Office 2013 / ADFS / SharePoint Online: users are unable to authenticate to SharePoint Online from Office applications.
The credentials work fine from IE to access SharePoint online.
Office 2010 works fine.
If the logged-in Windows user does not match the ADFS user account used to access SharePoint Online, Office 2013 will work.
Office 2013 has a design change from Office 2010 concerning authentication. It now uses the ADFS Windows transport endpoint. If this endpoint is disabled, end users will be prompted for credentials each time they access SharePoint Online. If the Windows transport endpoint in ADFS is enabled but unreachable for some reason, then Office will be unable to authenticate.
Ensure your ADFS server is configured according to:
Possible solution for this type of issue
If the above fails, turn on IDCRL tracing on the client with this registry file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSOIdentityCRL\Trace]
"Folder"="C:\\MSOTrace"
"Flags"=dword:00000001
"level"=dword:00000099

Reproduce the issue and open the file found at c:\msotrace.
Look for the "WinHttpQueryHeaders returns 401" string in the log after the first "## SOAP Request:" occurrence.
If you find this, it is possible that a proxy server between the client and the ADFS server is stripping out needed Windows authentication packet contents.
If you still have not found the issue, look for a "## SOAP Response:" string. It should start like this:
## SOAP Response:<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"xmlns:a="ht …..continues…
If you have a non-SOAP response, like the contents of an HTML page, it is possible that your proxy server is terminating the request at the proxy and sending back content of its own instead of forwarding the request to the ADFS server.
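The two log checks above can be scripted. The following Python is an added example, not part of the original post or of any Microsoft tool. It assumes the trace has been read as text and that the response body follows the "## SOAP Response:" marker on the same or the next line; the sample traces are constructed.

```python
import re

REQ = "## SOAP Request:"
RESP = "## SOAP Response:"
HTTP_401 = "WinHttpQueryHeaders returns 401"
# Assumption: a SOAP body starts with an Envelope element, optionally
# preceded by an XML declaration; anything else is treated as non-SOAP.
SOAP_START = re.compile(r"(?:<\?xml[^>]*\?>\s*)?<(?:\w+:)?Envelope\b")


def triage_idcrl_trace(text):
    """Return (finding, detail) tuples for the two checks in the steps above."""
    start = text.find(REQ)
    if start == -1:
        return [("no-soap-request", "no SOAP request in trace")]
    tail = text[start:]  # only look after the first SOAP request
    findings = []
    if HTTP_401 in tail:
        findings.append(("401-after-request",
                         "a proxy may be stripping Windows authentication"))
    for m in re.finditer(re.escape(RESP), tail):
        body = tail[m.end():].lstrip()
        if not SOAP_START.match(body):
            # Keep the first line so the HTML/proxy page can be identified.
            first_line = body.splitlines()[0][:80] if body else ""
            findings.append(("non-soap-response", first_line))
    return findings


# Constructed sample traces (not real IDCRL output).
ENVELOPE = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"></s:Envelope>'
SAMPLE_HEALTHY = f"{REQ}\n{ENVELOPE}\n{RESP}{ENVELOPE}\n"
SAMPLE_PROXY = (
    f"{REQ}\n{ENVELOPE}\n"
    f"{HTTP_401}\n"
    f"{RESP}<html><head><title>Proxy Error</title></head></html>\n"
)

if __name__ == "__main__":
    for name, trace in (("healthy", SAMPLE_HEALTHY), ("proxy", SAMPLE_PROXY)):
        print(name, triage_idcrl_trace(trace))
```

An empty result means neither symptom was found in the trace; a "non-soap-response" finding carries the first line of the unexpected body so the intercepting device can be identified.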
Other links of interest:
How to diagnose SSO issues, analyzer tool: http://support.microsoft.com/kb/2650717/en-us
Office 365 and ADFS… Active Directory Federation Service Installation: http://social.technet.microsoft.com/wiki/contents/articles/9082.office-365-adfs-active-directory-federation-service-installation.aspx
SSO authentication to Office 365 fails after you change AD FS 2.0 service endpoint settings in the AD FS 2.0 Management Console: http://support.microsoft.com/kb/2712957
A federated user is repeatedly prompted for credentials during sign-in to Office 365: http://support.microsoft.com/kb/2461628
Overview of identity, authentication, and authorization in Office 2013: http://technet.microsoft.com/en-us/library/jj683102.aspx
Troubleshoot single sign-on setup in Office 365: http://support.microsoft.com/kb/2530569
ADFS single sign-on. Checklist: Use AD FS to implement and manage single sign-on: http://technet.microsoft.com/en-us/library/jj205462.aspx
Geek of All Trades: Office 365 SSO: A Simplified Installation Guide: http://technet.microsoft.com/en-us/magazine/jj631606.aspx
SSO authentication to Office 365 fails after you change AD FS 2.0 service endpoint settings in the AD FS 2.0 Management Console (ADFS END POINT LISTING): http://support.microsoft.com/kb/2712957
401 errors from ADFS Windows Transport: http://support.microsoft.com/kb/2839539