Identity Management, Troubleshooting and Solutions for using Urbana Single Sign-On Pages

This article is for Help Desks and IT Pros, to assist campus users with using the AzureAD single sign-on page protecting Microsoft365 and Shibboleth applications.

Urbana users logging into Microsoft365 (Outlook, Word, Excel, etc.) or Shibboleth (Canvas, Box, Zoom, Moodle, etc.) applications will now authenticate with their full login address. Most likely, this is their University email address, netid@illinois.edu.

An overview of the Urbana Single Sign-On pages can be found here (Identity Management, Urbana Single Sign-On Pages) and an overview of the Duo Universal Prompt can be found here (Multi-Factor Authentication (MFA), Introduction).

"AADSTS50107: The requested federation realm object 'http://illinois.edu/adfs/services/trust/' does not exist"

This usually means that Outlook is being accessed through an old bookmark that's no longer pointing to the correct URL. The email login URL will always be up-to-date here: https://go.illinois.edu/owa. If using this URL still doesn't work, try clearing your browser's cache and cookies. Browsers, Clearing Cache and Cookies.

"We couldn't find an account with that username" and similar errors

There are several variations of this error:

  • We couldn't find an account with that username. Try another, or get a new Microsoft account. This can be resolved by double checking the spelling of your username, as well as making sure the domain is included. Microsoft login pages MUST use a domain (such as @illinois.edu) to work! Most accounts will be formatted as NetID@illinois.edu. System office employees will use NetID@uillinois.edu instead.
  • We couldn't find an account with that username. Identical to the first error, though this error will only occur on University-branded Microsoft login pages. The same fix should apply; make sure the email is formatted as NetID@illinois.edu (or @uillinois.edu for system office employees).
  • This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin. This error usually occurs the wrong domain is used on the login email. For instance, if an account can be logged into using ExampleEmail@ad.uillinois.edu, this error may occur if you try to log in using ExampleEmail@illinois.edu instead.

NOTE for IT Pros:

AzureAD - the technology behind our new sign-in pages - uses the UserPrincipalName attribute as the login address. For most people, this will be their email address.

  • Some non-person accounts (also known as resource or service accounts) have a UserPrincipalName with the @ad.uillinois.edu domain.
  • Accounts must be synced to AzureAD in order to be used for authentication. Newly created objects may take an hour or so to be synced up to the cloud. Existing service accounts need to have the O365 attribute and proper UPN to be set or be mail enabled. More information here: Azure Active Directory - How Do I Provision an Account or Group to AzureAD?
  • IT Pros can verify an account's UserPrincipalName with the following PowerShell command (make sure the Active Directory module is installed): Get-ADUser $accountname | select UserPrincipalName

"Sign-in is blocked, you've tried to sign in too many times with an incorrect account or password"

When logging into a Microsoft login page, if only a NetID is entered, it should say that the account doesn't exist. However, for some users, it will accept the NetID and proceed as if nothing is wrong. No matter what password is entered in this state, users will be met with an error, stating:

  • Sign-in is blocked. You've tried to sign in too many times with an incorrect account or password. Sign-in with [NetID] is blocked for one of these reasons: Someone entered the wrong password too many times. If you signed up for this account through an organization, you might not be able to use it yet.

Microsoft sign-in blocked error

To resolve this issue, simply go back to the login page and type in the full email address, rather than just a NetID.

"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials"

When logging into a Microsoft login page, if only a NetID is entered, most of the time, it will say that the account doesn't exist. However, for some users, it will take the NetID and proceed as if nothing is wrong. The login page will then sometimes ask if it's a work/school account, or a personal account. If work/school account is selected, this error will show up:

  • Sorry, but we're having trouble signing you in. AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.

Microsoft sign-in blocked error

To resolve this issue, simply go back to the login page and type in the full email address, rather than just a NetID.

Duo Mobile Error Message: "No access to server. The page cannot load without access to your server"

This issue usually occurs if your Windows operating system is out of date. To fix this, make sure your version of Windows is patch 1909 or higher. Additional information can be found here.

Duo Mobile error message that reads: No access to server. The page cannot load without access to your server.

Potential Browser Issues

The AzureAD login page has been thoroughly tested for compatibility, but it is still possible that issues will be encountered:

  • JavaScript is required for AzureAD sign-on pages (and is typically enabled by default in a browser). If a user receives a message related to JavaScript being disabled or blocked, please have them check browser settings or attempt logging in via a different browser.
  • Adblockers may, under some circumstances, interfere with the function of login pages. Make sure the domains login.microsoft.com and duosecurity.com are whitelisted if login issues are present.
  • In the interest of user and system security, a minimum browser version is enforced for logins. The minimum supported versions for the browsers listed have all been released for at least four years. Minimum browser versions that support the 'SameSite' cookie attribute:
    • Chrome: Version 51
    • Microsoft Edge: Version 16
    • Mozilla Firefox: Version 60
    • Safari: Version 14.1
    • Opera: Version 39

    If using an unsupported browser, users may be met with this error message:

    Shibboleth stale request window

    If standard troubleshooting steps have been followed and a user is still experiencing a browser-based login issue, please note what has been tried so far and send a ticket to the Help Desk.



Keywordsshibboleth azure ad azuread sso single sign on sign-on login page shib error troubleshooting issues AADSTS50107 AADSTS90019 realm federation object does not exist sign in blocked too many times incorrect account or password email locked outlook microsoft tenant identifying   Doc ID120537
OwnerID M.GroupUniversity of Illinois Technology Services
Created2022-08-11 22:33:02Updated2023-07-21 12:53:48
SitesUniversity of Illinois System, University of Illinois Technology Services
Feedback  0   0