AK2766 asked AK2766 commented

Web Sign In when domain is SAML Federated has stopped working!

We've been using Web Sign In for our Azure AD Joined laptops for a while now and it was working blissfully. Users did not need to enter passwords for all services related to Office365. The world was good. However, since Friday, all we are now getting is the error message (see attached screenshot):

You'll need the Internet for this.

It doesn't look like you're connected to the Internet. Check your connection and try again.

The odd thing about this is that the laptop is definitely connected to the Internet, as the SAML bits are working - i.e. I'm redirected to our IdP where I complete the SAML authentication, but at the point where I'd ordinarily see the desktop, I instead get the error message described above. Someone on Reddit posted something similar just 10 days ago, where they are using Google as their IdP. However, they stated they were able to resolve the issue - I was unable to get my environment working using their fix/workaround.

In addition, when I look at sign-in logs in Azure Portal, I see the following for my failed login:

Authentication requirement:   Single-factor authentication
Status:                       Failure
Continuous access evaluation: No
Sign-in error code:           130506
Failure reason:               Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass.
I've seen mention elsewhere on the Internet about configuring Temporary Access Pass (TAP). I was able to get that configured and was then able to log in to the desktop. However, our SAML federation allows us to use our Passwordless solution, which is now broken. Using a TAP is counterintuitive as that can be considered a password, no?

What do we need to do to get this working again?

selection-00510.png (19.4 KiB)

azure-ad-single-sign-on
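As an added illustration (not part of the question or of any answer in this thread), the snippet below shows how an admin could triage exported sign-in log records for the failure the question quotes: error code 130506 with the "Access Pass must be used for Web Sign In" reason. The records are constructed sample data, and their field names (`user`, `status`, `errorCode`, `failureReason`, `timestamp`) are an assumption modelled on the columns shown above, not an official export schema; the second error code is a labelled placeholder.

```python
from collections import Counter

# Error code taken from the sign-in log entry quoted in the question.
WEB_SIGNIN_ACCESS_PASS_REQUIRED = 130506
ACCESS_PASS_REASON = ("Access Pass must be used for Web Sign In. "
                      "Contact your admin to get an Access Pass.")

# Constructed sample records (not real tenant data). Field names are an
# assumption modelled on the log columns shown in the question.
SAMPLE_SIGNINS = [
    {"timestamp": "2022-03-04T08:12:00Z", "user": "alice@example.test",
     "status": "Failure", "errorCode": 130506, "failureReason": ACCESS_PASS_REASON},
    {"timestamp": "2022-03-04T08:40:00Z", "user": "bob@example.test",
     "status": "Failure", "errorCode": 130506, "failureReason": ACCESS_PASS_REASON},
    {"timestamp": "2022-03-03T17:05:00Z", "user": "alice@example.test",
     "status": "Success", "errorCode": 0, "failureReason": ""},
    # 999999 is a placeholder code standing in for some unrelated failure.
    {"timestamp": "2022-03-04T09:01:00Z", "user": "carol@example.test",
     "status": "Failure", "errorCode": 999999, "failureReason": "placeholder"},
]


def failed(records):
    """Yield only the records whose status is Failure."""
    return (r for r in records if r["status"] == "Failure")


def failures_by_code(records):
    """Count failed sign-ins per error code, so a sudden spike in one code stands out."""
    return Counter(r["errorCode"] for r in failed(records))


def users_blocked_by_access_pass(records):
    """Distinct users whose sign-in failed with the Web Sign In access-pass error."""
    return sorted({r["user"] for r in failed(records)
                   if r["errorCode"] == WEB_SIGNIN_ACCESS_PASS_REQUIRED})


def first_seen(records, code):
    """Earliest timestamp at which a given failure code appears (ISO strings sort lexically).

    Returns None when the code never occurs, e.g. before the behaviour change.
    """
    stamps = [r["timestamp"] for r in failed(records) if r["errorCode"] == code]
    return min(stamps) if stamps else None


def triage_report(records):
    """Short text summary a helpdesk could paste into a support case."""
    users = users_blocked_by_access_pass(records)
    lines = [f"Failures per error code: {dict(failures_by_code(records))}"]
    if users:
        lines.append(f"Error {WEB_SIGNIN_ACCESS_PASS_REQUIRED} first seen: "
                     f"{first_seen(records, WEB_SIGNIN_ACCESS_PASS_REQUIRED)}")
        lines.append(f"Users blocked pending an Access Pass: {', '.join(users)}")
    else:
        lines.append("No Web Sign In access-pass failures in this export.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_SIGNINS))
```

Running the file prints the per-code counts, when the 130506 failures started, and which users are affected; on a real export the same functions tell you whether the error is tenant-wide (every Web Sign In user) or limited to a few devices, which is the first thing support will ask.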

I am having the exact same issue. We are using web sign-in as a backup option for our users to unlock their laptops if other methods are unavailable. It is also used the first time a user logs in after Autopilot completes the device configuration. Any guidance would be much appreciated.

Christian-2339 answered

Hello, same problem here... any solution?

vipulsparsh-MSFT answered AK2766 commented

@AK2766 @Christian-2339 @CoreyRoberts20

If the setup was working previously, I am assuming that there were no configuration issues that led to this problem.
The only thing to check at this point is to make sure that the TAP is still valid.

If you can confirm that the TAP is valid and the users still see the error, it is important to check if they are able to use the TAP for the Office 365 service. If yes, then I can take this offline and investigate further.

Please reach out to me at azcommunity@microsoft.com with subject "Atten-Vipul" and I will sync up with you further.

Here is the setup required for this, just in case anyone wants to go through it: https://www.petervanderwoude.nl/post/enabling-web-sign-in-to-windows-for-usage-with-temporary-access-pass/

Hope it helps.


Hi @vipulsparsh-MSFT

The problem is not that TAP isn't working, the problem is that previously we did not require it and now that it appears to be forced on anyone using Web Sign In, the question is rather "What can be done to not have to use TAP for a SAML Federated domain?" We've been using Web Sign In within our SAML Federated domain without the need to use TAP.

This new requirement to have TAP is what has broken it for us. Adding TAP is akin to going back to passwords. I mean, what's the point of TAP in a SAML Federated domain where the 3rd party IdP has already verified who you are? If you have the time, I can demo so you get a better picture of what is causing us grief!


Before I forget, thanks for helping @vipulsparsh-MSFT

After going to Peter's site, I notice the method he used to configure Web Sign In is completely different to how I configured mine about a year ago. I had to go about entering 3 OMA-URIs. So then I went back to check how I configured mine. When I initially configured Web Sign In, I followed these instructions:
https://www.linkedin.com/pulse/how-enable-web-sign-windows-10-shashank-gupta

Interestingly, if one were to try and follow those instructions today (week of 2022-02-28 to 2022-03-06), you will not be able to. Just 2 weeks ago I could still follow those instructions but would end up in the weird No Internet situation. So, could this be the source of my issues?

Cheers,
ak.


Let me clarify one point from my last comment.

"Interestingly, if one were to try and follow those instructions today (week of 2022-02-28 to 2022-03-06), you will not be able to."

Well, you CAN create such a profile, but you cannot go back and change anything in it as clicking the Properties of that profile now results in a blank page.
