ayaseen asked · piaudonn commented

ADFS Login Issue from Outlook Desktop App in Windows 11

Hello all,

I'm facing an unusual issue with several users who have upgraded to Windows 11.
I have HMA set up via ADFS for Exchange and it has been working fine. The issue with these specific users is that they're using Windows 11 and when they attempt to log in via ADFS, they just get the same page again without any errors. If they enter a wrong password, they get an invalid credentials error accordingly. However, with the right password, there are no errors; the page just simply refreshes.
Both ADFS and Exchange are running on 2016.

Thank you.

Tags: office-exchange-server-administration, adfs, azure-ad-hybrid-identity

Are there any errors on the ADFS server side? Either in the AD FS Admin logs or the Security logs (as long as you have AD FS auditing enabled).

Are the Windows 10 users expected to see an FBA prompt? Is that working when they use Integrated Authentication (so when they have line of sight to a domain controller)?

Also, were there any recent changes on the AD FS server, like expired or new certificates?


In the ADFS Security logs there are no errors; it reports the authentication as successful if the password entered is correct.

The impacted users do not have line of sight to the DCs; they are authenticating from an external network, and an ADFS WAP is implemented.

I've made quite a few changes to ADFS recently, but those were before these users were impacted. These exact users had a working service after the changes, but then, seemingly at random, started to face this issue.

Thank you for your response, piaudonn.


Maybe the problem started sooner, but a cached token prevented us from seeing it?

There is a similar user experience when the Token Decrypting certificate is invalid. Any operation on that?

Also, wouldn't you expect clients to have SSO, and not be prompted in a web form? Or are they connected externally?

A Fiddler trace might help to get to the bottom of this.

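The checks piaudonn asks for in the two comments above (AD FS Admin and Security logs with auditing enabled, the certificates including the Token-Decrypting one, and whether anything changed on the relying party side after the recent ADFS edits) gathered into one snippet to run on the AD FS 2016 server. This is an added example, not code from the thread or from either participant; it uses the standard Adfs module cmdlets and Get-WinEvent. The 24-hour window and the user's UPN are assumed placeholders.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the AD FS server.
$Since    = (Get-Date).AddHours(-24)    # assumed window; widen it if the issue is older
$UserName = 'affected.user@contoso.com'  # assumed placeholder: UPN of one impacted user

# 1. Is AD FS auditing on? The Security-log events below only exist if it is.
$props = Get-AdfsProperties
"AD FS AuditLevel: $($props.AuditLevel)"
if ($props.AuditLevel -eq 'None') {
    Write-Warning 'Auditing is off. Enable with:  Set-AdfsProperties -AuditLevel Verbose'
    Write-Warning 'and:  auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable'
}

# 2. Certificates. piaudonn notes that an invalid Token-Decrypting certificate gives a
#    similar "page just refreshes" experience, so list all three types with expiry.
Get-AdfsCertificate | ForEach-Object {
    [pscustomobject]@{
        Type       = $_.CertificateType
        Primary    = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        Expired    = ($_.Certificate.NotAfter -lt (Get-Date))
    }
} | Format-Table -AutoSize

# 3. Relying party trusts: confirm the Exchange (HMA) trust survived the recent changes
#    and is still enabled.
Get-AdfsRelyingPartyTrust | Select-Object Name, Enabled, Identifier | Format-Table -AutoSize

# 4. AD FS Admin log: errors (Level 2) and warnings (Level 3) in the window.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2, 3; StartTime = $Since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 5. Security log, source "AD FS Auditing":
#    1202 = credential validated, 1203 = credential validation failed, 1200 = token issued.
#    A run of 1202 events for the user with no matching 1200 is the pattern to look for:
#    the password is accepted (matches what ayaseen sees) but no token reaches the RP.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing';
                                 Id = 1200, 1202, 1203; StartTime = $Since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($UserName) } |
    Select-Object TimeCreated, Id, @{ n = 'FirstLine'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

If step 5 shows 1202 but no 1200 for the same sign-in, the next place to look is the token issuance for the Exchange relying party (and the Fiddler trace piaudonn suggests, which shows whether the client ever receives a token or is simply redirected back to the form). Step 5 only returns rows when auditing was already enabled at the time of the failed attempts, so enable it first and reproduce if the output is empty.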

0 Answers