Problem with ADFS authentication to Office 365 on Windows v1703 Creators Edition

  • Question

  • Hi,

    I am seeing an ADFS authentication error when running:

    ADFS 3.0 on Windows Server 2012

    Microsoft Office 365 ProPlus (version 1706 Build 8229.2103)

    Windows 10 Professional v1703 (15063.483)

    In Excel, if I Sign Out and attempt to Sign back in using my Office 365 account via Word or Excel, etc, I see:

    ADFS

    An error occurred

    The ADFS Server logs show:

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:

    wsfed

    Relying Party:

    urn:federation:MicrosoftOnline

     

    Exception details:

    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.

       at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean isOnWiaEndpoint, Boolean& validAuthMethodsInToken)

       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)

       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)

       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)

       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)

       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

     

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    This ONLY happens on a few computers running Windows 10 v1703.  All of the other computers running Windows 10 v1607 are fine.

    Any ideas?

    Cheers,

    Richard

    Thursday, July 27, 2017 5:52 AM

Answers

  • Had a similar issue. The support rep sent me this link and after testing no more problems! https://support.microsoft.com/en-gb/help/4025962/can-t-sign-in-after-update-to-office-2016-build-16-0-7967-on-windows-1
    Thursday, March 8, 2018 6:54 PM

All replies

  • I believe this to be a bug introduced in a recent version of Outlook. Basically, Outlook has switched from using the MSIE Trident engine to the Edge engine for ADFS prompts.

    Version 16.0.8201.2193 of Outlook uses the MSIE engine. When the request hits ADFS, it hits the Windows Integrated Authentication page: https://ibb.co/fvQ3mG

    But this is what happens with version 16.0.8431.2094. It hits a different URL, it asks for Password authentication, and appears to be using the Edge engine: https://ibb.co/bwmtmG

    I have found many suggestions on the web that say you should enable forms-based authentication. Of course, that defeats the entire purpose of having SSO. But, if on your ADFS server you enable forms-based authentication for testing, then Outlook will NOT show that error, and it will prompt you for username/password instead.

    I have a case open with Microsoft about this, and we shall see what they say. I am surprised we are not seeing more people experiencing this same issue, although I cannot imagine many people will be using Win10 1703 in an enterprise environment just yet. Meanwhile switching back to an older version of Outlook should get rid of the problem.

    Friday, October 6, 2017 4:27 PM
  • Richard;

    I'm interested as to whether you got anywhere with this as we have a similar issue. Namely:

    • Working Environment; From a Windows10 1511 endpoint running Office365ProPlus, for a user selecting <File>, <Account> and <Sign In> [from within, for example, WinWord]; the Office365ProPlus client successfully authenticates to Office365 by acquiring a token from our OnPremise ADFS server using WindowsIntegratedAuthentication [WIA] (utilises SingleSignOn [SSO]).
    • Non-Working Environment; From a Windows10 1703 endpoint running Office365ProPlus, for a user selecting <File>, <Account> and <Sign In> [from within, for example, WinWord]; the Office365ProPlus client fails to authenticate to Office365:

    Enabling FormsBasedAuthentication [FBA] on the IntraNet interface of our ADFS3_0 server will prevent the aforementioned error but that's effectively allowing ADFS3_0 to fall back to using FBA and thus isn't SSO; i.e. the user will be prompted for their on-premise password.

     

    We've spoken to PSS; the PSS Analyst assigned to the case was helpful and knowledgeable, but the case concluded with a statement that what we're seeing is anticipated behaviour (by design) for Windows10 1703.

     

    FWIW I’m able to confirm that SSO to Office365 web services such as SharePointOnline isn’t impacted; i.e. ADFS / WIA / SSO is working.

     

    I wondered whether other comparable environments displayed these symptoms or whether anybody has gotten this working.


    • Edited by LID Friday, October 6, 2017 4:39 PM
    Friday, October 6, 2017 4:38 PM
  • I am experiencing the same issue. Latest version of Office365 + Win1703 and SSO fails out as well. Same events logged in ADFS server as Davide. I will be opening a case on this, as this is not acceptable to be "working as intended". It worked for the past 2 years just fine, now we have other issues creeping up because of this. Enabling forms is not a preferred solution as we don't want users being prompted for credentials when it's not necessary.
    Thursday, October 26, 2017 8:39 PM
  • So I did some digging and it appears that what LID stated is true, and is intended behavior. However, there is a solution.

    Step 1: Do the two items at this link:

    How to troubleshoot sign-in issues with Office modern authentication when you use AD FS

    Step 2: Enable Modern Auth in Exchange Online if your tenant was created BEFORE August 1st, 2017:

    Exchange Online: How to enable your tenant for modern authentication

    Step 3: Enable Modern Auth for Skype Online (includes Teams) if your tenant was created BEFORE August 1st:

    Skype for Business Online: Enable your tenant for modern authentication

    After this SSO "should" work on domain joined workstations and the Office apps should SSO as well or provide a Forms based auth for ADFS for non domain joined devices including iOS and Android. You can also now enable MFA for your users.

    I would make sure the following sites are added to your trusted sites zone via GPO just in case:

    *.office.com

    *.office365.com

    *.live.com

    *.microsoftonline.com

    *.skype.com

    *.sharepoint.com

    Reference:

    Modern authentication behavior across Office 2013 and Office 2016

    Office Modern Auth & ADFS: Making it work


    • Proposed as answer by John Dooeh Friday, October 27, 2017 2:46 PM
    • Edited by John Dooeh Friday, October 27, 2017 2:56 PM
    Friday, October 27, 2017 2:41 PM
  • We are impacted by this issue as well. John's solution doesn't appear to help. We already have modern auth enabled on our tenant, and enabling the "/adfs/services/trust/13/windowstransport" endpoint doesn't seem to fix the problem. Windows 10 1703 in the Office 365 ProPlus Semi-Annual channel is still getting forms auth prompts rather than WIA SSO. All other OSes seem unaffected.

    If a Microsoft rep is on this forum, please relay this to management: making changes such as this without notification is completely unacceptable. Your support teams aren't even aware of the change based off my interaction with them about this issue. 
    Thursday, November 2, 2017 5:23 PM
  • I've opened a ticket with MS and they will be sending this issue to the Developers.  I will update this forum when I hear anything.
    Tuesday, December 12, 2017 7:32 PM
  • Hi ,

    Interested to know the answer from MS . pls let us know if you have received any .

    By the way, if Edge is being used then does adding WIASupportedUserAgents "Edge/12" as a supported agent in ADFS help?

    Friday, December 15, 2017 6:40 AM
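As an added example (not from the poster above or from Microsoft), this PowerShell shows how to inspect and extend the AD FS `WIASupportedUserAgents` list that the question refers to. It assumes the `ADFS` module on the AD FS server. The `Edge/12` token is the one the question names; whether it actually resolves the Office 1703 behaviour is not established anywhere in this thread, so treat the change as a test, and note that `Set-AdfsProperties -WIASupportedUserAgents` replaces the whole list, which is why the existing entries are re-supplied.

```powershell
# Added example (not from the thread). Inspect and extend the list of user
# agents AD FS will offer Windows Integrated Authentication to.
# Assumes the ADFS module on the AD FS server.
Import-Module ADFS

function Add-WiaUserAgent {
    param([Parameter(Mandatory)][string]$Token)

    # Read the current list; cast to array so a single entry still appends.
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)

    if ($current -contains $Token) {
        Write-Output "Already present: $Token"
        return $current
    }

    # The parameter replaces the entire list, so keep every existing entry.
    $updated = $current + $Token
    Set-AdfsProperties -WIASupportedUserAgents $updated
    Write-Output "Added: $Token"
    return $updated
}

# Before: show what is allowed today (defaults on AD FS 3.0 are MSIE/Trident
# strings, so an Edge-based client is not in the list unless someone added it).
Write-Output "Current WIASupportedUserAgents:"
(Get-AdfsProperties).WIASupportedUserAgents

# Add the token the question asks about.
Add-WiaUserAgent -Token 'Edge/12'
```

After changing the list, verify from an affected 1703 client whether the AD FS security log still records MSIS7102 for `urn:federation:MicrosoftOnline`; if it does, the user-agent list was not the deciding factor and the change can be reverted by setting the original array back with the same cmdlet.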
  • I have the ticket open with MS.  They have determined it is an issue and now has been sent on to the developers. Looks like this may be fixed in a hotfix or a new version release. 
    Thursday, January 18, 2018 1:07 PM
  • We're seeing the same issue here with Microsoft Office 365 ProPlus 1708 (8431.2153) on Windows 10 Enterprise 1709.  We have not seen the issue on Windows 10 1607.

    Being that 1607 goes end of life in March, we really need a solution to this issue as we will need to upgrade to 1709 soon.

    Monday, January 22, 2018 9:38 PM
  • Considering that 1708 has now been pushed to the Semi-Annual channel (formerly deferred), this issue is now impacting a wide group of our organization. We are considering holding off on ProPlus updates entirely considering this blatant lack of quality control (this issue has been present since 1708 was in the first release channel, and apparently was ignored). Office 365 support is in denial and is insisting it is an issue with our environment. The last tech wanted us to blow away our ADFS.

    Can someone from Microsoft chime in here and confirm this issue is being fixed?

    Wednesday, January 24, 2018 8:09 PM
  • I just got off the phone with MS and they are expecting a resolution by the end of this quarter, barring any issue with testing. Most likely the 1804 release. If there are issues with testing then the fix would be the end of the following quarter.

    • Proposed as answer by dabriggs Thursday, January 25, 2018 5:48 PM
    Thursday, January 25, 2018 5:26 PM
  • I've been fighting with this issue as well.  We only just got our Office 2016 updates working through SCCM and now the update is breaking the automatic activation!

    DanWare

    Monday, March 5, 2018 8:26 PM
  • I can confirm this as the 'answer'.  I also found that article and applied the registry change via GPO as a 'workaround'.

    It's not a 'fix' because it just disables modern authentication.  I read on another forum that MS was working on a real fix in a future release of Office. Maybe 1804?  I wonder if Pierre or another MS employee would care to confirm?


    DanWare

    Thursday, March 8, 2018 8:05 PM
  • I've been fighting with this same exact issue since the start of 2018. We are using SCCM to manage/deploy Office365. All computers have been set with a compliance to be Semi-Annual/Deferred channel.

    It seems right in January they started pushing 1708 alongside 1705 in the same channel. I've merely set in Group Policy to allow Office2016 to update to a specific version until this is resolved. To this point we did not have modern authentication enabled. In January that was the advice that Microsoft support gave us based off the error that 1708 produced.

    Recently we enabled modern auth and the issue continued on the 1708 unless you add the reg key.

    Many of our installs of Office365 have also been going to a state of "Unlicensed Product." A particular command can now be run to remove the expired license from the "belongs to" statement that will be in Office365. After that it re-activates correctly.

    I'm hoping modern auth will resolve some issues.

    Thursday, April 19, 2018 9:05 PM