Forum Discussion
Outlook login issues with WVD - FSLogix
Having an issue where user of WVD Windows 10 Multi-session have issues moving between hosts. Essentially first login on a host is fine, when the user moves to a new host outlook eventually says "need password" however the modern authentication prompts are never presented to the user.
Anyone have any insight? Perhaps Something with AzureFiles / FSlogix?
Thanks in advance.
DAsnow this scenario isn't ringing a bell in terms of a common scenario, probably best to contact support on this.
- mmarti1223Copper Contributor
- HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity, create a DWORD value named EnableADAL and set it to zero.
- Under the same registry key, create a DWORD value named DisableADALatopWAMOverride and set it to 1
- brbundy85Copper ContributorDon't do this. Unjoin the AzureAD Workplace with WPJCleanUp. And use a GPO to block the option "Let your organization manage this device"
- WillSomervilleBrass Contributor
Hello DAsnow
I have now got a resolution to this issue and it may work for you it may not however mine was down to some missing configuration in regards to Azure and AD connect.
The issue that we see is that when a users password expires or they need to authenticate to outlook they would put their email address in or they would click on enter password and the popup would appear and then immediately disappear.
1. ensure devices are appearing as azure hybrid devices in azure active directory (365 side) the devices need to appear as hybrid devices if you are using standard ADDS join and not Azure ADDS. This is due to the fact that users upon sign in need to update device registration when they go to sign into 365 services.
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains
2. ensure that SSO is configured correctly. in my case i had forgotten to push out a zone policy making the SSO urls part of the intranet zone.
once the above are configured my issues simply went away as much as i tried to break it i couldn't do so. The pre req's on the what is windows virtual desktop is not clear which is why i didn't set the devices up as hybrid devices.
hope some of this helps!
- DAsnowCopper Contributor
This is helpful, thank you. One question for WillSomerville are you using onPren AD connect or Cloud AD to Azure AD?
- WillSomervilleBrass Contributor
Hi DAsnow
we have currently setup 2 DC's in the Azure Datacenters we operate out off. one of which has AD connect. we also have however on premise DCs with one of those with AD connect. One of the Azure DC's is the PDC now which has AD connect running on it.
It shouldn't matter however where you have AD connect running from as long as it has line of sight of the domain controllers to be able to read and sync the relevant changes to and from ADDS to Azure ADDS.
cheers
Will
- azanoncelloCopper Contributor
So it seems to have nothing to do with the windows update.
I fixed my issue by rolling back FSLogix to 2210 to 2201. There is a known issue for those devices that can't be Azure AD joined or Hybrid joined. So if you are using AADDS then don't update past version 2201 of FSLogix.
https://learn.microsoft.com/en-us/fslogix/troubleshooting-known-issues#azure-ad-authentication-for-applications- Travis_78Iron Contributor
Thank you for the heads up on the new fslogix issue. I cant tell if this known issue is a bug or just how Microsoft intends to treat AADDS joined machines in the future.
- KevinDeSchrijverCopper Contributor
The problem is wider then that. My machines ARE Hybrid joined. Even if they're Hybrid joined, you will be prompted every single logon for O365 credentials for SECONDARY (mail) O365 accounts. Granted, that's not a very common use-case but still.
My fix doesn't work for 2210 either. It looks like you can redirect those folders out of FSLogix as much as you want to, FSLogix will still "ignore" them. Obviously they changed something in the behaviour there. Still awaiting MS response on the open Case.- HilcoFCopper Contributor
Does the change of basic authentication to modern authentication anything to do with it? Microsoft is forcing modern authentication for tenants now.
- Doug_CoombsMicrosoft
DAsnow this scenario isn't ringing a bell in terms of a common scenario, probably best to contact support on this.
- Bo_MadsenCopper Contributor
- knowliteIron Contributor
Can anyone at MS clear up things?
It can't be that we need to disable modern authentication because if fails to connect for multiple users.
I deployed a new WVD pool this weeknd and already experienced disconnected users in Outlook after x amount of time. Setting EnableADAL to 0 forces the applications back to basic authentication.
Experienced these issues before on local clients so it is not WVD related at all.
When forcing everyone to use MFA we simply cannot disable Modern Auth!
