Single Sign-on not working correctly

    Question

  • We have set up SSO for our domain, but we are still getting prompted for login credentials. When logging in to portal.microsoftonline.com we type our email, then the password box is greyed out and we're prompted to click 'sign in at fs.dmainc.com'. When I click on this, if I'm on my desktop (Win 7), I usually get right in. But if I'm on my laptop (also Win 7), I get prompted to put in my user name (domain\username) and password before being let in. I thought with SSO we would only have to use a domain computer and then we would be automatically signed into O365. I have them both connected to the network (wired), and I have several test machines that do the same as my laptop (both XP and 7, laptops and desktops). I also have users who are having the same prompts. However, Lync starts up and signs in just fine, and once I sign in for the day I can close and open as many windows as I want (as long as I don't select log off).

    Mike in IT

    Monday, July 16, 2012 7:40 PM

All replies

  • Anybody out there have any ideas?

    Mike in IT

    Wednesday, July 18, 2012 5:41 PM
  • Come on guys, it's been a week, surely someone has seen this before!

    Mike in IT

    Monday, July 23, 2012 12:38 PM
  • Mike,

    2 things need to be performed in order to have no login prompt:
    1. The machine has to be logged into the network and be able to communicate with the DC (this is how ADFS uses your logged-in creds instead of having to type them into the ADFS proxy)
    2. You must have *.microsoftonline.com and *.live.com, as well as the URL for the ADFS server (usually you can simply have *.domain.com) in the INTRANET sites in IE.  The Intranet sites location is key to allowing windows authentication credentials to be passed to a website, otherwise you will always get prompts even for internal websites.

    The way to tell what you are connecting to (by default):
    - If you are getting a login pop-up, you are hitting the ADFS server directly and simply need to add the sites to the Intranet sites in IE
    - If you are being directed to a webpage that requires you to input credentials via Forms-Based Authentication (FBA), then you are being directed to the ADFS Proxy
      - This is usually done when accessing from external to your network (or more specifically, without logging into the local AD/domain)

    Please contact me directly if this has not been resolved as I understand this can be a critical issue for any customer.

    Have a great day,

    Dan


    http://insecurityinc.info

    Wednesday, August 01, 2012 9:56 PM
  • I will have to test this out. For point 1, I'm testing this on the network, so they are able to communicate with the DC. For point 2 I'll have to have my manager do this; he's not in the office today and I'll be on vacation for the next week and a half, so it might be a while before I get back to you. I will be back and let you know how it goes in 2 weeks.

    Mike in IT

    Thursday, August 02, 2012 12:48 PM
  • Hi Dan,

    I have the same issue and have performed the steps you mentioned above. My issue is still not resolved. Is there anything else you would recommend on this? Thanks.

    Regards

    ImBharat


    MCSE Certified

    Thursday, November 08, 2012 6:16 PM
  • Hi Dan,

    I am facing this issue in my application: the single sign-on (SSO) which is working perfectly on a Windows 7 machine. When we upgrade the system to Windows 10, the application prompts for username and password. In Fiddler I have monitored that dfsvc did not send the URL for the authentication. It's a highly critical issue for my client's concern. Are there any security settings blocking this on Windows 10? I have checked the intranet settings for IE and some changes on GPO, but it didn't work out. Please give some suggestions on it.

    Thanks,
    Boopathi

    Monday, February 26, 2018 12:24 PM
  • My seamless sign-on was not working even after having set it up correctly. What I found was a simple registry key due to which IE was unable to work with seamless sign-on.

    Earlier I had pushed the "https://autologon.microsoftazuread-sso.com" URL via a registry entry into the intranet zone of IE. Although I was able to see this site in the intranet zone on client systems, it was not recognized by IE as an intranet site.
    Then I tried pushing the same URL in a different format, which worked for me.
    The registry entry is pushed into the "HKEY Current User" hive, where a subkey named "microsoftazuread-sso.com" under ZoneMap > Domains of the IE settings needs to be created, and then an additional key called "autologon" is added with a DWORD32 having value "https". Below is the exact key.
    "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon"
    Note: Seamless sign-on works perfectly if you use the "Site to Zone Assignment" GP mentioned in the Microsoft document, but having this policy in place locks users out from adding any site to the intranet zone or trusted sites zone. If you use registry entries, it doesn't lock out that section, but you need to enter URLs in the format given above to make it work perfectly.

    I spent a whole week finding this exact issue with seamless sign-on. Hope this helps someone else.
    Wednesday, April 04, 2018 7:24 AM
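As an added example (not code from any poster in this thread), the PowerShell script below covers both Dan's list of sites that must sit in IE's Local intranet zone and the per-user ZoneMap registry layout described in the last reply: it writes the mappings under HKCU and reads each one back to confirm it took. It assumes the standard ZoneMap convention, in which the DWORD under a domain (or host) subkey is named after the URL scheme and holds the zone number (1 = Local intranet), and uses fs.example.com as a placeholder for the ADFS host.

```powershell
# Added example: per-user IE Local intranet zone mappings for Windows-auth SSO.
# Writing to HKCU (not the "Site to Zone Assignment" policy key) avoids the
# lockout of the zone UI that the last reply mentions.
$ZoneMap       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$LocalIntranet = 1   # zone number for Local intranet (assumed standard ZoneMap layout)

# HostLabel = $null maps the whole domain (equivalent to *.domain in the IE UI).
# fs.example.com stands in for the ADFS host; replace with your federation server.
$Entries = @(
    @{ Domain = 'microsoftonline.com';      HostLabel = $null;       Scheme = 'https' },
    @{ Domain = 'live.com';                 HostLabel = $null;       Scheme = 'https' },
    @{ Domain = 'example.com';              HostLabel = 'fs';        Scheme = 'https' },
    @{ Domain = 'microsoftazuread-sso.com'; HostLabel = 'autologon'; Scheme = 'https' }
)

function Add-IntranetZoneMapping {
    param([string]$Domain, [string]$HostLabel, [string]$Scheme = 'https')
    # Domains\<domain>[\<host>] with a DWORD named after the scheme = zone number.
    $key = Join-Path $ZoneMap $Domain
    if ($HostLabel) { $key = Join-Path $key $HostLabel }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord `
        -Value $LocalIntranet -Force | Out-Null
    return $key
}

function Test-IntranetZoneMapping {
    param([string]$Key, [string]$Scheme = 'https')
    # Read back: the mapping only works if the scheme value exists and is zone 1.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.$Scheme -eq $LocalIntranet)
}

foreach ($e in $Entries) {
    $key = Add-IntranetZoneMapping -Domain $e.Domain -HostLabel $e.HostLabel -Scheme $e.Scheme
    $ok  = Test-IntranetZoneMapping -Key $key -Scheme $e.Scheme
    '{0,-6} {1}' -f $(if ($ok) { 'OK' } else { 'FAILED' }), $key
}
```

After running it, re-open IE (the zone map is read at browser start) and repeat Dan's check: a login pop-up means the host still is not treated as intranet, while a forms page means you are reaching the ADFS proxy rather than the internal ADFS server.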