|Applies To||RSA Product Set: RSA SecurID Access|
RSA Product/Service Type: Cloud
|Issue||Authentication to O365 succeeds for some users and fails intermittently for others. After authenticating, the affected users see the following error:|
Sorry but we're having trouble signing you in.
ADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.
The activity monitor shows that the user authenticated successfully. The successful authentication is followed by a logout entry for the same user, and then by another authentication request, which receives a response that the user is already authenticated.
|Cause||This error occurs when session persistence to the identity router (IDR) is lost: multiple IDRs sit behind a load balancer, and session persistence is not configured on that load balancer.|
This error message also appears if you have configured multiple IDRs with the same portal hostname. This causes the load balancer to open a session with the wrong IDR during the authentication process.
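The event sequence described under Issue (success, logout, then "already authenticated") can be searched for in exported authentication events to confirm which users are affected. The following is an added example, not RSA code: the record layout, the event names and the `idr` field are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events: timestamp,user,event,idr
# Layout and event names are assumptions, not an RSA export format.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01,alice,AUTH_SUCCESS,idr-1
2024-05-01T09:00:02,alice,LOGOUT,idr-2
2024-05-01T09:00:03,alice,AUTH_ALREADY_AUTHENTICATED,idr-1
2024-05-01T09:05:10,bob,AUTH_SUCCESS,idr-2
2024-05-01T09:40:00,bob,LOGOUT,idr-2
2024-05-01T10:00:00,carol,AUTH_SUCCESS,idr-1
2024-05-01T10:00:01,carol,LOGOUT,idr-1
2024-05-01T10:00:02,carol,AUTH_ALREADY_AUTHENTICATED,idr-1
"""

# The three consecutive per-user events the article describes.
PATTERN = ("AUTH_SUCCESS", "LOGOUT", "AUTH_ALREADY_AUTHENTICATED")

def parse(text):
    """Return (timestamp, user, event, idr) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, idr = (f.strip() for f in line.split(","))
        events.append((datetime.fromisoformat(ts), user, event, idr))
    return sorted(events)

def find_broken_sessions(events, window=timedelta(seconds=30)):
    """Flag users whose events match PATTERN within `window`."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[1], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for i in range(len(evs) - 2):
            trio = evs[i:i + 3]
            if tuple(e[2] for e in trio) != PATTERN:
                continue
            if trio[2][0] - trio[0][0] > window:
                continue  # too far apart to be one sign-in attempt
            idrs = sorted({e[3] for e in trio})
            findings.append({"user": user, "start": trio[0][0],
                             "idrs": idrs, "split_across_idrs": len(idrs) > 1})
    return findings

if __name__ == "__main__":
    for finding in find_broken_sessions(parse(SAMPLE_EVENTS)):
        print(finding)
```

A finding with `split_across_idrs` set shows one sign-in attempt handled by more than one IDR, which is what lost session persistence at the load balancer would produce.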
|Resolution||To resolve this issue:|