Office 365 - Still requests username

  • Question

  • Hi,

    For the purpose of this my domain will be company.com.

    When trying to access https://portal.office.com from a domain joined machine I am presented with the Office 365 login page.

    If I type in a username and press Tab to type a password, it auto-validates before a password is entered and takes me to the Office Portal. It is worth pointing out that it does not matter what username I use (valid or not): so long as it is followed by @company.com, it signs into the Office Portal as the logged-in user.

    This to me confirms that ADFS is set up correctly. I have also tested it with the Microsoft Connectivity Analyser. All good.

    I have added *.company.com, *.portal.office.com, *.microsoftonline.com all to Zone 1 (Intranet) via GPO. I have also confirmed "Logon options" is set to "Automatic logon only in Intranet zone".

    I can only assume I must be missing a setting somewhere for this last step to eliminate the requirement for a domain joined PC\User having to type in a username.

    ADFS 3 (Server 2012 R2), Web Proxy (Server 2012 R2)

    Cheers,


    Zac Avramides

    Tuesday, May 3, 2016 5:46 AM

All replies

  • What do you mean by "request the user name"? You mean you are prompted with a pop-up? Or presented with the forms-based auth?

    1. Make sure your internal clients are resolving the IP address of your ADFS farm FQDN to the internal farm (so the actual servers, not the WAP).
    2. Make sure the user-agent strings of your internal clients are listed in the list of supported agent strings for WIA (so that SSO can take place).

    Note that only the FQDN of your ADFS farm has to be added to the Intranet zone. Not *.portal.office.com nor *.microsoftonline.com.

    Tell us if you need assistance on those two points.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, May 3, 2016 3:08 PM
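The two checks in the reply above, together with the zone assignment and "Logon options" settings from the question, as an added PowerShell example that is not part of the thread. It runs on the domain-joined client. The federation service name sts.company.com and the realm urn:federation:MicrosoftOnline are taken from the thread; the registry paths are the ones written by the "Site to Zone Assignment List" and per-zone "Logon options" policies, and the User-Agent strings used for the probes are constructed for the test.

```powershell
# Added example (not from the thread): check the client-side prerequisites for
# AD FS Windows Integrated Authentication from a domain-joined Windows PC.
# Assumes the federation service FQDN sts.company.com used in the thread.
$adfsFqdn   = 'sts.company.com'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Internal clients must resolve the farm name to the internal AD FS servers, not
#    to the Web Application Proxy: requests that arrive via the WAP get forms auth.
Resolve-DnsName -Name $adfsFqdn -Type A | Select-Object Name, IPAddress

# 2. Only the AD FS FQDN needs to be in the Intranet zone (zone 1). The
#    "Site to Zone Assignment List" GPO writes one value per site under ZoneMapKey.
$zoneMap  = Get-ItemProperty -Path "$policyRoot\ZoneMapKey" -ErrorAction SilentlyContinue
$assigned = @()
if ($zoneMap) {
    foreach ($p in $zoneMap.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $pattern = $p.Name -replace '^[a-z]+://', ''   # drop an explicit scheme if present
        if ($adfsFqdn -like $pattern) { $assigned += "$($p.Name) -> zone $($p.Value)" }
    }
}
if ($assigned) { $assigned } else { "WARNING: $adfsFqdn is not assigned to a zone by policy" }

# 3. "Logon options" for zone 1 is the DWORD 1A00: 0x00000 auto logon, 0x10000 prompt,
#    0x20000 auto logon only in Intranet zone, 0x30000 anonymous.
$logon = (Get-ItemProperty -Path "$policyRoot\Zones\1" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
switch ($logon) {
    0x00000 { 'Zone 1 logon: automatic logon with current user name and password' }
    0x10000 { 'WARNING: zone 1 logon prompts for credentials; WIA will not be silent' }
    0x20000 { 'Zone 1 logon: automatic logon only in Intranet zone' }
    0x30000 { 'WARNING: zone 1 logon is anonymous; WIA is disabled' }
    default { 'Zone 1 logon option not set by policy; check the user-level Internet Options' }
}

# 4. Ask the passive endpoint directly. A User-Agent listed in WIASupportedUserAgents
#    must get a 401 offering Negotiate; one that is not listed must get the forms page (200).
$ls   = "https://$adfsFqdn/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline"
$ieUa = 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko'  # IE11, matches "Trident/7.0"

try {
    $forms = Invoke-WebRequest -Uri $ls -UserAgent 'Diag/1.0' -UseBasicParsing   # constructed, unlisted UA
    "Non-WIA agent: HTTP $($forms.StatusCode) (forms page expected)"
} catch { "Non-WIA agent: request failed: $($_.Exception.Message)" }

try {
    Invoke-WebRequest -Uri $ls -UserAgent $ieUa -UseBasicParsing | Out-Null
    'WARNING: no 401 for a WIA user agent; the request hit the WAP or the agent is not listed'
} catch {
    $resp = $_.Exception.Response
    if ($resp) {
        "WIA agent: HTTP $([int]$resp.StatusCode), WWW-Authenticate: $($resp.Headers['WWW-Authenticate'])"
    } else { "WIA agent: request failed: $($_.Exception.Message)" }
}

# 5. Complete the handshake with the logged-on user's ticket. Success is a 200 whose body
#    is the auto-posting form that carries the token (wresult) back to Microsoft Online.
$sso = Invoke-WebRequest -Uri $ls -UserAgent $ieUa -UseDefaultCredentials -UseBasicParsing
"SSO: HTTP $($sso.StatusCode), token form present: $($sso.Content -match 'name=""wresult""')"
```

Step 4 is the one that separates the two failure modes: a 200 forms page for a listed agent means the request never reached a farm node with WIA enabled (DNS or WAP), while a 401 without a following successful step 5 points at the client's zone or logon settings.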
  • Hi Pierre,

    When I say "request the user name" I mean when I load https://portal.office.com I am redirected to https://login.microsoftonline.com/login.srf.......................... and presented with this page. Typing in a valid username as mentioned previously and then pressing Tab or clicking out of the username textbox will validate correctly and log in without a password being required.

    

    Yes sts.company.com resolves to the IP address of the ADFS Server not the proxy.

    I am unsure what you mean by point 2.

    Have tested in IE and Chrome. Both are showing the same.


    Zac Avramides

    Tuesday, May 3, 2016 10:19 PM
  • After some Googling I think you may be referring to the below.

    Get-AdfsProperties | select -ExpandProperty WIASupportedUserAgents

    MSIE 6.0
    MSIE 7.0
    MSIE 8.0
    MSIE 9.0
    MSIE 10.0
    Trident/7.0
    MSIPC
    Windows Rights Management Client
    Mozilla/5.0

    I had added in Mozilla the other day to cover Chrome, and as I understand it that also covers IE11.


    Zac Avramides

    Tuesday, May 3, 2016 10:55 PM
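Two things a practitioner should know about the list shown above. Set-AdfsProperties -WIASupportedUserAgents replaces the whole list rather than appending to it, and a bare "Mozilla/5.0" entry matches practically every modern browser on every platform, so any intranet client that cannot answer a Negotiate/NTLM challenge (non-Windows devices, browsers without Negotiate configured) gets a 401 instead of the forms page. The following is an added PowerShell example, not code from the thread, that keeps the default entries, drops the bare entry and adds the narrower "Mozilla/5.0 (Windows NT" string commonly used for Chrome on Windows. It assumes an AD FS 2012 R2 server with the ADFS module installed; the service restart at the end is a precaution for nodes that do not pick up the change on their own.

```powershell
# Added example (not from the thread): extend WIASupportedUserAgents on an AD FS 2012 R2
# server without clobbering the existing entries.
Import-Module ADFS

# Set-AdfsProperties -WIASupportedUserAgents replaces the entire list, so read it first.
$current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)

# Entries to add. "Mozilla/5.0 (Windows NT" matches Chrome and IE11 on Windows only;
# IE11 is in any case already matched by the default "Trident/7.0" entry.
$toAdd = @('Mozilla/5.0 (Windows NT')

# Entries to drop. A bare "Mozilla/5.0" matches almost any browser on any platform, so
# every intranet client that cannot complete Negotiate/NTLM is challenged instead of being
# sent to the forms page. Empty this list if that behaviour is intended.
$toDrop = @('Mozilla/5.0')

$merged = @($current | Where-Object { $toDrop -notcontains $_ })
foreach ($ua in $toAdd) {
    if ($merged -notcontains $ua) { $merged += $ua }
}

if (Compare-Object -ReferenceObject $current -DifferenceObject $merged) {
    Set-AdfsProperties -WIASupportedUserAgents $merged
    # The setting lives in the farm configuration database; restart the service on each
    # farm node (assumption: not always required) so the new list is applied immediately.
    Restart-Service -Name adfssrv
}

# Show the resulting list for the change record.
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
```

Chrome on Windows still needs the AD FS FQDN in the Intranet zone, as it honours the same zone settings as IE; this script only covers the server side.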
  • So you type your email in the login page, you get redirected to your ADFS server and you have to re-enter your email?

    Do you mind sharing the URL that you are redirected to once you have typed your email address? It should start with https://<URL of your ADFS farm>....



    Friday, May 6, 2016 7:20 PM
  • Once I type my email into the login page I am redirected to sts.company.com.au which authenticates with nothing else being typed. This then redirects me to the page I was trying to visit originally.

    Zac Avramides

    Sunday, May 8, 2016 10:21 PM
  • When you are redirected to your environment, you should be redirected to this page:

    https://<ADFS FQDN>/adfs/ls/?lc=1033&username=test%40piaudonn.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=<some context>

    Note the username hint in the URL, which enables your ADFS to pre-fill the username field with what you previously typed in the login.microsoftonline.com form. What do you see?



    Monday, May 9, 2016 1:54 AM
  • Yes that is correct.

    I am then within a few seconds redirected back to the original page I was trying to visit but now logged in.


    Zac Avramides

    Monday, May 9, 2016 1:59 AM
  • You can use the InPrivate mode of IE to ignore the cache and go through the full authentication process again.


    Wednesday, May 11, 2016 7:02 PM