enter the right credentials. | Check whether the affected user's password is incorrect, newly changed, or expired. If these do not apply, check service account permissions and AD trust. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| InvalidPasswordExpiredOnPremPassword | 50144 | The user was not able to sign in because the user's password is expired. | The user should change their password at the next attempted login. |
| DeviceAuthenticationFailed | 50155 | The user was not able to sign in because device authentication failed. | Verify that the device is synced from cloud to on-prem or is not disabled. Sync cycles may be delayed since it syncs the Key after the object is synced. |
| UnspecifiedError | 90000 | Catch-all for any other error conditions. | For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| AuthorityCertificateResolveError | 300010 | The user was not able to sign in because AD FS rejected the token from a 3rd party IDP. | Verify the correct configuration of the signing certificate and encryption certificate on AD FS and the Claims Provider Trust. For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| MfaTokenValidationFailure | 300020 | The user was not able to sign in because of a problem during token validation at the MFA layer. | For additional details, check the AD FS logs with the correlation ID and Server Name from the sign-in. |
| AccountExtranetLockedOut | 300030 | The user was not able to sign in because the user was locked out from the extranet. | Troubleshoot extranet lockout settings and multiple user lockouts. Reset the user lockout with the Reset-ADFSAccountLockout PowerShell cmdlet. For additional information on ESL, view this document. |