Modern Auth – How It Works and What To Do When It Doesn’t! - PowerPoint Presentation

alexa-scheidler
Uploaded On 2018-10-04

Presentation Transcript

Slide 1

Modern Auth – How It Works and What To Do When It Doesn’t!

Tom Batcheler, Sr. Product Marketing Manager
Jonas Gunnemo, Sr. Escalation Engineer

BRK3215

Slide 2

Modern Authentication & ADAL

Slide 3

Modern Authentication

OAuth-based auth for Office clients against Office 365

Enables:
No more basic auth for Outlook!
Multi-factor authentication
Support for third-party STSes
Conditional access

Supported across platforms: iOS, OS X, Android, Windows

Slide 4

Modern Authentication

History: Twitter, Ma.gnolia, Google. "Secure delegated access". OAuth is an open standard; OAuth 2.0 dates from 2012.

Why do enterprises like it?
Authenticated against their own environment
No password sent to the cloud service (with federation the password is verified by the on-premises STS; the service only ever sees tokens)

Slide 5

Modern Authentication

Client Support

Platforms: Windows, Mac OS X, Windows Phone, iOS, Android

Office Clients (2013 & 2016)
(Office 2016 Mac Preview supports ADAL including Word, Excel, PowerPoint and OneNote)
(Available for phones; tablets coming soon)

Skype for Business
(In Preview) / Coming soon
(Not recommended for split domain configuration with Skype for Business Online and Skype for Business Server)

Outlook
Coming soon

OneDrive for Business
Coming soon

Legacy clients
There are no plans for Office 2010 or Office 2007 to support ADAL-based authentication.
There are no plans for Office for Mac 2011 to support ADAL-based authentication.
There are no plans for Office on Windows Phone 7 to support ADAL-based authentication.
There are no plans to enable older Outlook iOS clients.
There are no plans to enable older Outlook Android clients.

Slide 6

Modern Authentication - Microsoft

Microsoft Office 2013
Versions: MSI, C2R
Updates: Outlook, Word, Excel, PowerPoint, etc.
ADAL.dll (orgidcrl.msp): MSI, C2R

Office 2016
Versions: MSI, C2R
Channels: CC, FRDC, DC
Testing: Rings

https://blogs.technet.microsoft.com/office_sustained_engineering/

Slide 7

Microsoft Office 2013 - Updates

History
< 2007: Cumulative Updates (CU). Release cadence: Feb, April, June, Aug, Oct, Dec. Availability: Download Center and Microsoft Catalog
Public Updates (PU) / Security Updates. Availability: Microsoft Update, Download Center and Microsoft Catalog

Today
Public Updates. Release cadence: every month
Security Updates: Patch Tuesday. Availability: Microsoft Update, Download Center and Microsoft Catalog (MSI, C2R)
Non-security Updates: 1st Tuesday of the month. Availability: Download Center and Microsoft Catalog (MSI)

https://blogs.technet.microsoft.com/office_sustained_engineering/

Slide 8

Microsoft Office 2016 - Updates

MSI
What: Public Updates. Release cadence: every month. When: Patch Tuesday
What: Non-security Updates. Release cadence: every month. When: 1st Tuesday of the month

C2R
Update versions: Current Channel, First Release Deferred Channel, Deferred Channel
Testing: Rings

Slide 9

Microsoft Office 2016 - Rings

Our rollout plan: Developer/Feature Team → Team(s) → Microsoft → Insiders → Customers

(Slides 10 and 11 repeat this slide; slide 12 repeats slide 6.)

Slide 13

(Architecture diagram.) Exchange Online, Lync Online and SharePoint Online accept an Access Token. Windows Azure Active Directory (Identity Provider: EvoSTS; Directory) issues the Access and Refresh Tokens. The on-premises Authority (Identity Provider: AD FS or other; Directory) issues a SAML Token that is presented to Azure AD. On the client: MSO Authentication stack, HTTP transport stack, ADAL, Web Browser.

Password Prompt in Outlook – what caused it?

Slide 14

Stockholm – Frankfurt – Atlanta

Slide 15

Modern Authentication

Slide 16

Modern Auth (Federated Identities)

(Flow diagram. Participants: User, Outlook, SPO/EXO, EvoSTS, AD FS; EvoSTS and AD FS are linked by a federation trust.)
User → Outlook: open a link
Outlook → SPO/EXO: Open MBX (no token)
SPO/EXO → Outlook: 401: need token from [authURL]

Slide 17

Tokens

Airline Ticket / Boarding Pass (analogy)

Slide 18

Tokens

Refresh Token
UPN-specific
Longer lived: valid for 14 days, up to 90 days
Stored in Credential Store: MicrosoftOffice16_Data:ADAL:<GUID>

Access Token (Bearer)
Specific resource
Short lived: valid 1 hour
Stored in registry: HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Common\Identity\Identities\<GUID>_ADAL

User credentials/passwords are never cached! We only store tokens.

(Slides 19 to 21 build up this slide step by step.)

Slide 22

User experience

Users prompted more often?
When the refresh token is no longer valid
Admin policies can result in users needing to sign in again

Slide 23

Modern auth (Federated Identities)

(Diagram: User, Outlook, EXO, EvoSTS; EvoSTS and AD FS are linked by a federation trust.)

Slide 24

Azure AD federation compatibility list

aka.ms/SSOProviders
Azure Active Directory
Optimal IDM Virtual Identity Server Federation Services
PingFederate 6.11, 7.2, 8.x
Centrify
IBM Tivoli Federated Identity Manager 6.2.2
SecureAuth IdP 7.2.0
CA SiteMinder 12.52
RadiantOne CFS 3.0
Okta
OneLogin
NetIQ Access Manager 4.0.1
BIG-IP with Access Policy Manager, BIG-IP ver. 11.3x – 11.6x
VMware Workspace Portal version 2.1
Sign&go 5.3
IceWall Federation Version 3.0
CA Secure Cloud
Dell One Identity Cloud Access Manager v7.1
AuthAnvil Single Sign On 4.5

Slide 25

Multifactor Authentication?

(Flow diagram: modern auth with federated identities. Participants: User, Outlook, EXO, EvoSTS, AD FS; EvoSTS and AD FS are linked by a federation trust.)
1. User → Outlook: open a link
2. Outlook → EXO: Open MBX (no token)
3. EXO → Outlook: 401: need token from [authURL]
4. Outlook (browser control) → EvoSTS: GET [authURL] / 200: show login page
5. User enters username
6. EvoSTS → Outlook: 302: go to on-prem STS [authURL]
7. Outlook → AD FS: GET [on-prem authURL] / 200: show login page
8. User enters username/password; AD FS verifies username/password
9. AD FS → Outlook: 302: go to EvoSTS, with SAML token
10. Outlook → EvoSTS: POST [SAML Token]
11. EvoSTS → Outlook: 200: return access/refresh token; Outlook caches the refresh token
12. Outlook → EXO: Open MBX (access token)

Slide 26

Multifactor Authentication

User experience: frequency, sign-in
Factors: knows, has and is
Office 365 experience: phone, time

Slide 27

EvoSTS manages the MFA process

(Diagram: Windows Azure Active Directory, Identity Provider (EvoSTS), Directory, Multi-Factor Authentication.)

Slide 28

Modern auth (Federated Identities)

(Flow diagram from slide 25 repeated.)

Slide 29

Initial Connection

POST https://outlook.office365.com/mapi/emsmdb/?MailboxId=agd3482b1-d18e-4cae-952b-5ad875ase3e3bd@contoso.com HTTP/1.1
Content-Type: application/mapi-http
Accept: application/mapi-http
Authorization: Bearer
User-Agent: Microsoft Office/15.0 (Windows NT 6.3; Microsoft Outlook 15.0.4783; Pro)
Client-Request-Id: {5A866872-7E74-440E-88C9-48D30A6DBB41}
X-ClientApplication: Outlook/15.0.4783.1000
X-User-Identity: john.doe@contoso.com
X-RequestId: {8E871543-8042-420E-95F2-F170DF1D6E62}:1
X-RequestType: Connect
Host: outlook.office365.com

Note the empty Authorization: Bearer header: the client has no token yet, so the service answers with the 401 on the next slide.

Slide 30

(Slides 30 and 31 repeat the request above.)

Slide 32

Initial Response

HTTP/1.1 401 Unauthorized
request-id: f910d760-5a2f-4457-bade-5671824e8576
X-CalculatedBETarget: DM2PR06MB848.namprd06.prod.outlook.com
X-BackEndHttpStatus: 401
X-RequestId: {8E871543-8042-420E-95F2-F170DF1D6E62}:1
X-DiagInfo: DM2PR06CA9994
X-BEServer: DM2PR06CA9994
X-FEServer: SN2PR80CA033
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize",Basic Realm="",Basic Realm=""

Slide 33
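Added example (not part of the deck): a PowerShell parser for the WWW-Authenticate challenge above, so a trace reviewer can read off where the 401 is sending the client and whether Basic is still on offer next to Bearer. It assumes nothing beyond the header text shown on the slide; the function name, its output fields and the list of expected authority hosts are this example's own.

```powershell
# Added example, not from the session. Parses the challenge EXO returns on the 401
# (slide 32) into the pieces ADAL acts on: authority, client_id, trusted issuers.

function ConvertFrom-WwwAuthenticate {
    param([Parameter(Mandatory)][string]$HeaderValue)

    # One match per scheme: the scheme name followed by zero or more name="value" pairs.
    # The comma after the last Bearer pair is consumed by that pair, so "Basic Realm"
    # starts a new match instead of being read as a Bearer parameter.
    $pattern = '(?<scheme>Bearer|Basic)\s*(?<params>(?:\w+="[^"]*"\s*,?\s*)*)'
    $challenges = foreach ($m in [regex]::Matches($HeaderValue, $pattern)) {
        $params = @{}
        foreach ($p in [regex]::Matches($m.Groups['params'].Value, '(\w+)="([^"]*)"')) {
            $params[$p.Groups[1].Value] = $p.Groups[2].Value
        }
        [pscustomobject]@{ Scheme = $m.Groups['scheme'].Value; Params = $params }
    }

    $bearer = $challenges | Where-Object Scheme -eq 'Bearer' | Select-Object -First 1
    if (-not $bearer) { throw 'no Bearer challenge: the resource is not offering OAuth at all' }

    # ADAL's authority is the authorization endpoint without the /oauth2/authorize suffix
    # (the TCO log on slide 54 prints it as https://login.windows.net/common).
    $authUri   = $bearer.Params['authorization_uri']
    $authority = $authUri -replace '/oauth2/authorize/?$', ''

    [pscustomobject]@{
        Authority         = $authority
        AuthorizationUri  = $authUri
        ClientId          = $bearer.Params['client_id']      # the resource's (EXO's) app id, not Outlook's
        TrustedIssuers    = @($bearer.Params['trusted_issuers'] -split '\s+')
        TokenTypes        = @($bearer.Params['token_types'] -split '\s+')
        BasicStillOffered = [bool]($challenges | Where-Object Scheme -eq 'Basic')
    }
}

# The challenge exactly as shown on the slide, constructed here as one string.
$slideChallenge = 'Bearer client_id="00000002-0000-0ff1-ce00-000000000000",' +
    'trusted_issuers="00000001-0000-0000-c000-000000000000@*",' +
    'token_types="app_asserted_user_v1 service_asserted_app_v1",' +
    'authorization_uri="https://login.windows.net/common/oauth2/authorize",Basic Realm="",Basic Realm=""'

$challenge = ConvertFrom-WwwAuthenticate $slideChallenge
$challenge | Format-List

# The client follows whatever authority the 401 names, so compare it with the one you
# expect before chasing the rest of the flow. The host list is an assumption for your tenant.
$expectedAuthorityHosts = 'login.windows.net', 'login.microsoftonline.com'
if (([uri]$challenge.Authority).Host -notin $expectedAuthorityHosts) {
    Write-Warning "401 points the client at an unexpected authority: $($challenge.Authority)"
}
```

BasicStillOffered is true for this capture: the same 401 that starts the OAuth dance still advertises Basic, which is the path a client without ADAL enabled will take, so "Outlook is not using Modern Authentication" on slide 44 does not show up as an error in the trace.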

Modern auth (Federated Identities)

(Flow diagram from slide 25 repeated.)

Slide 34

ADFS Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 16056
Expires: -1
Date: Wed, 20 Apr 2016 14:27:56 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0
Cache-Control: no-cache,no-store
Pragma: no-cache
x-frame-options: DENY

<!DOCTYPE html>
<html lang="en-US">
< … ADFS Forms Based Auth page code … >
</html>

Slide 35

EvoSTS returns tokens

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
x-ms-request-id: 6244ce53-096a-48e3-9a61-b3d517d7625b
client-request-id: ae8dab57-535b-4ab3-b2d7-b4c17180d9fe

{"token_type":"Bearer","scope":"user_impersonation Contacts.ReadWrite Calendars.ReadWrite Mail.Send Mail.ReadWrite Group.ReadWrite.All Files.ReadWrite.All","expires_in":"3600","expires_on":"1463515539","not_before":"1463511639","resource":"https://outlook.office365.com/","access_token":"eyJ0eXAi…","refresh_token":"AAABAAAAiL9K…"}

Slide 36

Access granted

HTTP/1.1 200 OK
Content-Type: application/mapi-http
request-id: 7d8640e6-9d97-4013-b98e-b1eb6448bbf5
X-BackEndHttpStatus: 200
Set-Cookie: MapiRouting=UlVNOjcwNmVkN2NkLTc1MjMtNDIxMS1hYTk2LTdlNWQ3YjBjODI3MDqkiig+hn7TCA==; path=/mapi/; secure; HttpOnly
Set-Cookie: MapiContext=MAPIAAAAAOer/q78zfW4+sr+zvrZ69vq3PHB9Nno3//P+ML3xvzN+KKBs4KwiLGHvoa2gagOAAAAAAAA; path=/mapi/emsmdb; secure; HttpOnly
Set-Cookie: MapiSequence=0-UO0MYQ==; path=/mapi/emsmdb; secure; HttpOnly
X-RequestType: Connect

Slide 37

Frankfurt – Atlanta

Slide 38

Existing Refresh Token

Slide 39

Access/refresh token exchange

(Flow diagram. Participants: User, Outlook, EXO, EvoSTS.)
1. Outlook → EXO: Access MBX (with expired Access Token)
2. EXO → Outlook: 401: Access Token invalid [AuthURL]
3. Outlook → EvoSTS: request new Access Token with Refresh Token
4. EvoSTS → Outlook: 200: return new access token
5. Outlook → EXO: Open MBX (access token)
6. EXO → Outlook: 200: return MBX

POST https://outlook.office365.com/mapi/emsmdb/?MailboxId=91158760-975b-4018-a0cb-cb562919d98e@contoso.onmicrosoft.com HTTP/1.1
Content-Type: application/mapi-http
Accept: application/mapi-http
Authorization: Bearer eyJ0eXAi…

Slide 40
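Added example (not part of the deck), for the token response on slide 35 and the exchange on slide 39: decode the bearer token whose prefix "eyJ0eXAi…" the slides show ("eyJ0eXAi" is base64url for '{"typ"', the start of a JWT header) and make the decision the client makes between reusing it and going back to EvoSTS with the refresh token. The token is constructed here from the slide's not_before and expires_on values with a dummy signature; the tenant GUID is a placeholder and the function names are this example's own. Needs PowerShell 5.1 on .NET 4.6 or later, or PowerShell 7, for FromUnixTimeSeconds.

```powershell
# Added example, not from the session. Decodes an Azure AD v1 access token (a compact JWS)
# and decides: reuse it, or refresh it at EvoSTS as on slide 39.

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertFrom-Jwt([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "expected header.payload.signature, got $($parts.Count) parts" }
    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # The client never verifies the signature; only the resource (EXO) holds the keys.
    [pscustomobject]@{ Header = $header; Payload = $payload; SignatureVerified = $false }
}

function Test-AccessToken {
    param(
        [Parameter(Mandatory)]$Payload,
        [Parameter(Mandatory)][string]$Resource,
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow,
        [int]$SkewSeconds = 300   # Azure AD's 5-minute allowance: expires_on - not_before = 3900 = 3600 + 300
    )
    $nbf = [DateTimeOffset]::FromUnixTimeSeconds([long]$Payload.nbf)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$Payload.exp)
    $audienceOk = $Payload.aud.TrimEnd('/') -eq $Resource.TrimEnd('/')
    $expired    = $Now -ge $exp.AddSeconds(-$SkewSeconds)   # renew early rather than take a 401

    $action = if (-not $audienceOk) {
        'wrong resource: ask EvoSTS for a token for this resource'
    } elseif ($Now -lt $nbf) {
        'not yet valid: check the client clock'
    } elseif ($expired) {
        'expired: POST the refresh token to EvoSTS and retry'
    } else {
        'use the cached access token'
    }

    [pscustomobject]@{
        Upn = $Payload.upn; Audience = $Payload.aud; AudienceOk = $audienceOk
        NotBefore = $nbf; Expires = $exp; SecondsLeft = [int]($exp - $Now).TotalSeconds
        Action = $action
    }
}

# Constructed sample token, shaped like the one EvoSTS returned on slide 35 (times from the slide,
# appid = the Office client id from the TCO log on slide 54, tenant GUID = placeholder, signature = dummy).
$header  = '{"typ":"JWT","alg":"RS256"}'
$payload = '{"aud":"https://outlook.office365.com/","iss":"https://sts.windows.net/11111111-1111-1111-1111-111111111111/",' +
           '"nbf":1463511639,"exp":1463515539,"upn":"john.doe@contoso.com","appid":"d3590ed6-52b3-4102-aeff-aad2292ab01c","ver":"1.0"}'
$sampleToken = (ConvertTo-Base64Url $header) + '.' + (ConvertTo-Base64Url $payload) + '.' + (ConvertTo-Base64Url 'not-a-real-signature')
$sampleToken.Substring(0, 8)   # eyJ0eXAi, the same prefix as on the slides

$jwt = ConvertFrom-Jwt $sampleToken
$exo = 'https://outlook.office365.com/'
# Halfway through the hour: Outlook keeps using the token.
Test-AccessToken -Payload $jwt.Payload -Resource $exo -Now ([DateTimeOffset]::FromUnixTimeSeconds(1463513500))
# After expires_on: the 401 on slide 39 follows and the refresh token buys a new access token.
Test-AccessToken -Payload $jwt.Payload -Resource $exo -Now ([DateTimeOffset]::FromUnixTimeSeconds(1463516000))
# Token for a different resource (the one in slide 54's log): rejected even though unexpired.
Test-AccessToken -Payload $jwt.Payload -Resource 'https://officeapps.live.com' -Now ([DateTimeOffset]::FromUnixTimeSeconds(1463513500))
```

The slide's values give expires_on minus not_before = 3900 s: the 3600 s lifetime plus Azure AD's 300 s clock-skew allowance, which is why the example renews five minutes early instead of waiting for the 401. The audience check is the one to run when a trace shows an unexpired token being refused: an access token is bound to one resource, so a token for officeapps.live.com is useless against outlook.office365.com.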

Access/refresh token exchange

(Same exchange as slide 39 for a document: Access Document (with expired Access Token) → 401: Access Token invalid [AuthURL] → request new Access Token with Refresh Token → 200: return new access token → Open MBX (access token) → 200: return doc.)

Slide 41

Administrator Options

Client access filtering
AD FS feature, inspects headers
Limited set of tools for controlling access
Cannot inspect OAuth traffic

Conditional Access Policies (Office 365)
Must use Modern Authentication
Granular and relevant access control
Control based on a broad range of factors

Slide 42

(Slide 40 repeated.)

Slide 43

Customer Scenarios

Modern Auth not working
Outlook Disconnected at Startup
Outlook 2016 works, 2010 does not
Outlook 2016 works, 2013 does not
Outlook 2013 keeps prompting

Slide 44

Modern Auth Not working

Environment: Federated, Outlook 2013, Outlook 2016
Problem: Outlook is not using Modern Authentication

Slide 45

Modern Auth Not working

(Flow diagram from slide 25 repeated.)

Slide 46

Modern Auth Not working

Steps
Version: 2013/2016
Updates
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\ DWORD EnableADAL = 0 / 1 (15.0 is Office 2013; Office 2016 uses the 16.0 key)
http://aka.ms/offcat

Slide 47

Modern Auth Not working

Steps
Tenant enabled? Get-OrganizationConfig | ft name, *OAuth*
OAuth2ClientProfileEnabled True/False
http://aka.ms/ExoModernAuth
https://aka.ms/SkypePowerShell

Slide 48

Modern Authentication does not work

4000000;reason="Flighting is not enabled for domain 'john.doe@contoso.com'.";error_category="oauth_not_available"

Latest: ADALIdentity::IsADALDisabledViaExchangeFlighting returning true

Slide 49

Outlook Modern Auth Not working

Environment: Federated, Outlook 2013/2016 clients
Resolution: Enable tenant

Slide 50

Outlook Disconnected at Startup

Environment: Federated, mailboxes in Office 365, Outlook 2013, 100k users
Problem: Starting Outlook, it goes into Disconnected
Temporary workaround: log out / log in from Word

Slide 51

Outlook Disconnected at Startup

(Flow diagram from slide 25 repeated.)

Slide 52

Outlook Disconnected at Startup

(Diagram: the refresh exchange from slide 39 up to the new access token being returned: Access Document (with expired Access Token) → 401: Access Token invalid [AuthURL] → request new Access Token with Refresh Token → 200: return new access token.)

Slide 53

Outlook Disconnected at Startup

Fiddler
Outlook logging
MSO Logging: [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Debug] "TCOTrace"=dword:00000001; the log is written to %Temp%\Outlook.exe.log

Slide 54

Outlook Disconnected at Startup – TCO Log

2016/01/06 12:21:50:104::[14992] ADAL: message='', additionalInformation='Token response is not successful. Status:400 ResponseText:{"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. AADSTS70008: The provided access grant is expired or revoked.\r\nTrace ID: 81d398ce-4408-4934-9469-20c738b8cfb6\r\nCorrelation ID: d8ca709d-cc95-44f1-b6b2-3a23e2979823\r\nTimestamp: 2016-01-06 11:21:51Z","error_codes":[70002,70008],"timestamp":"2016-01-06 11:21:51Z","trace_id":"81d398ce-4408-4934-9469-20c738b8cfb6","correlation_id":"d8ca709d-cc95-44f1-b6b2-3a23e2979823"} Authority: https://login.windows.net/common Client ID: d3590ed6-52b3-4102-aeff-aad2292ab01c Redirect URI: urn:ietf:wg:oauth:2.0:oob Login: john.doe@contoso.com Resource: https://officeapps.live.com Correlation ID (request): ', errorCode='0x00000000'

2016/01/06 12:21:50:104::[14992] ADAL: message='', additionalInformation='Webrequest returns error code: invalid_grant and error description:AADSTS70002: Error validating credentials. AADSTS70008: The provided access grant is expired or revoked.

Slide 55

Outlook Disconnected at Startup

(Slide 40 repeated.)

Slide 56

Outlook Disconnected at Startup

Environment: Federated, mailboxes in Office 365, Outlook 2013, 3rd-party SSO provider
Solution: Update MSO.dll

Slide 57

Outlook Disconnected at Startup - Bonus

Environment: Federated, mailboxes in Office 365, Outlook 2010/2013/2016, 100k users
Problem: Change password, start Outlook, it goes into Disconnected

Slide 58

Outlook Disconnected at Startup - Bonus

(Diagram, the pre-ADAL path.) Exchange Online; User Authentication against Windows Azure Active Directory (Identity Provider: OrgID; Directory), which issues a Compact Token; the on-premises Authority (Identity Provider: AD FS or other; Directory) issues a SAML Token.

Slide 59

Outlook Disconnected at Startup - Bonus

Environment: Federated, mailboxes in Office 365, Outlook 2010/2013/2016, 100k users
Resolution: Update AD FS servers / 3rd party to the latest update

Slide 60

Outlook 2016 works, Outlook 2010 does not

Environment: POC, Federated, Outlook 2010, Outlook 2016, 40 000 users
Problem: Can’t open O365 calendars after password change

Slide 61

Outlook 2016 works, Outlook 2010 does not

Environment: POC, Federated, Outlook 2010, Outlook 2016, 40 000 users
Problem:
Can’t create Outlook 2010 profiles
Can create Outlook 2016 profiles
Can’t create Outlook 2016 profile if Modern Authentication is disabled (EnableADAL = 0 under HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\)

Slide 62

Outlook 2016 works, Outlook 2010 does not

(Diagram from slide 58 repeated.)

Slide 63

Outlook 2016 works, Outlook 2010 does not

(Architecture diagram from slide 13 repeated.)

Slide 64

Outlook 2016 works, Outlook 2010 does not

Environment: POC, Federated, Outlook 2010, Outlook 2016, 40 000 users
Resolution: Update AD FS claims rules

Slide 65

Outlook 2016 works, Outlook 2013 does not

Environment: Federated, Outlook 2013/2016
Problem: After a password change, Outlook 2016 works; Outlook 2013 does not connect and shows an empty window

Slide 66

Outlook 2016 works, Outlook 2013 does not

(Flow diagram from slide 25 repeated.)

Slide 67

Outlook 2016 works, Outlook 2013 does not

Environment: Federated, Outlook 2013, Outlook 2016
Resolution: Update ADAL.dll (orgidcrl.msp), KB Article 3085565

Slide 68

Outlook 2013 keeps prompting

Environment: Federated, Outlook 2013
Problem: With a new Windows profile it works (Modern Auth is working); with existing Windows profiles there are password prompts etc.
Did NOT want to recreate all Windows profiles for the users

Slide 69

Outlook 2013 keeps prompting

TCOTrace

2016/09/22 13:40:37:962::[6620] IdentityLiblet:TryToEnableADAL not enabling ADAL
2016/09/22 13:40:37:962::[6620] IdentityLiblet: not enabled due to UseOnlineContent setting
2016/09/22 13:40:37:962::[6620] IdentityManager: skipping OfflineInit because liblet is disabled

Slide 70
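Added example (not part of the deck), for the MSO logging switch on slide 53 and the trace excerpts on slides 48, 54 and 69: turn TCOTrace on and reduce Outlook.exe.log to the facts that decide the scenario (AADSTS codes, the OAuth error name, the setting that disabled ADAL, correlation IDs). The sample lines are condensed from the slides; the classification rules, the 16.0 registry path (by analogy with the 15.0 path on slide 53) and the function names are this example's own.

```powershell
# Added example, not from the session. Enable the MSO/TCO trace from slide 53 and scan it.

function Enable-TcoTrace {
    # Slide 53 shows the 15.0 (Office 2013) key; 16.0 for Office 2016 is assumed by analogy.
    param([ValidateSet('15.0', '16.0')][string]$OfficeVersion = '15.0')
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\Debug"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name TCOTrace -PropertyType DWord -Value 1 -Force | Out-Null
    Join-Path $env:TEMP 'Outlook.exe.log'   # written after Outlook is restarted
}

function Get-AdalLogFindings {
    param([Parameter(Mandatory)][string[]]$Lines)

    # First rule whose pattern matches wins; ordered from most to least specific. The fix text
    # points back at the slide that resolves each scenario.
    $rules = @(
        @{ Pattern = 'not enabled due to (\w+) setting'; Category = 'ADAL disabled by client setting'; Fix = 'check the {0} value (slide 70)' }
        @{ Pattern = 'IsADALDisabledViaExchangeFlighting returning true|oauth_not_available|Flighting is not enabled'; Category = 'Tenant not enabled for OAuth'; Fix = 'Get-OrganizationConfig | ft Name,*OAuth* (slide 47)' }
        @{ Pattern = 'AADSTS70008|invalid_grant'; Category = 'Refresh token expired or revoked'; Fix = 'interactive sign-in needed; if it recurs after a password change, update ADAL.dll / MSO.dll (slides 56, 67)' }
        @{ Pattern = 'not enabling ADAL'; Category = 'ADAL not enabled'; Fix = 'check EnableADAL (slide 46)' }
    )

    foreach ($line in $Lines) {
        $rule = $rules | Where-Object { $line -match $_.Pattern } | Select-Object -First 1
        if (-not $rule) { continue }
        $null   = $line -match $rule.Pattern                     # re-run so $Matches belongs to the winning rule
        $detail = if ($Matches.Count -gt 1) { $Matches[1] } else { $null }
        $codes  = @([regex]::Matches($line, 'AADSTS(\d{5})') | ForEach-Object { [int]$_.Groups[1].Value })
        $corr   = if ($line -match '(?i)correlation[ _]id"?:\s*"?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})') { $Matches[1] } else { $null }
        $stamp  = $null; $thread = $null
        if ($line -match '^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3})::\[(\d+)\]') { $stamp = $Matches[1]; $thread = $Matches[2] }

        [pscustomobject]@{
            Timestamp     = $stamp
            Thread        = $thread
            Category      = $rule.Category
            Detail        = $detail
            AadstsCodes   = ($codes -join ' ')
            CorrelationId = $corr
            Fix           = ($rule.Fix -f $detail)
        }
    }
}

# Sample lines condensed from slides 48, 54 and 69 (constructed here; the first one merges the
# error text and the correlation id that the slide prints on one very long line).
$sampleLog = @(
    '2016/01/06 12:21:50:104::[14992] ADAL: message='''', additionalInformation=''Webrequest returns error code: invalid_grant and error description:AADSTS70002: Error validating credentials. AADSTS70008: The provided access grant is expired or revoked. Correlation ID: d8ca709d-cc95-44f1-b6b2-3a23e2979823'''
    '2016/09/22 13:40:37:962::[6620] IdentityLiblet:TryToEnableADAL not enabling ADAL'
    '2016/09/22 13:40:37:962::[6620] IdentityLiblet: not enabled due to UseOnlineContent setting'
    '2016/09/22 13:40:37:962::[6620] IdentityManager: skipping OfflineInit because liblet is disabled'
    'Latest: ADALIdentity::IsADALDisabledViaExchangeFlighting returning true'
)
Get-AdalLogFindings -Lines $sampleLog | Format-Table Timestamp, Category, Detail, AadstsCodes, Fix -AutoSize

# Against a real trace once Enable-TcoTrace has run and Outlook has been restarted:
# Get-AdalLogFindings -Lines (Get-Content (Join-Path $env:TEMP 'Outlook.exe.log'))
```

Three of the five sample lines produce a finding; the "skipping OfflineInit" line is a consequence of the UseOnlineContent line, not a separate cause, so no rule matches it. Correlation IDs are what to hand over when escalating: they let the service side find the same request.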

Outlook 2013 keeps prompting

Environment: Federated, Outlook 2013
Solution: UseOnlineContent was set to 0; change it to another value
https://technet.microsoft.com/en-us/library/jj683102.aspx

Slide 71

Tools

http://aka.ms/icesdptool

Slide 72

The SDP collects:

Windows Step Recorder (.mht)
Fiddler Trace (.saz)
Event Trace Logs (.etl)
Registry Dump, Before and After (.reg)
Windows CredManager Cache (.txt)

Slide 73

Tools - SaRA

https://diagnostics.outlook.com/#/

Slide 74

Tools - SaRA

Slide 75

Tools – TestConnectivity

https://testconnectivity.microsoft.com/

Slide 76

Troubleshooting Modern Auth Scenario

Office Configuration Analyzer – “offcat”
Office Sign-in Assistant
Test Connectivity Scenarios
Office 365 Client Performance Analyzer

Slide 77

Troubleshooting Modern Auth Scenario

Make sure the client is updated
Make sure AD FS / 3rd party is updated
Check the EnableADAL registry key
Make sure your tenant is enabled
Use the workflow to narrow it down

Slide 78
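Added example (not part of the deck): the checklist above as a read-only PowerShell report run on the affected client, covering the EnableADAL key (slides 46 and 61), the token stores on slide 18, the UseOnlineContent setting from slide 70 and the tenant check from slide 47. The registry paths for EnableADAL, TCOTrace and the Identities key are from the slides; the UseOnlineContent location under Common\Internet, the ADAL.dll search folder and the cmdkey filter are assumptions of this script. The tenant part only runs if an Exchange Online PowerShell session is already connected.

```powershell
# Added example, not from the session. Reports, never changes anything.

function Get-ModernAuthReadiness {
    $report = [ordered]@{}

    # 1. Which Outlook is actually running (slide 77: make sure the client is updated)
    $outlook = Get-Process OUTLOOK -ErrorAction SilentlyContinue | Select-Object -First 1
    $report.OutlookVersion = if ($outlook -and $outlook.Path) { (Get-Item $outlook.Path).VersionInfo.ProductVersion } else { 'not running or not readable' }

    # ADAL.dll ships with Office 2013 via orgidcrl.msp (slide 67); search folder is an assumption
    $adal = Get-ChildItem "$env:CommonProgramFiles\Microsoft Shared" -Recurse -Filter ADAL.dll -ErrorAction SilentlyContinue | Select-Object -First 1
    $report.AdalDllVersion = if ($adal) { $adal.VersionInfo.ProductVersion } else { 'not found' }

    # 2. Per-version client switches: 15.0 = Office 2013, 16.0 = Office 2016
    foreach ($v in '15.0', '16.0') {
        $base = "HKCU:\Software\Microsoft\Office\$v\Common"
        if (-not (Test-Path $base)) { continue }

        $enableAdal = (Get-ItemProperty "$base\Identity" -Name EnableADAL -ErrorAction SilentlyContinue).EnableADAL
        $report["EnableADAL_$v"] = if ($null -eq $enableAdal) { 'not set' } elseif ($enableAdal -eq 1) { 'on (1)' } else { "OFF ($enableAdal)" }

        # Slide 70: UseOnlineContent = 0 stops the identity liblet from enabling ADAL at all
        $online = (Get-ItemProperty "$base\Internet" -Name UseOnlineContent -ErrorAction SilentlyContinue).UseOnlineContent
        $report["UseOnlineContent_$v"] = if ($online -eq 0) { '0: blocks ADAL (slide 70)' } elseif ($null -eq $online) { 'not set' } else { $online }

        $tco = (Get-ItemProperty "$base\Debug" -Name TCOTrace -ErrorAction SilentlyContinue).TCOTrace
        $report["TCOTrace_$v"] = if ($tco -eq 1) { 'on' } else { 'off' }

        # Slide 18: one <GUID>_ADAL key per signed-in identity holding that identity's access tokens
        $ids = Get-ChildItem "$base\Identity\Identities" -ErrorAction SilentlyContinue | Where-Object PSChildName -like '*_ADAL'
        $report["AdalIdentities_$v"] = @($ids).Count
    }

    # 3. Refresh tokens live in the Windows Credential Manager (slide 18); cmdkey lists targets only, never secrets
    $report.AdalCredentialTargets = @(cmdkey /list | Select-String 'MicrosoftOffice1[56]_Data:ADAL').Count

    # 4. Tenant side (slide 47), only if Exchange Online PowerShell is loaded in this session
    if (Get-Command Get-OrganizationConfig -ErrorAction SilentlyContinue) {
        $report.OAuth2ClientProfileEnabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    } else {
        $report.OAuth2ClientProfileEnabled = 'unknown: connect to Exchange Online PowerShell first'
    }

    [pscustomobject]$report
}

Get-ModernAuthReadiness | Format-List
```

Read the report top down in the order of the slide: an old client or ADAL.dll version first, then EnableADAL and UseOnlineContent, then whether the tenant has OAuth2ClientProfileEnabled. A machine with EnableADAL set but zero ADAL identities and zero credential targets has never completed the flow on slide 25, which is the "Outlook is not using Modern Authentication" case rather than a token-refresh problem.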

Summary: Session Objectives

Technical deep dive
Broader understanding of the process
Narrowing down the issue faster
Troubleshooting

Slide 79

Deploy, ramp up on new services and onboard new users with Microsoft FastTrack: http://fasttrack.microsoft.com/

Slide 80

Join the Microsoft Tech Community to collaborate, share, and learn from the experts: http://techcommunity.microsoft.com

Slide 81

From your PC or tablet visit MyIgnite at http://myignite.microsoft.com
From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp

Please evaluate this session. Your feedback is important to us!