SfB 2016 on Mac, blank authentication popup

  • Question

  • Hello,

    I am experiencing the following issue when trying to sign in to SfB Online from my Mac.

    This issue happens only on my Mac and not on my PC (same account).

    Build: 16.5.185

    As you can see below, I get a popup that should normally populate with my authentication page but this doesn't happen and all I get is a blank screen.

    Facts:
    Account is working on Safari
    Account is working on Skype for Business on PC
    Account is not MFA enabled
    Account is in AD/ADFS
    I tried using another test account from Microsoft support and it worked properly
    I also tried using this problematic account on Microsoft Lync 2011 on Mac and it worked

    So the issue is with my ADFS accounts and Skype for Business on the Mac.

    I have enabled ADAL on my O365 tenant and my Skype For Business Server as per below and I don't know if that would cause issues.

    https://support.office.com/en-us/article/Enable-Exchange-Online-for-modern-authentication-58018196-f918-49cd-8238-56f57f38d662

    https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx

    Also, according to this support matrix, ADAL is supported on Skype for Business for Mac

    https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/

    Microsoft just moved me to Lync and marked the issue resolved! I asked them why that is and they said that the Mac Skype for Business is new and could have issues...

    Any ideas?

    Thursday, April 13, 2017 7:24 PM

All replies

  • Hello,

    To fix your issue, I want to confirm the following:
    1. Does this issue occur for all other users in your Office 365 tenant?
    2. Does this issue occur with other accounts on your Mac?
    3. Can you sign in to your account with Skype for Business on Mac on another Mac?

    If this issue only occurs with your account and on your Mac, please:
    1. Check for Skype for Business updates (also Office updates), and upgrade to the latest version.
    2. If this issue still exists after the upgrade, try to remove it and re-install it.

    If you get any updates, please feel free to let me know, and also share your solution if it is fixed.

    Best Regards,

    Allen Wang



    • Proposed as answer by Allen_WangJF Tuesday, April 18, 2017 3:09 AM
    Friday, April 14, 2017 3:17 PM
  • I managed to fix this issue. The problem appears to be the S4B > ADFS 3.0 interaction when -wiasupporteduseragents includes Mozilla/5.0 as per below.

    Get-AdfsProperties | select -expand wiasupporteduseragents

    MSAuthHost/1.0/In-Domain
    MSIE 6.0
    MSIE 7.0
    MSIE 8.0
    MSIE 9.0
    MSIE 10.0
    Trident/7.0
    MSIPC
    Windows Rights Management Client
    Mozilla/5.0 <-----------this causes the problem
    Edge/12

    I removed this and restarted the ADFS service and I can now log in properly as I get the Forms authentication instead of the Integrated Windows authentication (which apparently is not supported on the Mac).

    --

    Alex

    Thursday, May 4, 2017 6:27 PM
  • Mozilla/5.0 <-----------this causes the problem

    Thanks for the info, this resolved the issue and got me on the right track.

    However, please note that removing the above line will BREAK Single Sign On for most browsers other than Internet Explorer.

    The issue here is multi-fold. Old documentation suggests adding "Mozilla/5.0" to your useragentstrings in ADFS to support Chrome and Firefox. However, that causes Mac clients and Android and iOS clients to also attempt single sign on, which will fail.

    Instead of removing "Mozilla/5.0", update it to be "Mozilla/5.0 (Windows NT".

    This will make sure that only Windows clients will attempt single sign on.

    Also see the following posts about more current settings to use in the UserAgentString:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia

    https://blog.msresource.net/2016/11/18/adfs-iwa-and-the-wiasupporteduseragents-property/

    I was able to use the above two links to get the following current list (only works on Server 2016 ADFS due to the regular expression):

    MSAuthHost/1.0/In-Domain
    MSIE 6.0
    MSIE 7.0; Windows NT
    MSIE 8.0
    MSIE 9.0
    MSIE 10.0; Windows NT 6
    Windows NT 6.3; Trident/7.0
    Windows NT 6.3; Win64; x64; Trident/7.0
    Windows NT 6.3; WOW64; Trident/7.0
    Windows NT 6.2; Trident/7.0
    Windows NT 6.2; Win64; x64; Trident/7.0
    Windows NT 6.2; WOW64; Trident/7.0
    Windows NT 6.1; Trident/7.0
    Windows NT 6.1; Win64; x64; Trident/7.0
    Windows NT 6.1; WOW64; Trident/7.0
    MSIPC
    Windows Rights Management Client
    =~Windows\s*NT.*Edge
    Mozilla/5.0 (Windows NT
    MS_WorkFoldersClient

    Using the following command:
    Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6", "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0", "Windows NT 6.3; WOW64; Trident/7.0", "Windows NT 6.2; Trident/7.0", "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0", "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0", "Windows NT 6.1; WOW64; Trident/7.0", "MSIPC", "Windows Rights Management Client","=~Windows\s*NT.*Edge", "Mozilla/5.0 (Windows NT", "MS_WorkFoldersClient")





    • Edited by Appleoddity Tuesday, August 22, 2017 6:44 PM
    • Proposed as answer by Appleoddity Tuesday, August 22, 2017 6:54 PM
    Tuesday, August 22, 2017 6:39 PM
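
Added example, not part of the thread and not Microsoft's code: an offline check of which clients each WIASupportedUserAgents list from the posts above would send to Windows Integrated Authentication instead of forms. The function name `Test-WiaUserAgent`, the matching rule (plain entries as case-sensitive substrings, `=~` entries as regular expressions) and the sample User-Agent strings are assumptions made for illustration.

```powershell
# Added example. Assumed matching rule: a plain entry matches when it is a
# substring of the User-Agent; an entry starting with "=~" is a regular expression.
function Test-WiaUserAgent {
    param(
        [Parameter(Mandatory)][string]   $UserAgent,
        [Parameter(Mandatory)][string[]] $SupportedAgents
    )
    foreach ($entry in $SupportedAgents) {
        if ($entry.StartsWith('=~')) {
            if ($UserAgent -cmatch $entry.Substring(2)) { return $entry }
        }
        elseif ($UserAgent.Contains($entry)) { return $entry }
    }
    return $null   # nothing matched: the client gets forms authentication
}

# List shown in the May 4 post, before "Mozilla/5.0" was removed.
$oldList = 'MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0',
    'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client',
    'Mozilla/5.0', 'Edge/12'

# List from the August 22 post.
$newList = 'MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0; Windows NT', 'MSIE 8.0',
    'MSIE 9.0', 'MSIE 10.0; Windows NT 6', 'Windows NT 6.3; Trident/7.0',
    'Windows NT 6.3; Win64; x64; Trident/7.0', 'Windows NT 6.3; WOW64; Trident/7.0',
    'Windows NT 6.2; Trident/7.0', 'Windows NT 6.2; Win64; x64; Trident/7.0',
    'Windows NT 6.2; WOW64; Trident/7.0', 'Windows NT 6.1; Trident/7.0',
    'Windows NT 6.1; Win64; x64; Trident/7.0', 'Windows NT 6.1; WOW64; Trident/7.0',
    'MSIPC', 'Windows Rights Management Client', '=~Windows\s*NT.*Edge',
    'Mozilla/5.0 (Windows NT', 'MS_WorkFoldersClient'

# Constructed sample User-Agent strings (shortened, not captured from real clients).
$samples = [ordered]@{
    'Chrome on Windows' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/60.0 Safari/537.36'
    'Mac web view'      = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30'
    'iPhone'            = 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30'
    'Android'           = 'Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 Chrome/60.0 Mobile Safari/537.36'
}

# One row per client: which entry (if any) triggers WIA under each list.
foreach ($name in $samples.Keys) {
    $old = Test-WiaUserAgent -UserAgent $samples[$name] -SupportedAgents $oldList
    $new = Test-WiaUserAgent -UserAgent $samples[$name] -SupportedAgents $newList
    [pscustomobject]@{
        Client  = $name
        OldList = if ($old) { "WIA via '$old'" } else { 'Forms' }
        NewList = if ($new) { "WIA via '$new'" } else { 'Forms' }
    }
}
```

To check a live farm's list the same way, pass the output of `Get-AdfsProperties | select -expand wiasupporteduseragents` as `-SupportedAgents`.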