Identity Management, Troubleshooting and Solutions for using Urbana Single Sign-On Pages

This article is for Help Desks and IT Pros, to assist campus users with using the AzureAD single sign-on page protecting Microsoft365 and Shibboleth applications.

Urbana users logging into Microsoft365 (Outlook, Word, Excel, etc.) or Shibboleth (Canvas, Box, Zoom, Moodle, etc.) applications will now authenticate with their full login address (most likely their University email address, netid@illinois.edu)

An overview of the Urbana Single Sign-On pages can be found here (Identity Management, Urbana Single Sign-On Pages) and an overview of the Duo Universal Prompt can be found here (2FA, Duo Universal Prompt Overview).

Possible Issues:

Error message: Message: AADSTS50107: The requested federation realm object 'http://illinois.edu/adfs/services/trust/' does not exist.

Ensure that you're not using an old bookmark. The email login URL is https://outlook.office.com.
If you're using a fresh URL and still encountering the above error, try clearing cache and cookies for your browser using the instructions here: Browsers, Clearing Cache and Cookies

Incorrect login address

AzureAD - the technology behind our new sign-in pages - uses the UserPrincipalName attribute as the login address. For most people, this will be their email address.

NOTE for IT Pros:

Some non-person accounts (also known as resource or service accounts) have a UserPrincipalName with the @ad.uillinois.edu domain.
Accounts must be synced to AzureAD in order to be used for authentication. Newly created objects may take an hour or so to be synced up to the cloud. Existing service accounts need to have the O365 attribute and proper UPN to be set or be mail enabled. More information here: Azure Active Directory - How Do I Provision an Account or Group to AzureAD?
IT Pros can verify an account's UserPrincipalName with the following PowerShell command (make sure the Active Directory module is installed): Get-ADUser $accountname | select UserPrincipalName

If a user attempts to log in with just their NetID or with an incorrect login address, their login attempt will fail. Depending on what they type in, they may experience one of the following:

An error message stating "This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin."
An error message stating "We couldn't find an account with that username. Try another, or get a new Microsoft account."

'Forgot Password' Link

The AzureAD login page features some customization specific to our campus, however currently the 'Forgot Password' link directs to a Microsoft Self-Service Password Reset (SSPR) page, instead of to our NetID Center. Users who attempt to reset their password through the Microsoft SSPR page will not be successful. This is the same for the 'reset it now' link if users enter an incorrect password.

Instead, if users are having issues with their password, they can click on the 'Change your password' link, in the 'Troubles logging in?' section.

See the below screenshot depicting where users should click:

Screenshot indicating users should click on change your password if having issues logging in

Duo Prompt Message: "No access to server. The page cannot load without access to your server"

This issue can occur if your Windows operating system is out of date. Resolution would be to update the impacted machine to Windows patch 1909 or greater.

Additional information can be found here.

Duo error message cannot access server

Potential Browser Issues

The AzureAD login page has been thoroughly tested for compatibility, but it is still possible that issues will be encountered:

JavaScript is required for AzureAD sign-on pages (and is typically enabled by default in a browser). If a user receives a message related to JavaScript being disabled or blocked, please have them check browser settings or attempt logging in via a different browser.
The AzureAD login page is located at login.microsoftonline.com and the Duo Universal Prompt is located at duosecurity.com. Please make sure these domains are whitelisted if needed.
In addition, the interest of user and system security, a minimum browser version is enforced for logins. The minimum supported versions for the browsers listed have all been released for at least four years.
Minimum browser versions that support the 'SameSite' cookie attribute:
- Chrome version 61
- Edge version 16
- Firefox version 60
- Safari version 12
- Users may see a Shibboleth stale request window like the one below if using an old unsupported browser:

If standard troubleshooting steps have been followed and a user is still experiencing a browser based login issue, please note what has been tried so far and send a ticket to the Help Desk.