password changes with ADFS or Seamless SSO (Office 365)

This has been my experience with Seamless Single Sign-On the newly available feature that I am pairing with the equally new Pass Through Authentication (PTA) in my lab....

the experience:
1. Outlook Pro Plus is initially setup
2. The user is prompted by Outlook to save the credentials and user clicks "yes" (this probably reflects the saving of the creds to credential manager)
3. A user's password changes
4. Outlook continues to operate with no password prompt (from the existing ticket/token I am presuming)...
5. The user reboots and logs in to Windows with new password.
6. Outlook continues to operate until suddenly a password prompt!

Is this your experience with Seamless SSO and PTA?
Is this your experience with ADFS?
K BAsked:
Who is Participating?
Cliff GaliherCommented:
Credential manager is itself a fallback condition. When seamless SSO is working right, it never comes into play.

Id want to follow the kerb Eros ticket path to troubleshoot further.
Cliff GaliherCommented:
That has not been my experience. However note a couple of things.  Windows 10 hybrid Azure AD join model interferes with seamless SSO. Don't try to use both on the same machine. It can really confuse the kerb ticket process. If using GPO to enable seamless SSO, use filtering to not enable it on hybrid joined machines.

Also note that Seamless SSO relies on integrated authentication with kerberos. Which generally means you need to have the referring site added to the intranet zone. Again most easily done using GPO.

And finally, make sure Outlook and ezchange online are both configured for modern Auth.  Older tenants in particular I've found have modern Auth disabled on the tenant side. Which makes the challenge response process break down.
K BAuthor Commented:
Thanks, Cliff!

Yes Modern Auth is enabled
Seamless works perfect in the browser as I have the 2 URLs in Intranet Zone and the one setting changed.
We aren't doing Azure AD join

So you have no password prompts via Outlook?  I suppose credential manager is updated?
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

K BAuthor Commented:
hmm I tried a KLIST Purge and that may have fixed it.. but I don't know if this was a one-off or not.  I think I need to continue to test.. this was a migrated user from on prem to cloud.

I changed password and rebooted.. outlook had no prompt.. I then deleted all in credential manager and reopened outlook.. no prompt.
hmm... Interesting
K BAuthor Commented:
Nope I changed it again.. and prompts again.
K BAuthor Commented:
ugh user had no license.. let me try again with a license :-)
K BAuthor Commented:
Just not working for Outlook after a password change...

I see with KLIST the Kerberos ticket that contains:
Server: HTTP/ @
Even after that ticket is in place I restart Outlook and it prompts for a password. I empty credential manager, still prompts.  I reboot

One of the troubleshooting steps for Seamless SSO reads like this:

List the existing Kerberos tickets on the device by using the klist command from a command prompt. Ensure that the tickets issued for the AZUREADSSOACCT computer account are present. Users' Kerberos tickets are typically valid for 10 hours. You might have different settings in Active Directory.

I think that ticket is what I posted above.. not sure.

Any ideas?  How would you chase down the Kerberos issue?
K BAuthor Commented:
What I have noticed...

1. If user's password is changed and
       a. there has yet to be a password prompt in Outlook
       b. there has been a password prompt in Outlook
2. User reboots
3. if there has already been a password prompt (takes about 5 minutes), it will persist until entered - regardless of another reboot.
4. if there has yet to be a password prompt, and a reboot is initiated- no password is required (new password is used at windows login) ----EDIT
5. the Kerberos ticket seen with KLIST is only present after a web-based login like OWA (which is odd, as modern auth is enabled and the password prompt in Outlook is supposed to be web-based, right?)
K BAuthor Commented:
EDIT above^
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.