Solved

OneDrive desktop authentication issue against on-premise AD FS 3.0 with Azure AD MFA

Posted on 2016-07-20
Last Modified: 2016-07-29
After setting up MFA (Multi-Factor Authentication) on Office 365 in conjunction with Azure AD MFA I cannot get my users to authenticate. Skype for Business and Outlook can authenticate just fine using app passwords, but for some reason I’m not aware of, OneDrive doesn’t like the app password. I can see that my AD FS (Active Directory Federation Services) URL is being pulled into the forms-based authentication pop-up. It doesn’t matter what form I try, such as domain\username or username@domain.com or alias@domain.com, with O365 app password or AD password. I do NOT have an on-premise Exchange server. Everything is on Server 2012 R2 and all my client machines are Windows 10.

Any ideas on how to resolve?
Question by:Nathan Vanderwyst
9 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41721965
OneDrive or OneDrive 4 Business? They are 2 entirely different animals. OneDrive uses your Microsoft account; OD4B uses your SharePoint account.
 

Author Comment

by:Nathan Vanderwyst
ID: 41722009
I am talking about OD4B, not the personal edition. Please help.
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41722015
Can the user(s) access SharePoint successfully?
 

Author Comment

by:Nathan Vanderwyst
ID: 41722017
yes
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41722050
Grab the next-gen client. No, it isn't built in to any release of Windows, not even 10. It supports MFA natively (no need for app passwords) and troubleshooting is far more graceful.
 

Author Comment

by:Nathan Vanderwyst
ID: 41722102
What next-gen client? OneDrive? Where would I download this next-gen client?
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41722115
https://support.office.com/en-us/article/Deploying-the-OneDrive-for-Business-Next-Generation-Sync-Client-in-an-enterprise-environment-3f3a511c-30c6-404a-98bf-76f95c519668

Note that while the article says if you are on Windows 10, you already have the new client, I have not found this to be the case. It may possibly be that the article was prematurely updated for the anniversary update, but the NGSC wasn't released when 1511 shipped and I haven't seen it in any CU.

I do believe it has been included in the latest C2R Office 2016 updates, but you mentioned app passwords, which are also not required in 2016, so I can only assume you aren't on those builds...
 

Accepted Solution

by:
Nathan Vanderwyst earned 0 total points
ID: 41726589
I turned off MFA, removed all app passwords, reset all passwords, enabled forms authentication in AD FS and now all is well. Thank you for your responses.
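The last step of the accepted solution, enabling forms authentication in AD FS, can be inspected and applied from PowerShell on AD FS 3.0 (Server 2012 R2). This is an added example, not part of the original thread; it assumes the intranet zone is the one that lacked forms authentication, which the post does not state.

```powershell
# Added example: run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy

# Collect the primary authentication methods configured for each zone.
$zones = @{
    Intranet = @($policy.PrimaryIntranetAuthenticationProvider)
    Extranet = @($policy.PrimaryExtranetAuthenticationProvider)
}

# Report whether forms authentication is offered in each zone.
foreach ($zone in $zones.Keys) {
    $formsEnabled = $zones[$zone] -contains 'FormsAuthentication'
    '{0}: {1} (forms enabled: {2})' -f $zone, ($zones[$zone] -join ', '), $formsEnabled
}

# Assumption: the intranet zone is missing forms authentication.
# Append it to the existing providers rather than replacing them,
# so Windows Integrated Authentication keeps working for browsers.
if ($zones.Intranet -notcontains 'FormsAuthentication') {
    $providers = $zones.Intranet + 'FormsAuthentication'
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $providers

    # Read the policy back to confirm the change was stored.
    (Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
}
```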
 

Author Closing Comment

by:Nathan Vanderwyst
ID: 41734464
The responses I received were not helpful and did not provide any means to resolve.