Question

FerzaRoep-6970 asked, AralelemathMaheshCognizant-1711 commented

Azure SSO not working - Azure support not responding to ticket either

Hello,

On-prem DC. We set up Password Hash Sync and SSO, but my users are not being logged in automatically. When visiting myapps.microsoft.com/domain.com, users are asked for email and password. In the background, we are getting a 403 from https://autologon.microsoftazuread-sso.com/ and Kerberos authentication failed.

The encryption being used at the moment is RC4; we tried AES with key rollover, but the issue persists.

Kerberos tickets are issued. We went through the troubleshooting steps from the official Microsoft docs, but still no good.

There are no login attempts on Azure from the users trying to take advantage of SSO. It's as if the request is never passed on.

We opened a ticket with Azure, but it's been over 24 hours and still no response.


Can anyone raise our ticket so we get a response, or maybe provide troubleshooting steps here?

Tags: azure-active-directory, windows-active-directory, azure-ad-saml-sso

1 Answer

AralelemathMaheshCognizant-1711 answered

Hi

Is login working when you enter UPN and password?

Please refer to the link below to check the seamless SSO prerequisites and configuration:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start


Regards
Mahesh


I see a two-point approach here:
1. Ensure password hash sync is working. If it's working, then you should be able to log in by providing ID and password.
2. Check from a system which is directly connected to the internet with no other device/firewall etc. in between, to ensure password hash auth is working.
3. If it is working and the problem is only from the corporate network, then it could be due to traffic passing through a proxy, firewall, deep packet inspection etc. You need to try to bypass the proxy and allow direct access to all the Azure URLs listed in the above article.


FerzaRoep-6970 replied:

No, it doesn't. I went through that and the troubleshooting steps.

FerzaRoep-6970 replied:
1. Is working.
2. Directly connected to the internet, nothing in between.
3. No corporate network, not passing through a proxy, firewall or inspection...

AralelemathMaheshCognizant-1711 replied:

I don't see matching answers for all 3 points. You may need to explain in detail, with a snapshot if possible.

FerzaRoep-6970 replied:

Hi, sure.

1. Ensure password hash sync is working. If it's working, then you should be able to log in by providing ID and password.
Password hash sync is working. A user changes his password on a domain-joined computer and 5-10 minutes later they can use that password to log in online. The old one stops working.

2. Check from a system which is directly connected to the internet with no other device/firewall etc. in between, to ensure password hash auth is working.
Going back to my answer to number 1: password hash sync is working. It's connected to the internet directly; no other device is in between.

3. If it is working and the problem is only from the corporate network, then it could be due to traffic passing through a proxy, firewall, deep packet inspection etc. You need to try to bypass the proxy and allow direct access to all the Azure URLs listed in the above article.
It's not passing through any of the above: no firewall, proxy, or deep packet inspection...

Please let me know if you need more details. It's very strange to me.
I've rolled over the keys after changing the encryption type, ensured the intranet and correct GPO settings are applied, ensured SSO is enabled via PowerShell, and the computer account is there and not disabled. I don't know what else to check..

AralelemathMaheshCognizant-1711 replied:

Hi,
Referring back to the question and your responses to the various checks, this looks to be a seamless SSO issue.
This might require environment access and online analysis/log capture. The best way is to go through the MS support team.

However, please recheck the seamless SSO configuration and the domain name configured in seamless SSO.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

Ensure that https://autologon.microsoftazuread-sso.com is added to the intranet zone.

If you are using the Chrome browser on Windows 10, then it requires the Windows 10 extension to be added.
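A client-side check for the items raised in this thread: the intranet-zone mapping for the autologon URL, whether the user holds a cached Kerberos ticket for the autologon SPN and with which encryption type (RC4 vs AES), and the state of the seamless SSO computer account. This is an added example, not something posted in the thread; it assumes the default AZUREADSSOACC account name, a domain-joined Windows client with the RSAT ActiveDirectory module, and the registry locations named in the comments.

```powershell
# Added check script (not from the thread). Assumptions: seamless SSO uses the default
# AZUREADSSOACC computer account, the client is domain-joined, and the RSAT
# ActiveDirectory module is available for step 3.
$ssoHost = 'autologon.microsoftazuread-sso.com'
$spn     = "HTTP/$ssoHost"

# 1. Intranet-zone mapping. A manual IE/Edge entry lands under ZoneMap\Domains with an
#    'https' DWORD of 1; the "Site to Zone Assignment List" GPO writes the URL as a value
#    under ZoneMapKey with data '1'. Either is sufficient (assumed registry locations).
$manualKey  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon"
$policyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$inIntranet = (Test-Path $manualKey) -and
              ((Get-ItemProperty $manualKey -ErrorAction SilentlyContinue).https -eq 1)
foreach ($k in $policyKeys) {
    if (-not $inIntranet -and (Test-Path $k)) {
        $inIntranet = ((Get-ItemProperty $k -ErrorAction SilentlyContinue)."https://$ssoHost") -eq '1'
    }
}
"[{0}] Intranet zone mapping for https://$ssoHost" -f $(if ($inIntranet) { 'OK' } else { 'MISSING' })

# 2. Kerberos: is a service ticket for the SSO SPN already cached, and what encryption
#    type does it use? klist prints one block per cached ticket.
$klist = (& klist.exe) -join "`n"
if ($klist -match "(?s)Server:\s+$([regex]::Escape($spn))\s*@.*?KerbTicket Encryption Type:\s+([^\r\n]+)") {
    "[OK] Ticket for $spn cached, encryption type: $($Matches[1])"
} else {
    "[MISSING] No cached ticket for $spn (request one with: klist get $spn)"
}

# 3. The computer object behind the SPN must exist, be enabled, and own the SPN.
#    PasswordLastSet shows when the Kerberos decryption key was last rolled over.
Import-Module ActiveDirectory -ErrorAction Stop
$acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties Enabled, ServicePrincipalNames, PasswordLastSet
"[{0}] AZUREADSSOACC enabled" -f $(if ($acct.Enabled) { 'OK' } else { 'DISABLED' })
"[{0}] SPN $spn registered on AZUREADSSOACC" -f $(if ($acct.ServicePrincipalNames -contains $spn) { 'OK' } else { 'MISSING' })
"Kerberos decryption key last rolled (PasswordLastSet): $($acct.PasswordLastSet)"
```

Run it as the affected user on the client that fails to sign in; a MISSING zone mapping or an absent ticket narrows the 403 to the client side, while a disabled account or missing SPN points at the directory.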