password changes with ADFS or Seamless SSO (Office 365)

This has been my experience with Seamless Single Sign-On the newly available feature that I am pairing with the equally new Pass Through Authentication (PTA) in my lab....

the experience:
1. Outlook Pro Plus is initially setup
2. The user is prompted by Outlook to save the credentials and user clicks "yes" (this probably reflects the saving of the creds to credential manager)
3. A user's password changes
4. Outlook continues to operate with no password prompt (from the existing ticket/token I am presuming)...
5. The user reboots and logs in to Windows with new password.
6. Outlook continues to operate until suddenly a password prompt!

Is this your experience with Seamless SSO and PTA?
Is this your experience with ADFS?
K BAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
That has not been my experience. However note a couple of things.  Windows 10 hybrid Azure AD join model interferes with seamless SSO. Don't try to use both on the same machine. It can really confuse the kerb ticket process. If using GPO to enable seamless SSO, use filtering to not enable it on hybrid joined machines.

Also note that Seamless SSO relies on integrated authentication with kerberos. Which generally means you need to have the referring site added to the intranet zone. Again most easily done using GPO.

And finally, make sure Outlook and ezchange online are both configured for modern Auth.  Older tenants in particular I've found have modern Auth disabled on the tenant side. Which makes the challenge response process break down.
K BAuthor Commented:
Thanks, Cliff!

Yes Modern Auth is enabled
Seamless works perfect in the browser as I have the 2 URLs in Intranet Zone and the one setting changed.
We aren't doing Azure AD join

So you have no password prompts via Outlook?  I suppose credential manager is updated?
Cliff GaliherCommented:
Credential manager is itself a fallback condition. When seamless SSO is working right, it never comes into play.

Id want to follow the kerb Eros ticket path to troubleshoot further.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

K BAuthor Commented:
hmm I tried a KLIST Purge and that may have fixed it.. but I don't know if this was a one-off or not.  I think I need to continue to test.. this was a migrated user from on prem to cloud.

I changed password and rebooted.. outlook had no prompt.. I then deleted all in credential manager and reopened outlook.. no prompt.
hmm... Interesting
K BAuthor Commented:
Nope I changed it again.. and prompts again.
K BAuthor Commented:
ugh user had no license.. let me try again with a license :-)
K BAuthor Commented:
Just not working for Outlook after a password change...

I see with KLIST the Kerberos ticket that contains:
Server: HTTP/ @
Even after that ticket is in place I restart Outlook and it prompts for a password. I empty credential manager, still prompts.  I reboot

One of the troubleshooting steps for Seamless SSO reads like this:

List the existing Kerberos tickets on the device by using the klist command from a command prompt. Ensure that the tickets issued for the AZUREADSSOACCT computer account are present. Users' Kerberos tickets are typically valid for 10 hours. You might have different settings in Active Directory.

I think that ticket is what I posted above.. not sure.

Any ideas?  How would you chase down the Kerberos issue?
K BAuthor Commented:
What I have noticed...

1. If user's password is changed and
       a. there has yet to be a password prompt in Outlook
       b. there has been a password prompt in Outlook
2. User reboots
3. if there has already been a password prompt (takes about 5 minutes), it will persist until entered - regardless of another reboot.
4. if there has yet to be a password prompt, and a reboot is initiated- no password is required (new password is used at windows login) ----EDIT
5. the Kerberos ticket seen with KLIST is only present after a web-based login like OWA (which is odd, as modern auth is enabled and the password prompt in Outlook is supposed to be web-based, right?)
K BAuthor Commented:
EDIT above^
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Office 365

From novice to tech pro — start learning today.