Slide1
Modern Auth – How It Works and What To Do When It Doesn’t!
Tom Batcheler, Sr. Product Marketing Manager
Jonas Gunnemo, Sr. Escalation Engineer
BRK3215
Slide2
Modern Authentication & ADAL
Slide3
Modern Authentication
OAuth Based Auth for Office Clients against Office365
Enables
No more basic auth for Outlook!
Multi-factor authentication
Support for third party STSes
Conditional access
Supported across platforms:
iOS, OS X, Android, Windows
Slide4
Modern Authentication
History
Twitter, Ma.gnolia, Google
"Secure delegated access"
OAuth is an open standard
OAuth 2.0 2012
Why Enterprises like it?
Authenticated against own environment
No Password
Slide5
Modern Authentication
Client Support
Platforms: Windows, Mac OS X, Windows Phone, iOS, Android
Office Clients
(2013 & 2016)
(Office 2016 Mac Preview supports ADAL including Word, Excel, PowerPoint and OneNote)
(Available for Phones. Tablets coming soon)
Skype for Business
(In Preview)
⌛ Coming soon
(Not recommended for split domain configuration with Skype for Business Online and Skype for Business Server)
(Not recommended for split domain configuration with Skype for Business Online and Skype for Business Server)
Outlook
⌛ Coming soon
OneDrive for Business
⌛ Coming soon
Legacy clients
There are no plans for Office 2010 or Office 2007 to support ADAL-based authentication.
There are no plans for Office for Mac 2011 to support ADAL-based authentication.
There are no plans for Office on Windows Phone 7 to support ADAL-based authentication.
There are no plans to enable older Outlook iOS clients.
There are no plans to enable older Outlook Android clients.
Slide6
Modern Authentication - Microsoft
Microsoft Office 2013
Version: MSI, C2R
Updates
Outlook, Word, Excel, PowerPoint, etc.
ADAL.dll (orgidcrl.msp)
MSI, C2R
Office 2016
Versions: MSI, C2R
Channels: CC, FRDC, DC
Testing: Rings
https://blogs.technet.microsoft.com/office_sustained_engineering/
Slide7
Microsoft Office 2013 - Updates
History
<2007
Cumulative Updates (CU)
Release cadence: Feb, April, June, Aug, Oct, Dec
Availability: Download Center and Microsoft Catalog
Public Updates (PU)
Security Updates
Availability: Microsoft Update, Download Center and Microsoft Catalog
Today
Public Updates
Release cadence: Every Month
Security Updates - Patch Tuesday
Availability: Microsoft Update, Download Center and Microsoft Catalog
MSI, C2R
Non-security Updates - 1st Tuesday of the Month
Availability: Download Center and Microsoft Catalog
MSI
https://blogs.technet.microsoft.com/office_sustained_engineering/
Slide8
Microsoft Office 2016 - Updates
MSI
What: Public Updates
Release cadence: Every Month
When: Patch Tuesday
What: Non-security Updates
Release cadence: Every Month
When: 1st Tuesday of the Month
C2R
Update versions:
Current Channel
First Release Deferred Channel
Deferred Channel
Testing:
Rings
Slide9
Microsoft Office 2016 - Rings
Our rollout plan
Developer/Feature Team
Team(s)
Microsoft
Insiders
Customers
Slide13
Password Prompt in Outlook – what caused it?
[Architecture diagram; labels: Exchange Online; Authority; Identity Provider (AD FS or other); Directory; On Premises; SAML Token; Access and Refresh Tokens; Windows Azure Active Directory; Identity Provider (EvoSTS); Directory; MSO; Authentication stack; HTTP transport stack; ADAL; Web Browser; Lync Online; SharePoint Online; Access Token]
Slide14
Stockholm – Frankfurt - Atlanta
Slide15
Modern Authentication
Slide16
Modern Auth (Federated Identities)
[Sequence diagram; labels: User, Outlook, SPO/EXO, EvoSTS, AD FS, trust, federation; message labels follow]
(open a link)
Open MBX (no token)
401: need token from [authURL]
Slide17
Tokens
Airline Ticket
Boarding Pass
Slide18
Tokens
Refresh Token
UPN specific
Longer lived
Valid for 14 days - up to 90d
Stored in Credential Store: MicrosoftOffice16_Data:ADAL:<GUID>
Access Token (Bearer)
Specific resource
Short lived
Valid 1 hour
Stored in registry: HKEY_CURRENT_USER\Software\Microsoft\Office\version\Common\Identity\Identities\<GUID>_ADAL
User credentials/passwords are never cached! We only store tokens.
Slide22
User experience
Users prompted more often?
When the refresh token is no longer valid
Admin policies can result in users needing to sign-in again
Slide23
Modern auth (Federated Identities)
[Sequence diagram; labels: User, Outlook, EXO, EvoSTS, AD FS, trust, federation]
Slide24
Azure AD federation compatibility list
aka.ms/SSOProviders
Azure Active Directory
Optimal IDM Virtual Identity Server Federation Services
PingFederate 6.11
PingFederate 7.2
PingFederate 8.x
Centrify
IBM Tivoli Federated Identity Manager 6.2.2
SecureAuth IdP 7.2.0
CA SiteMinder 12.52
RadiantOne CFS 3.0
Okta
OneLogin
NetIQ Access Manager 4.0.1
BIG-IP with Access Policy Manager BIG-IP ver. 11.3x – 11.6x
VMware Workspace Portal version 2.1
Sign&go 5.3
IceWall Federation Version 3.0
CA Secure Cloud
Dell One Identity Cloud Access Manager v7.1
AuthAnvil Single Sign On 4.5
Slide25
Multifactor Authentication?
[Sequence diagram; labels: User, Outlook, EXO, EvoSTS, AD FS, trust, federation; message labels follow]
(open a link)
Open MBX (no token)
401: need token from [authURL]
GET [on-prem authURL] / 200: (show login page)
(browser Control)
(enter username)
(verify username/password)
Open MBX (access token)
200: (return access/refresh token)
302: (go to on-prem STS [authURL])
(enter Username/password)
302: (go to EvoSTS, with SAML token)
POST [SAML Token]
GET [authURL] / 200: (show login page)
(cache refresh token)
Slide26
Multifactor Authentication
User experience
Frequency
Sign-in
Factors; knows, has and is
Office 365 experience
Phone
Time
Slide27
EvoSTS manages MFA process
Windows Azure Active Directory
Identity Provider (EvoSTS)
Directory
Multi-Factor Authentication
Slide28
Modern auth (Federated Identities)
[Federated sign-in sequence diagram, shown again]
Slide29
Initial Connection
POST https://outlook.office365.com/mapi/emsmdb/?MailboxId=agd3482b1-d18e-4cae-952b-5ad875ase3e3bd@contoso.com HTTP/1.1
Content-Type: application/mapi-http
Accept: application/mapi-http
Authorization: Bearer
User-Agent: Microsoft Office/15.0 (Windows NT 6.3; Microsoft Outlook 15.0.4783; Pro)
Client-Request-Id: {5A866872-7E74-440E-88C9-48D30A6DBB41}
X-ClientApplication: Outlook/15.0.4783.1000
X-User-Identity: john.doe@contoso.com
X-RequestId: {8E871543-8042-420E-95F2-F170DF1D6E62}:1
X-RequestType: Connect
Host: outlook.office365.com
Slide32
Initial Response
HTTP/1.1 401 Unauthorized
request-id: f910d760-5a2f-4457-bade-5671824e8576
X-CalculatedBETarget: DM2PR06MB848.namprd06.prod.outlook.com
X-BackEndHttpStatus: 401
X-RequestId: {8E871543-8042-420E-95F2-F170DF1D6E62}:1
X-DiagInfo: DM2PR06CA9994
X-BEServer: DM2PR06CA9994
X-FEServer: SN2PR80CA033
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize",Basic Realm="",Basic Realm=""
Slide33
Modern auth (Federated Identities)
[Federated sign-in sequence diagram, shown again]
Slide34
ADFS Response
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 16056
Expires: -1
Date: Wed, 20 Apr 2016 14:27:56 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0
Cache-Control: no-cache,no-store
Pragma: no-cache
x-frame-options: DENY
<!DOCTYPE html>
<html lang="en-US">
< … ADFS Forms Based Auth page code …>
</html>
Slide35
EvoSTS returns tokens
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
x-ms-request-id: 6244ce53-096a-48e3-9a61-b3d517d7625b
client-request-id: ae8dab57-535b-4ab3-b2d7-b4c17180d9fe
{"token_type":"Bearer","scope":"user_impersonation Contacts.ReadWrite Calendars.ReadWrite Mail.Send Mail.ReadWrite Group.ReadWrite.All Files.ReadWrite.All","expires_in":"3600","expires_on":"1463515539","not_before":"1463511639","resource":"https://outlook.office365.com/","access_token":"eyJ0eXAi…","refresh_token":"AAABAAAAiL9K…"
Slide36
Access granted
HTTP/1.1 200 OK
Content-Type: application/mapi-http
request-id: 7d8640e6-9d97-4013-b98e-b1eb6448bbf5
X-BackEndHttpStatus: 200
Set-Cookie: MapiRouting=UlVNOjcwNmVkN2NkLTc1MjMtNDIxMS1hYTk2LTdlNWQ3YjBjODI3MDqkiig+hn7TCA==; path=/mapi/; secure; HttpOnly
Set-Cookie: MapiContext=MAPIAAAAAOer/q78zfW4+sr+zvrZ69vq3PHB9Nno3//P+ML3xvzN+KKBs4KwiLGHvoa2gagOAAAAAAAA; path=/mapi/emsmdb; secure; HttpOnly
Set-Cookie: MapiSequence=0-UO0MYQ==; path=/mapi/emsmdb; secure; HttpOnly
X-RequestType: Connect
Slide37
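The 401 challenge and the token response from the trace slides above, checked in code. This is an added example, not part of the presentation or of Microsoft's client code; the function names and the `TRUSTED_AUTHORITIES` allow-list are assumptions, and the sample values are constructed from the slides.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed from the "Initial Response" and "EvoSTS returns tokens" slides.
REQUEST_URL = "https://outlook.office365.com/mapi/emsmdb/"
CHALLENGE = (
    'Bearer client_id="00000002-0000-0ff1-ce00-000000000000", '
    'trusted_issuers="00000001-0000-0000-c000-000000000000@*", '
    'token_types="app_asserted_user_v1 service_asserted_app_v1", '
    'authorization_uri="https://login.windows.net/common/oauth2/authorize",'
    'Basic Realm="",Basic Realm=""'
)
TOKEN_BODY = json.dumps({
    "token_type": "Bearer", "expires_in": "3600", "expires_on": "1463515539",
    "not_before": "1463511639", "resource": "https://outlook.office365.com/",
    "access_token": "<elided>", "refresh_token": "<elided>",
})
# Assumption: the only authority host this client should ever be sent to.
TRUSTED_AUTHORITIES = {"login.windows.net"}

# An auth-param, optionally preceded by the scheme name that opens a new challenge.
PARAM = re.compile(r'(?:([A-Za-z][\w-]*)\s+)?([A-Za-z_][\w-]*)\s*=\s*"([^"]*)"')


def parse_challenges(header):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges = []
    for scheme, key, value in PARAM.findall(header):
        if scheme or not challenges:
            challenges.append((scheme, {}))
        challenges[-1][1][key.lower()] = value
    return challenges


def modern_auth_authority(header):
    """Return the Bearer authorization_uri, or None if only legacy schemes are offered."""
    for scheme, params in parse_challenges(header):
        uri = params.get("authorization_uri")
        if scheme.lower() != "bearer" or not uri:
            continue
        parts = urlsplit(uri)
        if parts.scheme != "https" or parts.hostname not in TRUSTED_AUTHORITIES:
            raise ValueError(f"refusing untrusted authorization_uri: {uri}")
        return uri
    return None


def check_token_response(body, requested_url):
    """Compare a token response with the resource that issued the 401."""
    tok = json.loads(body)
    problems = []
    if tok.get("token_type", "").lower() != "bearer":
        problems.append("token_type is not Bearer")
    want, got = urlsplit(requested_url), urlsplit(tok.get("resource", ""))
    if (got.scheme, got.hostname) != (want.scheme, want.hostname):
        problems.append("token resource does not match the requested host")
    window = int(tok["expires_on"]) - int(tok["not_before"])
    if window < int(tok["expires_in"]):
        problems.append("validity window is shorter than expires_in")
    if not tok.get("refresh_token"):
        problems.append("no refresh token to cache")
    return problems, window


if __name__ == "__main__":
    print(modern_auth_authority(CHALLENGE))
    print(check_token_response(TOKEN_BODY, REQUEST_URL))
```

A response whose challenge list contains only `Basic` entries makes `modern_auth_authority` return `None`, which is the "Outlook is not using Modern Authentication" symptom seen from the wire.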
Frankfurt - Atlanta
Slide38
Existing Refresh Token
Slide39
Access/refresh token exchange
[Sequence diagram; labels: User, Outlook, EXO, EvoSTS; message labels follow]
Access MBX (w/expired Access Token)
401: Access Token invalid [AuthURL]
(request new Access Token with Refresh Token)
Open MBX (access token)
200: return MBX
200: return new access token
POST https://outlook.office365.com/mapi/emsmdb/?MailboxId=91158760-975b-4018-a0cb-cb562919d98e@contoso.onmicrosoft.com HTTP/1.1
Content-Type: application/mapi-http
Accept: application/mapi-http
Authorization: Bearer eyJ0eXAi…
Slide40
Access/refresh token exchange
[Sequence diagram; labels: User, Outlook, EXO, EvoSTS; message labels follow]
Access Document (w/expired Access Token)
401: Access Token invalid [AuthURL]
(request new Access Token with Refresh Token)
Open MBX (access token)
200: return doc
200: return new access token
Slide41
Administrator Options
Client access filtering
AD FS feature, inspects headers
Limited set of tools for controlling access
Cannot inspect OAuth traffic
Conditional Access Policies
Must use Modern Authentication
Granular and relevant access control
Control based on a broad range of factors
Office365
Slide43
Customer Scenarios
Modern Auth Not working
Outlook Disconnected at Startup
Outlook 2016 works, 2010 does not
Outlook 2016 works, 2013 does not
Outlook 2013 keeps prompting
Slide44
Modern Auth Not working
Environment
Federated
Outlook 2013
Outlook 2016
Problem
Outlook is not using Modern Authentication
Slide45
Modern Auth Not working
[Federated sign-in sequence diagram, shown again]
Slide46
Modern Auth Not working
Steps
Version – 2013/2016
Updates
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\
Dword: EnableADAL 0 / 1
http://aka.ms/offcat
Slide47
Modern Auth Not working
Steps
Tenant enabled?
Get-OrganizationConfig | ft name, *OAuth*
OAuth2ClientProfileEnabled True/False
http://aka.ms/ExoModernAuth
https://aka.ms/SkypePowerShell
Slide48
Modern Authentication does not work
4000000;reason="Flighting is not enabled for domain 'john.doe@contoso.com'.";error_category="oauth_not_available"
Latest:
ADALIdentity::IsADALDisabledViaExchangeFlighting returning true
Slide49
Outlook Modern Auth Not working
Environment
Federated
Outlook 2013/2016 clients
Resolution
Enable tenant
Slide50
Outlook Disconnected at Startup
Environment
Federated, mailboxes in Office365
Outlook 2013
100k users
Problem
Starting Outlook, goes into Disconnect
Temp solution, log out / log in from Word
Slide51
Outlook Disconnected at Startup
[Federated sign-in sequence diagram, shown again]
Slide52
Outlook Disconnected at Startup
[Sequence diagram; labels: User, Outlook, EXO, EvoSTS; message labels follow]
Access Document (w/expired Access Token)
401: Access Token invalid [AuthURL]
(request new Access Token with Refresh Token)
200: return new access token
Slide53
Outlook Disconnected at Startup
Fiddler
Outlook logging
MSO Logging
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Debug]
"TCOTrace"=dword:00000001
%Temp% => Outlook.exe.log
Slide54
Outlook Disconnected at Startup – TCO Log
2016/01/06 12:21:50:104::[14992] ADAL: message='', additionalInformation='Token response is not successful. Status:400 ResponseText:{"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. AADSTS70008: The provided access grant is expired or revoked.\r\nTrace ID: 81d398ce-4408-4934-9469-20c738b8cfb6\r\nCorrelation ID: d8ca709d-cc95-44f1-b6b2-3a23e2979823\r\nTimestamp: 2016-01-06 11:21:51Z","error_codes":[70002,70008],"timestamp":"2016-01-06 11:21:51Z","trace_id":"81d398ce-4408-4934-9469-20c738b8cfb6","correlation_id":"d8ca709d-cc95-44f1-b6b2-3a23e2979823"} Authority: https://login.windows.net/common Client ID: d3590ed6-52b3-4102-aeff-aad2292ab01c Redirect URI: urn:ietf:wg:oauth:2.0:oob Login: john.doe@contoso.com Resource: https://officeapps.live.com Correlation ID (request): ', errorCode='0x00000000'
2016/01/06 12:21:50:104::[14992] ADAL: message='', additionalInformation='Webrequest returns error code:invalid_grant and error description:AADSTS70002: Error validating credentials. AADSTS70008: The provided access grant is expired or revoked.
Slide55
Outlook Disconnected at Startup
[Access/refresh token exchange diagram, shown again]
Slide56
Outlook Disconnected at Startup
Environment
Federated, mailboxes in Office365
Outlook 2013
3rd party SSO provider
Solution
Update MSO.dll
Slide57
Outlook Disconnected at Startup - Bonus
Environment
Federated, mailboxes in Office365
Outlook 2010/2013/2016
100k users
Problem
Change Password, Starting Outlook, goes into Disconnect
Slide58
Outlook Disconnected at Startup - Bonus
[Architecture diagram; labels: Exchange Online; User Authentication; Windows Azure Active Directory; Identity Provider (OrgID); Directory; Compact Token; Authority; Identity Provider (AD FS or other); Directory; On Premises; SAML Token]
Slide59
Outlook Disconnected at Startup - Bonus
Environment
Federated, mailboxes in Office365
Outlook 2010/2013/2016
100k users
Resolution
Update AD FS Servers, 3rd Party to latest update
Slide60
Outlook 2016 works, Outlook 2010 does not
Environment
POC, Federated
Outlook 2010
Outlook 2016
40 000 users
Problem
Can’t open O365 Calendars after password change
Slide61
Outlook 2016 works, Outlook 2010 does not
Environment
POC, Federated
Outlook 2010
Outlook 2016
40 000 users
Problem
Can’t create Outlook 2010 profiles
Can create Outlook 2016 profiles
Can’t create Outlook 2016 profile if Modern Authentication is disabled (EnableADAL = 0) - HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\
Slide62
Outlook 2016 works, Outlook 2010 does not
[Architecture diagram; labels: Exchange Online; User Authentication; Windows Azure Active Directory; Identity Provider (OrgID); Directory; Compact Token; Authority; Identity Provider (AD FS or other); Directory; On Premises; SAML Token]
Slide63
Outlook 2016 works, Outlook 2010 does not
[Architecture diagram; labels: Exchange Online; Authority; Identity Provider (AD FS or other); Directory; On Premises; SAML Token; Access and Refresh Tokens; Windows Azure Active Directory; Identity Provider (EvoSTS); Directory; MSO; Authentication stack; HTTP transport stack; ADAL; Web Browser; Lync Online; SharePoint Online; Access Token]
Slide64
Outlook 2016 works, Outlook 2010 does not
Environment
POC, Federated
Outlook 2010
Outlook 2016
40 000 users
Resolution
Update AD FS
Claims Rules
Slide65
Outlook 2016 works, Outlook 2013 does not
Environment
Federated
Outlook 2013/2016
Problem
Change password
Outlook 2016 works
Outlook 2013 does not connect – shows empty window
Slide66
Outlook 2016 works, Outlook 2013 does not
[Federated sign-in sequence diagram, shown again]
Slide67
Outlook 2016 works, Outlook 2013 does not
Environment
Federated
Outlook 2013
Outlook 2016
Resolution
Update ADAL.dll (orgidcrl.msp) – KB Article: 3085565
Slide68
Outlook 2013 keeps prompting
Environment
Federated
Outlook 2013
Problem
It is working with New Windows Profile – Modern Auth is working
Existing Windows Profiles – password prompts etc
Did NOT want to recreate all Windows Profiles for the user
Slide69
Outlook 2013 keeps prompting
TCOTrace
2016/09/22 13:40:37:962::[6620] IdentityLiblet:TryToEnableADAL not enabling ADAL
2016/09/22 13:40:37:962::[6620] IdentityLiblet: not enabled due to UseOnlineContent setting
2016/09/22 13:40:37:962::[6620] IdentityManager: skipping OfflineInit because liblet is disabled
Slide70
Outlook 2013 keeps prompting
Environment
Federated
Outlook 2013
Solution
UseOnlineContent was set to 0, change to other value
https://technet.microsoft.com/en-us/library/jj683102.aspx
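A triage pass over the TCO trace lines quoted on the two log slides above (the `invalid_grant` token response and the `UseOnlineContent` lines). This is an added example, not from the presentation or from Microsoft; the function names, finding labels and field names are assumptions, and the sample log is constructed and shortened from the slide text.

```python
import json
import re

# Constructed sample, shortened from the TCO trace lines quoted on the slides.
SAMPLE_LOG = "\n".join([
    "2016/01/06 12:21:50:104::[14992] ADAL: message='', additionalInformation='"
    'Token response is not successful. Status:400 ResponseText:{"error":"invalid_grant",'
    '"error_description":"AADSTS70002: Error validating credentials. AADSTS70008: '
    'The provided access grant is expired or revoked.","error_codes":[70002,70008],'
    '"trace_id":"81d398ce-4408-4934-9469-20c738b8cfb6",'
    '"correlation_id":"d8ca709d-cc95-44f1-b6b2-3a23e2979823"} '
    "Authority: https://login.windows.net/common', errorCode='0x00000000'",
    "2016/09/22 13:40:37:962::[6620] IdentityLiblet:TryToEnableADAL not enabling ADAL",
    "2016/09/22 13:40:37:962::[6620] IdentityLiblet: not enabled due to UseOnlineContent setting",
    "2016/09/22 13:40:37:962::[6620] IdentityManager: skipping OfflineInit because liblet is disabled",
])

# Timestamp (to the second), milliseconds, bracketed numeric id, then the message.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d):\d+::\[\d+\]\s*(.*)$")

# Log text -> (finding, next step). The next steps repeat the slides' resolutions.
RULES = [
    ("not enabled due to UseOnlineContent setting",
     "adal_disabled_by_policy", "UseOnlineContent is 0; change it to another value"),
    ("IsADALDisabledViaExchangeFlighting returning true",
     "tenant_not_enabled", "check OAuth2ClientProfileEnabled with Get-OrganizationConfig"),
]


def sts_error(message):
    """Decode the JSON error body that follows 'ResponseText:', if the line has one."""
    start = message.find("ResponseText:{")
    if start < 0:
        return None
    try:
        # raw_decode stops at the end of the JSON object and ignores the trailing text.
        body, _ = json.JSONDecoder().raw_decode(message, start + len("ResponseText:"))
    except json.JSONDecodeError:
        return None  # truncated or wrapped log line
    return body


def triage(log_text):
    """Return one finding per line that explains why ADAL sign-in failed or was skipped."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE.match(raw)
        if not match:
            continue
        stamp, message = match.groups()
        err = sts_error(message)
        if err:
            findings.append({
                "time": stamp, "finding": err.get("error"),
                "aadsts": err.get("error_codes", []),
                "correlation_id": err.get("correlation_id"),
                "next": "access grant expired or revoked; the user has to sign in again",
            })
        for needle, finding, step in RULES:
            if needle in message:
                findings.append({"time": stamp, "finding": finding, "next": step})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```

The correlation ID pulled from the error body is the value to quote when the same failure has to be matched against the identity provider's own logs.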
Slide71
Tools
http://aka.ms/icesdptool
Slide72
The SDP collects:
Windows Step Recorder (.mht)
Fiddler Trace (.saz)
Event Trace Logs (.etl)
Registry Dump, Before and After (.reg)
Windows CredManager Cache (.txt)
Slide73
Tools - SaRA
https://diagnostics.outlook.com/#/
Slide74
Tools - SaRA
Slide75
Tools – TestConnectivity
https://testconnectivity.microsoft.com/
Slide76
Troubleshooting Modern Auth Scenario
Office Configuration Analyzer – “offcat”
Office Sign-in Assistant
Test Connectivity Scenarios
Office 365 Client Performance Analyzer
Slide77
Troubleshooting Modern Auth Scenario
Make sure client is updated
Make sure AD FS / 3rd party is updated
Check EnableADAL registry key
Make sure your Tenant is enabled
Use the workflow to narrow it down
Slide78
Summary : Session Objectives
Technical deep dive
Broader understanding of the process
Narrowing down the issue faster
Troubleshooting