Forum Discussion
AADSTS20001: The sign-in response message does not contain an issued token.
Hi All,
I am currently upgrading the ADFS server, which is on Windows Server 2008.
I followed this article https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/migrate-ad-fs-fed-server-r2
So I have one ADFS on Windows Server 2008 and one on Windows Server 2012. I migrated the configuration with the PowerShell scripts
export-federationconfiguration.ps1
import-federationconfiguration.ps1
Everything went OK, but I could not even log in to https://login.microsoftonline.com/; eventually the error said: fs.mydomain.com took too long.
So I decided to migrate manually, reinstalled the Federation Service, and added items one by one from the 2008 ADFS, such as Endpoints, Claim Descriptions, Claims Provider Trusts, Relying Party, etc.
I could open the page https://fs.mydomain.com and enter my username and password, that is where I got the error message described above.
I also checked the Diagnostics Analyzer online at https://adfshelp.microsoft.com/ and the result seems to be fine.
If anyone could help me, that would be much appreciated.
Regards
3 Replies
- LeonPavesic (Silver Contributor)
Hi Dzung Vu,
The error AADSTS20001, indicating that the sign-in response message lacks an issued token, is often linked to AD FS (SSO) configuration. You can use these steps for troubleshooting:
1. Check SSO Configuration: Test SSO with a colleague under the same domain to isolate account configuration issues¹.
2. Perform Office 365 SSO Test: Use Microsoft Remote Connectivity Analyzer for an Office 365 SSO test.
3. Verify AD FS Configuration: Look for misconfigurations preventing proper token issuance.
4. Review Application Registration: Register the application on either Azure AD or ADFS, not both.
5. Inspect Configured Rules: Errors in rules can lead to failed logins without token inclusion.
Useful links for more info:
(1) [Microsoft Community](https://answers.microsoft.com/en-us/msoffice/forum/all/sign-in-error-aadsts20001-signin-response-message/a3a3b782-efec-46bd-97aa-fbb042f60f7d)
(2) [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/)
(3) [Microsoft Learn](https://learn.microsoft.com/en-us/answers/questions/15141/ad-fs-saml-sign-on-with-azure-ad-enterprise-app-aa)
- Dzung Vu (Copper Contributor)
Hi LeonPavesic,
Thank you for the help and links.
1. Check SSO config: I did check with a different user; it is the same error.
2. I cannot seem to find the Office 365 SSO test from this link https://testconnectivity.microsoft.com/tests/o365
3. Verify ADFS Config: I have been trying to match all configurations between the 2 servers (Server 2008 ADFS 2.0 and Server 2012 ADFS 3.0). As I mentioned, I did test on ADFS Help online at https://adfshelp.microsoft.com/ and I passed everything.
4. Would you please give me more detail on the application registration?
5. I cannot seem to find any errors in the configured rules.
Kind Regards
- Dzung Vu (Copper Contributor)
Hi All,
Never mind, I decided not to upgrade; instead I'll migrate from federation to cloud authentication.
Kind Regards