Requested Authentication Method is not supported on the STS. SFB

  • Question

  • Hi,

    We have on prem - Sfb 2015 all latest CU (including DEC 2017)
    ADFS - running Server 2016 (Forms auth is enabled for both internal and external + windows auth for internal)

    ADFS site is added to trusted sites in IE. 

    Added 'Mozilla/4.0' to WIASupportedUserAgents.

    Everything was working fine more or less, but since we have had problems where users are always prompted for credentials when authenticating via Azure AD, we decided to install all the latest Windows updates for Win Server 2016. After installing cumulative update KB4048953 (I know a newer CU came out tonight, but it doesn't solve the problem) we've started experiencing the following issue after typing in the SIP address:

    

    Below event from event viewer at ADFS server:

    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    OAuthAuthorizationProtocol 

    Relying Party: 
    https://external.pool.address/ 

    Exception details: 
    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.


    1/11 UPDATE: Apparently it was not specifically KB4048953 that broke the thing, since it was a clean W2016 deployment and at that time the described KB was the latest. So it was something before that in the updates.
    • Edited by Maksim Chakov Thursday, January 11, 2018 9:22 AM update
    Wednesday, December 13, 2017 4:06 PM
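
For triaging this error across several relying parties or AD FS servers, the following added example (not part of the original post) parses event messages in the layout quoted above and tallies them by MSIS code, protocol and relying party. The sample messages are constructed; the second one, with its inline label layout and relying party URL, is hypothetical.

```python
import re
from collections import Counter

# Constructed sample messages. The first copies the layout quoted in the post;
# the second (inline values, made-up relying party, no MSIS code) is hypothetical.
SAMPLE_EVENTS = [
    "Encountered error during federation passive request.\n\nAdditional Data\n\n"
    "Protocol Name:\nOAuthAuthorizationProtocol\n\n"
    "Relying Party:\nhttps://external.pool.address/\n\n"
    "Exception details:\n"
    "Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine."
    "InvalidAuthenticationTypePolicyException: MSIS7102: Requested "
    "Authentication Method is not supported on the STS.\n",
    "Encountered error during federation passive request.\n"
    "Protocol Name: OAuthAuthorizationProtocol\n"
    "Relying Party: https://internal.pool.example/\n"
    "Exception details: System.Exception: constructed error without a code\n",
]

LABEL = re.compile(r"^\s*(Protocol Name|Relying Party|Exception details):\s*(.*)$")
MSIS = re.compile(r"\b(MSIS\d+):\s*(.*)")

def parse_event(message):
    """Extract protocol, relying party, exception type and MSIS code."""
    fields, pending = {}, None
    for line in message.splitlines():
        m = LABEL.match(line)
        if m:                                   # label line, value inline or on next line
            pending = m.group(1)
            if m.group(2).strip():
                fields[pending], pending = m.group(2).strip(), None
        elif pending and line.strip():          # first non-blank line after a label
            fields[pending], pending = line.strip(), None
    details = fields.get("Exception details", "")
    code = MSIS.search(details)
    return {
        "protocol": fields.get("Protocol Name"),
        "relying_party": fields.get("Relying Party"),
        "exception_type": details.split(":", 1)[0].strip() or None,
        "msis_code": code.group(1) if code else None,
        "msis_text": code.group(2).strip() if code else None,
    }

def summarize(messages):
    """Count events per (MSIS code, protocol, relying party)."""
    events = map(parse_event, messages)
    return Counter((e["msis_code"], e["protocol"], e["relying_party"]) for e in events)
```
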

Answers

  • If anyone experiences anything similar: this is a problem with the SFB client itself, because it is using ADAL 1.0 but ADFS already expects 1.1.x. To resolve this, you should switch your Office updates to the Monthly (Current) Channel - https://support.microsoft.com/en-us/help/3185078/how-to-switch-from-deferred-channel-to-current-channel-for-the-office

    That's it.

    P.S. The Semi-annual (deferred) channel will receive the needed update in July 2018

    • Marked as answer by Maksim Chakov Thursday, March 15, 2018 7:50 PM
    Thursday, March 15, 2018 7:49 PM

All replies

  • We'll need the security event showing the actual requested method.

    You can also share a fiddler trace, and we'll see the flow...


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, December 20, 2017 2:58 PM
  • Does this issue only occur when using the SfB app?
    Does logon to portal.office.com work from the internal network?
    Have you enabled modern auth or something like that?

    Thursday, December 21, 2017 8:28 AM
  • We'll need the security event showing the actual requested method.

    You can also share a fiddler trace, and we'll see the flow...



    Hi Pierre,

    THIS is the URL to the Fiddler trace.

    In the event log on the ADFS server, under the "Security" tab, nothing appears at Skype login. Please advise if I'm missing something.

    Sunday, December 24, 2017 6:16 PM
  • Does this issue only occur when using the SfB app?
    Does logon to portal.office.com work from the internal network?
    Have you enabled modern auth or something like that?

    Hi Jorrk,

    Unfortunately, this ADFS server is only for SFB, so I can't tell for sure.

    Tried passive auth for sfb web apps. Same result. 

    Portal.office.com works fine (before server 2016 CU everything worked fine as well).

    Modern authentication is enabled for SFB on prem. ADFS is deployed in same network\domain. 

    Sunday, December 24, 2017 6:22 PM
  • Anything, please?
    Thursday, January 11, 2018 8:27 AM