Error 80048163 when a federated user tries to sign in to Microsoft 365, Azure, or Intune

Problem

When a federated user tries to sign in to a Microsoft cloud service such as Microsoft 365, Microsoft Azure, or Microsoft Intune from a sign-in webpage whose URL starts with https://login.microsoftonline.com, authentication for that user is unsuccessful. The user gets the following error message:

Sorry, but we're having trouble signing you in

Please try again in a few minutes. If this doesn't work, you might want to contact your admin and report the following error:
80048163

Cause

This issue may occur if one of the following conditions is true:

  • A user's UPN was updated, but the old sign-in information is still cached on the Active Directory Federation Services (AD FS) server. When the user's SAM account name changes, the stale cached information can cause sign-in failures the next time that the user tries to access the service.
  • The claims that are set up in the relying party trust with Microsoft Entra ID return unexpected data. This behavior typically occurs when the claim rules that are associated with the relying party trust were manually edited or removed.

Solution

Resolution 1: Disable Local Security Authority (LSA) credential caching on the AD FS server

You can set the LSA lookup cache size on the AD FS server to 0 so that name and SID lookups are no longer cached and every lookup goes to Active Directory. Use this method with caution: it adds load to the AD FS server and to the domain controllers.

Important

This method contains steps that tell you how to modify the registry. Serious problems might occur if you modify the registry incorrectly, so follow these steps carefully. For added protection, back up the registry before you modify it so that you can restore it if a problem occurs. For more information, see the Microsoft article How to back up and restore the registry in Windows.

To resolve this issue, follow these steps:

  1. Make sure that the changes to the user's UPN are synced through directory synchronization.

  2. Direct the user to log off the computer and then log on again.

  3. If steps 1 and 2 don't resolve the issue, follow these steps:

    1. Open Registry Editor, and then locate the following subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    2. Right-click Lsa, click New, and then click DWORD Value.

    3. Type LsaLookupCacheMaxSize, and then press ENTER to name the new value.

    4. Right-click LsaLookupCacheMaxSize, and then click Modify.

    5. In the Value data box, type 0, and then click OK.

    6. Exit Registry Editor.

Setting LsaLookupCacheMaxSize to 0 can slow down sign-in, and the setting isn't needed after the symptoms subside. Use this method only temporarily, and delete the LsaLookupCacheMaxSize value after the issue is resolved so that the default cache size applies again. To do this, follow these steps:

  1. Open Registry Editor, and then locate the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  2. Right-click LsaLookupCacheMaxSize, and then click Delete.

  3. Exit Registry Editor.
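The following PowerShell script is an added example and is not part of the original Microsoft article. It performs the same procedure as the two registry-editing lists above from an elevated prompt on the AD FS server: it exports a backup of the Lsa key before touching it, creates LsaLookupCacheMaxSize as a DWORD with value 0, and can delete the value again once the symptoms are gone. The backup location under the system drive is an assumption; adjust it to your own conventions.

```powershell
# Added example, not code from the original article.
# Usage (elevated PowerShell on the AD FS server):
#   .\Set-LsaLookupCache.ps1 -Action Status    # show whether the value exists
#   .\Set-LsaLookupCache.ps1 -Action Disable   # back up the Lsa key, then set value to 0
#   .\Set-LsaLookupCache.ps1 -Action Restore   # delete the value so the default applies
param(
    [ValidateSet('Status', 'Disable', 'Restore')]
    [string]$Action = 'Status'
)

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LsaLookupCacheMaxSize'
# Assumed backup path; change to wherever you keep registry exports.
$Backup    = Join-Path $env:SystemDrive ("Temp\Lsa-backup-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Get-LsaLookupCacheStatus {
    # Returns a description of the current state of LsaLookupCacheMaxSize.
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'not present (default cache size in effect)' }
    return "present, value = $($prop.$ValueName)"
}

switch ($Action) {
    'Status' {
        "$ValueName is $(Get-LsaLookupCacheStatus)"
    }
    'Disable' {
        # Back up the whole Lsa key first, as the article recommends.
        New-Item -ItemType Directory -Path (Split-Path -Parent $Backup) -Force | Out-Null
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $Backup /y | Out-Null
        "Backup of the Lsa key written to $Backup"
        # DWORD 0 = no cached lookups; every name/SID lookup goes to Active Directory.
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
        "$ValueName is $(Get-LsaLookupCacheStatus)"
    }
    'Restore' {
        # Delete the value rather than setting it to another number so the default applies.
        Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
        "$ValueName is $(Get-LsaLookupCacheStatus)"
    }
}
```

Run the Status action after the Disable step to confirm the value was created, and again after Restore to confirm it's gone. Keep the exported .reg file until you have verified that the server is back to its default configuration.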

Resolution 2: Update the relying party trust with Microsoft Entra ID

To update the relying party trust, see the "How to update the configuration of the Microsoft 365 federated domain" section of the following Microsoft article:

How to update or repair the settings of a federated domain in Microsoft 365, Azure, or Intune
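Before you rebuild the trust, it helps to see what the existing claim rules actually issue. The following PowerShell check is an added example and is not part of the original Microsoft article. Run it on the primary AD FS server: it prints the issuance transform rules of the Microsoft Entra ID relying party trust and reports which of the claim types that federated sign-in depends on are no longer issued. The trust name is the default that the federation cmdlets create; the list of expected claim types is an assumption and should be adjusted to what your environment is supposed to issue.

```powershell
# Added example, not code from the original article.
# Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

# Default name of the relying party trust created for Microsoft 365 / Entra ID.
$TrustName = 'Microsoft Office 365 Identity Platform'

# Assumed list of claim types that the default rule set issues; adjust as needed.
$ExpectedClaims = @(
    'http://schemas.xmlsoap.org/claims/UPN',
    'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
)

function Test-EntraRelyingPartyClaims {
    $trust = Get-AdfsRelyingPartyTrust -Name $TrustName
    if ($null -eq $trust) {
        throw "Relying party trust '$TrustName' not found. List trusts with: Get-AdfsRelyingPartyTrust | Select-Object Name"
    }

    # IssuanceTransformRules is the full claim rule language text for the trust.
    $rules = $trust.IssuanceTransformRules
    "Issuance transform rules for '$TrustName':"
    $rules
    ''

    $missing = @()
    foreach ($claim in $ExpectedClaims) {
        # A rule issues a claim when its issue(...) statement names that claim Type.
        if ($rules -match [regex]::Escape($claim)) {
            "OK       $claim"
        } else {
            "MISSING  $claim"
            $missing += $claim
        }
    }

    if ($missing.Count -gt 0) {
        ''
        "One or more expected claim types are not issued; rebuild the trust as described in the linked article."
    }
}

Test-EntraRelyingPartyClaims
```

If the rule text is empty or any expected claim is reported as MISSING, the trust has been edited away from the default and Resolution 2 applies. If every claim is present but sign-in still fails, compare the rule text against a known-good export from another AD FS farm before changing anything.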

More information

Still need help? Go to Microsoft Community or the Microsoft Entra Forums website.