K B asked:
password changes with ADFS or Seamless SSO (Office 365)

This has been my experience with Seamless Single Sign-On, the newly available feature that I am pairing with the equally new Pass-Through Authentication (PTA) in my lab....

the experience:
1. Outlook Pro Plus is initially setup
2. The user is prompted by Outlook to save the credentials and user clicks "yes" (this probably reflects the saving of the creds to credential manager)
3. A user's password changes
4. Outlook continues to operate with no password prompt (from the existing ticket/token I am presuming)...
5. The user reboots and logs in to Windows with new password.
6. Outlook continues to operate until suddenly a password prompt!

Is this your experience with Seamless SSO and PTA?
Is this your experience with ADFS?
Cliff Galiher:

That has not been my experience. However, note a couple of things. The Windows 10 hybrid Azure AD join model interferes with seamless SSO. Don't try to use both on the same machine. It can really confuse the kerb ticket process. If using GPO to enable seamless SSO, use filtering to not enable it on hybrid joined machines.

Also note that Seamless SSO relies on integrated authentication with Kerberos, which generally means you need to have the referring site added to the Intranet zone. Again, most easily done using GPO.

And finally, make sure Outlook and Exchange Online are both configured for Modern Auth. Older tenants in particular I've found have Modern Auth disabled on the tenant side, which makes the challenge-response process break down.
K B (ASKER):

Thanks, Cliff!

Yes, Modern Auth is enabled.
Seamless works perfectly in the browser, as I have the 2 URLs in the Intranet Zone and the one setting changed.
We aren't doing Azure AD join

So you have no password prompts via Outlook? I suppose Credential Manager is updated?
ASKER CERTIFIED SOLUTION
Cliff Galiher:
K B (ASKER):

Hmm, I tried a KLIST purge and that may have fixed it.. but I don't know if this was a one-off or not. I think I need to continue to test.. this was a migrated user from on-prem to cloud.

I changed the password and rebooted.. Outlook had no prompt.. I then deleted everything in Credential Manager and reopened Outlook.. no prompt.
hmm... Interesting
K B (ASKER):

Nope, I changed it again.. and it prompts again.
K B (ASKER):

Ugh, the user had no license.. let me try again with a license :-)
K B (ASKER):

Just not working for Outlook after a password change...

I see with KLIST the Kerberos ticket that contains:
Server: HTTP/aadg.windows.net.nsatc.net @
Even after that ticket is in place, I restart Outlook and it prompts for a password. I empty Credential Manager; it still prompts. I reboot

One of the troubleshooting steps for Seamless SSO reads like this:

List the existing Kerberos tickets on the device by using the klist command from a command prompt. Ensure that the tickets issued for the AZUREADSSOACCT computer account are present. Users' Kerberos tickets are typically valid for 10 hours. You might have different settings in Active Directory.

I think that ticket is what I posted above.. not sure.


Any ideas? How would you chase down the Kerberos issue?
K B (ASKER):

What I have noticed...

1. If the user's password is changed and
       a. there has yet to be a password prompt in Outlook, or
       b. there has been a password prompt in Outlook
2. User reboots
3. If there has already been a password prompt (takes about 5 minutes), it will persist until entered, regardless of another reboot.
4. If there has yet to be a password prompt, and a reboot is initiated, no password is required (the new password is used at Windows login) ----EDIT
5. The Kerberos ticket seen with KLIST is only present after a web-based login like OWA (which is odd, as Modern Auth is enabled and the password prompt in Outlook is supposed to be web-based, right?)
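A check for the klist troubleshooting step quoted earlier (and for point 5 in the list above), written as an added example that is not from the thread or from Microsoft: it parses `klist` output into objects and reports whether a ticket for a Seamless SSO service principal is cached and still valid. The sample klist output is constructed; `HTTP/aadg.windows.net.nsatc.net` is the SPN the asker saw, and `HTTP/autologon.microsoftazuread-sso.com` is the other SPN registered on the AZUREADSSOACCT account.

```powershell
# Added example (not from the thread): parse klist output, look for the Seamless SSO ticket.
function ConvertFrom-KlistOutput {
    param([string[]]$Lines)
    $tickets = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>\s+Client:\s*(.+)$') {
            if ($current) { $tickets += [pscustomobject]$current }
            $current = @{ Client = $Matches[1].Trim() }
        }
        elseif ($current -and $line -match '^\s+(Server|Start Time|End Time):\s*(.+)$') {
            # Property names become Server, StartTime, EndTime
            $current[($Matches[1] -replace ' ', '')] = $Matches[2].Trim()
        }
    }
    if ($current) { $tickets += [pscustomobject]$current }
    return $tickets
}

function Test-SeamlessSsoTicket {
    param(
        [string[]]$KlistOutput,
        # SPNs registered on the AZUREADSSOACCT computer account
        [string[]]$SsoSpns = @('HTTP/aadg.windows.net.nsatc.net',
                               'HTTP/autologon.microsoftazuread-sso.com'),
        [datetime]$Now = (Get-Date)
    )
    $tickets = ConvertFrom-KlistOutput -Lines $KlistOutput
    $sso = @($tickets | Where-Object { $SsoSpns -contains ($_.Server -split '\s+@')[0] })
    if ($sso.Count -eq 0) {
        # Nothing cached for an SSO SPN: no browser/OWA sign-in has obtained one yet
        return [pscustomobject]@{ Status = 'Missing'; Server = $null; EndTime = $null }
    }
    $raw = $sso[0].EndTime -replace '\s*\(local\)\s*$', ''
    $end = [datetime]::Parse($raw, [cultureinfo]::InvariantCulture)
    $status = if ($end -gt $Now) { 'Valid' } else { 'Expired' }
    return [pscustomobject]@{ Status = $status; Server = $sso[0].Server; EndTime = $end }
}

# Constructed sample; a real run is: Test-SeamlessSsoTicket -KlistOutput (klist)
$sample = @'
#0>     Client: kb @ CONTOSO.LOCAL
        Server: krbtgt/CONTOSO.LOCAL @ CONTOSO.LOCAL
        End Time:   1/8/2018 18:00:00 (local)

#1>     Client: kb @ CONTOSO.LOCAL
        Server: HTTP/aadg.windows.net.nsatc.net @ CONTOSO.LOCAL
        End Time:   1/8/2018 18:05:00 (local)
'@ -split "`r?`n"

Test-SeamlessSsoTicket -KlistOutput $sample -Now ([datetime]'2018-01-08T09:00:00')
```

Run it once before and once after a password change and OWA sign-in: `Missing` means the SSO ticket was never issued, `Expired` points at the ticket lifetime, and `Valid` with a prompt still appearing points the investigation at Outlook's own credential path rather than Kerberos.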
K B (ASKER):

EDIT above^