Unable to open https://login.microsoftonline.com

  • Question

  • Hi.

    I'm currently having trouble opening https://login.microsoftonline.com on a Windows Server 2016 running IE11.1198.14393.0 (Update version: 11.0.42, KB4018271). It displays a limited page with the text "It looks like you're on a slow connection. We've disabled some images to speed things up."

    Some troubleshooting reveals that IE is unable to load a script:

    SCRIPT5022: Failed to load external resource ['https://secure.aadcdn.microsoftonline-p.com/ests/2.1.5975.9/content/cdnbundles/jquery.1.11.min.js']

    If I try to open this URL/script directly I only get a "This page can’t be displayed" and the developers console shows that dnserror.htm has been loaded.
    I've also tried opening the file using http (not https) which also works. Upon finding that out I tried enabling/disabling different SSL/TLS options. When disabling SSL3.0 and TLS1.0 I get a different response, "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings"

    All updates have been applied on Windows. I've tried resetting IE both clearing history, cookies, temp files and using the reset button under the Advanced tab. I have also re-installed IE using this command:
    dism /online /disable-feature:"Internet-Explorer-Optional-amd64"

    Everything works in Chrome by the way. The reason why I don't just stick to Chrome is that I use this server as an admin point and run powershell scripts that are using both my domain admin, and Office365/ExchangeOnline credentials.

    Wednesday, May 31, 2017 10:48 AM

All replies

  • Hi,

    Server versions of windows / IE use enhanced IE security settings. Tools>Internet Options>Security tab, click "Reset all zones to default", then select the Trusted Sites Icon, "Sites" button... you may already have https://www.microsoft.com in your list.

    1. Replace https://www.microsoft.com with *.Microsoft.com

    2. Add *.live.com and *.microsoftonline.com and *.microsoftonline-p.com .

    3. (optional) uncheck the option to "Require server verification (https) for all sites in this zone".

    Save changes.

    To enable troubleshooting blocked content and security warnings in IE go Tools>Internet Options>Advanced tab, check "Always record developer console messages". Save changes....

    If content is missing from a page you navigate to, press f12 to display the IE dev tool... warnings and errors for blocked content and security and xss warnings will now be listed in the dev tools' Console tab.

    ... are you sure you want to use another web browser on a server version of windows?

    Regards.


    Rob^_^


    Thursday, June 1, 2017 4:05 AM
  • Hi.

    First of all, thanks for the reply!

    I performed the steps in your post. This is the output from the Console: (It's not on the compatibility list in IE..?)

    DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
    login.microsoftonline.com
    HTML1300: Navigation occurred.
    login.microsoftonline.com
    HTML1200: microsoftonline.com is on the Internet Explorer Compatibility View List ('C:\Users\joabirsys\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml').
    login.microsoftonline.com
    SCRIPT5022: Failed to load external resource ['https://secure.aadcdn.microsoftonline-p.com/ests/2.1.6018.18/content/cdnbundles/jquery.1.11.min.js']
    login.microsoftonline.com (23,3725)
    SCRIPT5022: Failed to load external resource ['https://secure.aadcdn.microsoftonline-p.com/ests/2.1.6018.18/content/cdnbundles/aad.login.min.js']
    login.microsoftonline.com (23,3725)
    SCRIPT5022: Failed to load external resource ['https://secure.aadcdn.microsoftonline-p.com/ests/2.1.6018.18/content/cdnbundles/login.min.css']
    login.microsoftonline.com (23,3725)

    This is what the page looks like:

    

    We are using this more as a workstation than anything else. We don't have any services running from it, only management tools, hence the use of third-party browsers.

    From my troubleshooting it must have something to do with the encryption settings related to secure.aadcdn.microsoftonline-p.com. Since I can reach the script using http and I get TLS setting error when I disable TLS1.0 I think I have confirmed that IE can reach the server, I just don't get why it's not loading the script. It works on other servers and on our normal clients.

    Regards
    Joakim


    • Edited by JBir Thursday, June 1, 2017 6:18 AM Additional info
    Thursday, June 1, 2017 6:17 AM
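
Added example, not part of the original thread: the post above reasons that the fault lies in the TLS settings used toward secure.aadcdn.microsoftonline-p.com. This PowerShell sketch offers one protocol version at a time to the two hosts named in the thread and reports which handshakes complete on the affected machine; port 443, the timeout and the function name `Test-TlsProtocol` are assumptions.

```powershell
# Added example (not from the thread). Host names are the ones quoted in the posts;
# port 443 and the 5-second timeout are assumptions.
$targets   = 'login.microsoftonline.com', 'secure.aadcdn.microsoftonline-p.com'
$protocols = 'Tls', 'Tls11', 'Tls12'

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )
    $row = [ordered]@{ Host = $HostName; Protocol = $Protocol; Ok = $false; Detail = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Plain TCP connect first, so a DNS or firewall failure is reported as such.
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'TCP connect timed out' }
        $client.EndConnect($pending)

        # SslStream hands the handshake to SChannel, the same Windows TLS stack IE uses.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            # Offer exactly one protocol version; revocation checking is off to isolate the handshake.
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            $row.Ok = $true
            $row.Detail = '{0} / {1}' -f $ssl.CipherAlgorithm, $ssl.RemoteCertificate.Subject
        } finally { $ssl.Dispose() }
    } catch {
        # Handshake alerts, certificate validation errors and timeouts all land here.
        $row.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$row
}

$results = foreach ($t in $targets) {
    foreach ($p in $protocols) { Test-TlsProtocol -HostName $t -Protocol $p }
}
$results | Format-Table -AutoSize -Wrap
```

Running the same script on a machine where the sign-in page loads gives a baseline; a row that fails only on the affected server points at that machine's SChannel configuration, certificate store or network path rather than at IE zone settings.
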
  • Hi, I have no problems, but the jquery version is different, indicating that your xml compatibility list is different.

    In an IE tab, type

    about:compat

    and filter for "microsoftonline" (no quotes)

    I expect that your listing will be different to mine.

    login.microsoftonline.com Compatibility List 11 1 attribute false
    login.microsoftonline.com Compatibility List 11
    • Override X-UA-Compatible Meta tag: false
    false
    microsoftonline.com Compatibility List 7 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)

    -----------------------------------------------------------------------------------------------------------

    using Windows Explorer open the folder %userprofile%\AppData\Local\Microsoft\Internet Explorer\IECompatData\

    and find the timestamp of iecompatdata.xml - it should be dated the last time that you started IE.

    If it has a stale timestamp, then something in your server's configuration is preventing it from being updated..... or possibly you are running Enterprise Site Mode Lists that are overriding the iecompatdata.xml settings... that will be evident in the output from your about:compat tool..

    you could try Tools>Compatibility view list settings>uncheck "Include updated website lists from Microsoft".

    Regards.


    Rob^_^

    Thursday, June 1, 2017 11:10 PM
  • Hi.

    Interesting!

    The iecompatdata.xml is 274kb but when I go to about:compat it's completely empty.

    I have restarted the browser, unticked the Microsoft Compatibility lists and restarted it again. The timestamp on the file stays the same, but it's at 2017-05-31 so it's not very old.

    The line "HTML1200: microsoftonline.com is on the Internet Explorer Compatibility View List ('C:\Users\joabirsys\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml')." disappears when Microsoft Compatibility lists is unticked.

    The end result is the same though. 

    Friday, June 2, 2017 1:34 PM
  • Hi,

    about:compat (there are check boxes on the rhs to filter the list by source... screen shot below)

    Do you have all of the options as I do? viz: Enterprise site lists (local) and Enterprise site lists... Do you use the machine to maintain your Enterprise site lists? (you will have entries in the local Enterprise site list that are not also in the Enterprise site list....

    but,

    since your iecompatdata file is current an out of date list is not the problem. (unless you have entries in your enterprise lists)

    Q. Does the issue go away if you use InPrivate or NoAddons mode IE? (Start>run>iexplore.exe -extoff [url])

    Q. Do you have the same issues on a windows client?

    (it's easy to set up a remote desktop connection to your server, or you could use a VM on your desktop for 'experiments'... honestly windows server has enhanced security for a reason... using it for casual surfing or email attachments opens the weakest link attack vector (the nut that holds the keyboard))

    another guess from me... possibly you have turned off native XMLHTTP support.... Tools>Internet Options>Advanced tab, security section enable "Native XMLHTTP support". Save changes.


    Rob^_^

    Friday, June 2, 2017 8:42 PM
  • other..... which software have you recently installed/uninstalled.... I recreated the issue when I uninstalled a cloud anti-virus product, to fix the issue reboot the machine for the full uninstall changes to take effect.

    Regards.


    Rob^_^

    Sunday, June 4, 2017 2:24 AM
  • Hi.

    I have been occupied lately and not had time to look at this and reply.

    Yes, I have the checkboxes on the right. All are checked.
    No difference with InPrivate or running without extensions.
    Other computers work properly, it's just this one I have issues on.

    I'm not sure, but I did actually upgrade a few powershell tools (Sharepoint Online and perhaps a few more) now that you mention it.

    I'll try to uninstall/reinstall them and see what happens.

    Thank you very much for your time and patience! :)

    Thursday, June 8, 2017 2:12 PM
  • Ok, I tried uninstalling the powershell modules I suspected but it made no difference, I reset IE to default again and restarted and still no difference. Lastly I tried to reinstall the modules again but still no difference.

    Thursday, June 8, 2017 2:40 PM
  • Hi JB,

    by design, (with the default IE settings, no domains mapped to the trusted sites list, letting internet web sites like microsoftonline.com map to the IE internet zone) microsoftonline.com should 'just work'....

    As mentioned server versions of windows run IE in an Enhanced security mode (the IE security zone settings and Advanced tab settings are elevated to a higher level).... servers are meant to be secured from the internet to prevent infections propagating to other nodes on your company network. Sites that accept internet connections from the public like microsoftonline.com are designed to be usable on windows clients with IE's default security zone and Advanced tab settings... 

    As a workaround, and without compromising the server's integrity, you could mount a client version of windows as a VM on your server.... I highly recommend that you do not alter the default IE security zone settings on the server version of IE...

    As this is only occurring on your server version of windows and IE... is suggestive that the easiest fix is "Don't do that" (joke: patient: Doctor, my arm hurts when I lift it above my head. doctor: Don't do that!)

    try

    1. User credential validation should be handled automatically by the web site..... navigate to https://microsoftonline.com not https://login.microsoftonline.com...

    Q: how are you navigating to microsoftonline.com? clicking a favorite .url file? clicking a pinned sites menu option (.website file)? clicking a desktop .lnk (link) file?

    you may like to test for host file redirects by opening a command prompt and comparing the tracert to https://microsoftonline.com and https://login.microsoftonline.com

    Confirm that microsoftonline.com is indeed mapped to the Internet Zone... File>Properties menu in IE will tell you the mapped zone for the current web page domain.

    <aside> As I see it, somehow  microsoftonline is serving up the wrong versions of jquery... from my research the "SCRIPT5022: Failed to load external resource" errors could be caused by Native XMLHTTP support being turned off (Advanced tab of Internet Options) and/or the Office/Legacy XMLHTTP ActiveX control is also disabled... check that they have not disabled the control or that they are not using IE's ActiveX filtering for that domain...

    a> Internet Options>Advanced tab, check "Enable Native XMLHTTP support"

    b> Tools>Manage Addons>Show All Addons>Microsoft software section... locate the Microsoft XML DOM document activeX control in the list and double click it to show its properties sheet.

    Make sure it is enabled and that it is allowed to run on all web sites (normally, when Native support for XMLHTTP is enabled this activeX control is never invoked, you would usually only allow this control to run on legacy intranet sites that are using IE8 or lower emulation modes)...

    Lastly, this is a wild guess... I noticed from your screenshot that the site is displayed in German.... where is the server located? (Germany, Austria, Belgium?). Are you expecting the content-language to be German? It could be that your profile at microsoftonline.com is using the wrong location and language settings. Logon using a windows client machine and confirm the settings for location and language. Naturally server versions of IE do not expose any geo-data by default.

    The bottom line is that server versions of IE are not designed for use with internet sites... you should put a windows client machine running a pro or enterprise version of windows on your desktop and access your server with remote desktop... lock it up in a cupboard and remove the screen and keyboard.... the weakest security link is physical access by a loose keyboard nut . What could happen if your office was compromised out of hours?

    Regards.


    Rob^_^

    Thursday, June 8, 2017 9:32 PM
  • Hi.

    First I'd like to clarify some things about the environment. This server is a VM that we use for admin purposes (ADUC, Exchange management etc.) where we normally use privileged accounts. We don't use this server for any kind of browsing except for Office365 admin. It is shared by our IT-personnel, no others. We use this model to not log on to our desktops with admin-accounts.

    The reason I need IE to work is simply to be able to connect powershell to MS Online services.

    Our desktops and laptops run Windows 10 enterprise editions, and we use regular user accounts to log on to them.

    After my last session I do have a list of trusted sites:

    I don't use any shortcuts. I type either portal.office.com or login.microsoftonline.com in the address bar.

    could not do this: "navigate to https://microsoftonline.com not https://login.microsoftonline.com..."
    This page can’t be displayed

    The language is actually Swedish, which is correct for me :)

    I hope I managed to answer all questions.
    • Edited by JBir Friday, June 9, 2017 2:39 PM
    Friday, June 9, 2017 2:39 PM
  • Hi,

    your screen shot shows that your chrome browser has set itself as your default web browser.

    Type: Chrome HTML Document

    <sic>Are you sure you want to run other browsers on server versions of windows?</sic>

    open a blank page in IE11.... f12>Console tab, type navigator.userAgent in the console... post back with the results.... (your IE userAgent string).... does it have duplicate MSIE tokens?

    mmm... you're missing updates on your vm... you need to run windows updates....is your license still current?


    Rob^_^


    Sunday, June 11, 2017 6:28 AM
  • Hi.

    The user agent is: "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko"
    (Same as on my Win10 laptop)

    I tried setting the default browser back to IE, but it didn't change anything.

    I also tried removing the microsoftonline.com-sites from trusted sites, just to reflect your settings (Internet zone), that didn't change anything either.

    And yes, I'm sure I want to run Chrome on this VM. Think of it more as a workstation rather than a server. We use RSAT and other admin tools, we don't run any services or other normal server tasks.

    Monday, June 12, 2017 6:37 AM
  • Hi,

    Your IE userAgent is fine, that rules out one of my guesses...

    Server use.... OK.... understood... the point is IE on server versions of windows runs IE in an Elevated Security Level.... The machine certificates are different. Accessing microsoftonline.com from a windows client you have no problems. I would suggest that you use a windows client to access microsoftonline.com... You can use powershell from an elevated command prompt just as well. If you are trying to automate a task on msonline, I would guess that the site has been crafted to prevent that. The landing page is https://microsoftonline.com not https://login.microsoftonline.com... since you cannot access https://microsoftonline.com from the server I would guess that is the real cause.. You could make further tests using a production server with IE instead of a VM.

    Your properties dialog shows that you have successfully set IE back to the default web browser... (the big issue with Chrome's hijacking is that it also changes file associations in the registry, making itself the default handler for a host of file types. To prevent it re-occurring you should install a portable version of Chrome. See chrome://settings uncheck the option to "always check if Chrome is the default." otherwise it will reset itself each and every time you start it.)

    Regards.



    Rob^_^

    Monday, June 12, 2017 8:35 PM
  • Thanks for your input.

    I just realized that I may have forgotten to mention a small but not insignificant piece of information.
    This did work on this machine earlier. This makes it very frustrating.

    Tuesday, June 13, 2017 1:21 PM
  • I'm also having this problem.  Same exact problem.  VM won't log into one drive.
    Tuesday, August 15, 2017 5:38 PM
  • I'm also having this problem.  Same exact problem.  VM won't log into one drive.

    I'm having the same issue in Edge, IE, Firefox and Chrome--unless I enable a VPN--same browsers, same connection. Just passing traffic through a VPN plugin makes the difference.

    Sharon Peralta

    Thursday, September 7, 2017 3:15 PM
  • If you are still facing such problem, go and open it into any proxy site such as kproxy.com, proxysite.com, secureproxysite.com, etc.

    Hope it will help..!!

    Regards

    Mukesh Chandra

    ******************************************************************************************

    Plz remember to mark the reply as answer if it helps,


    A VPN accomplishes much the same thing as noted. The question is why is it necessary and what does it accomplish from Microsoft's perspective of serving the login page or accepting credentials?


    Sharon Peralta

    Friday, September 8, 2017 11:34 AM
  • I had the same problem but none of these solutions worked. I was able to finally get it to work by adding *.msftauth.net to my Trusted Sites list along with the others listed above.
    Friday, December 20, 2019 10:54 PM
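
Added example, not part of the original thread: several replies turn on which domains are mapped to the Trusted Sites zone, and the last one adds *.msftauth.net to that list. This PowerShell sketch reads the current user's IE zone mappings from the registry and reports, for each domain named in the thread, whether a Trusted Sites entry covers it; the function name `Get-ZoneMapEntry` is an assumption.

```powershell
# Added example (not from the thread). Domain names are those mentioned in the posts.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$wanted  = 'microsoft.com', 'live.com', 'microsoftonline.com', 'microsoftonline-p.com', 'msftauth.net'
$zones   = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-ZoneMapEntry {
    # Domains is the normal list; EscDomains is used while IE Enhanced Security Configuration is on.
    foreach ($list in 'Domains', 'EscDomains') {
        $root = Join-Path $zoneMap $list
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -Recurse) {
            # Key path "microsoftonline.com\login" means host login.microsoftonline.com.
            $parts = ($key.Name -split '\\ZoneMap\\(?:Esc)?Domains\\', 2)[1] -split '\\'
            [array]::Reverse($parts)
            foreach ($scheme in $key.GetValueNames()) {
                if (-not $scheme) { continue }   # skip the unnamed default value
                $zone = $key.GetValue($scheme)
                [pscustomobject]@{
                    List   = $list
                    Host   = $parts -join '.'
                    Scheme = $scheme              # "*" = any scheme, "https" = HTTPS only
                    Zone   = if ($zones.ContainsKey([int]$zone)) { $zones[[int]$zone] } else { $zone }
                }
            }
        }
    }
}

$entries = @(Get-ZoneMapEntry)
foreach ($d in $wanted) {
    # A mapping on the domain itself or on any of its subdomains counts as coverage.
    $hit = $entries | Where-Object {
        $_.Zone -eq 'Trusted Sites' -and ($_.Host -eq $d -or $_.Host -like "*.$d")
    }
    [pscustomobject]@{
        Domain  = $d
        Trusted = [bool]$hit
        Entries = ($hit | ForEach-Object { '{0}://{1} [{2}]' -f $_.Scheme, $_.Host, $_.List }) -join '; '
    }
}
```

Only the per-user lists are read; zone assignments pushed by Group Policy are stored elsewhere and are not covered here.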