Removing the user profile completely resolves the issue but is very cumbersome for the end-user.
Is there a problem with permissions in the credential manager? Because it contains a lot of entries for ADAL, almost seems like it cannot update the 1 existing entry and goes haywire after x amount of time.
Thanks in advance!
- WillSomervilleBrass Contributor
we also get this issue by disabling modern auth it stops users outlooks from disconnecting every hour or so however when there password expires thats when it really becomes an issue. Due to our users making use of SharePoint and Onedrive we are unable to make use of the basic auth functions due to modern authentication being required to access these services. I can get it to open a new window if i put in something similar like a .onmicrosoft.com and then change the address after however this doesnt always work.
I've given MS a nudge with a support ticket that i have open with them regarding a few outstanding bits.
- FinTechSeanBrass Contributor
Hey - we had this same issue. I found that it was releated to the fact that the 'manage my computer' process was skipped when someone hopped from one host to another after a logoff/logon process.
Here's what I did to fix.
In Outlook, File -> Office Account
Click Sign Out under user information. Now, you'll notice that clicking 'sign in' will not work with the current user information, it will just keep failing. Log in with another account (an administrator account or whatver you'd like). It will go through the process of signing in, but will eventually popup an error message as you cannot have two different accounts signed in. Close that error window...but, low and behold, it will ask you to sign into office again. At this point, put the normal user's email and password in again and it will prompt to manage this device/etc. Click through all of those screens and let it do it's thing and you should be good.
- cvanaxelBrass Contributor
But is this solved.
I almost have the same issue. All machines or hybride joined but we use ADFS on-premise for authentication with MFA.
User logons the first time and gets the popup and save password. After logout and session is logout and not disconnected (user log back in and gets a corrupted ost or gets the popup again to logon)
Is there a doc to solve the problem because we want to go live. This can be a show stopper to WVD with does corrupted ost and Outlook popup for logon continuously.
- DeanbostedorBrass Contributorcvanaxel
PieterWigleven
FinTechSean
DAsnow
benjamink9
Just got confirmation directly from our Microsoft Partner Technology Strategist and Sr. Cloud Solution Architect with collaboration with the FS Logix, WVD, and Office team. This IS an issue. It's being call a "defect" in Office where it's registering session hosts to Azure AD. When users get moved to other hosts, the token breaks because it contains the deviceID of the first registered session host in the FS Logix profile.
The workaround/fix is to:
A: Implement Hybrid Azure AD join/Seamless SSO and BLOCK device registration through registry settings for Hybrid AD environments (I have registry settings above).
B: For Azure ADDS environments, block device registration in registry (no option for Hybrid Azure AD Join/Seamless SSO at the moment. A login script may be required if the Azure AD Broker plugin stops working (see my posts much earlier in the thread).
Engineering is working on a fix on the Office/OneDrive side of things. In the meantime, you must implement the fix and recreate all FSLogix profiles.- Christian_PedersenBrass ContributorIs it really required to recreate the FSLogix Profiles??
They are QUITE big and its huge penalty when it syncs OL Profiles etc.. And people lose their settings - cant i some how via a Script fix / remove the defect and just relogin to the user?
I have implemented the BlockAADWorkplaceJoin in registry ..
- PieterWiglevenMicrosoft
cvanaxel it's difficult to determine whether this is the same issue based on the limited information. Do you have a customer support case opened?
I'm working on documentation to describe the issue listed in my previous replies and test the workaround before changing the win10 multi-session image that can be found in the Azure gallery.
- cvanaxelBrass ContributorI will open one wright now. Because im really tired off troubleshooting. I cant figure out where to look. Is it an FSLogix problem for corrupted OST files and the login isseu more an authentication problem. There is almost non documentation to work with.
- clwendtBrass Contributor
This is still a big problem for us as well. Can someone at Microsoft weigh in here?
- PieterWiglevenMicrosoft
clwendt we have identified that having the auto-workplace join feature in combination with a profile solution can lead to unpredictable results, e.g. the office login plugin not functioning.
We are taking a couple of actions:
1) Working with the feature team to disable auto-workplace join on the win10 multi-session SKU.
2) While #1 isn't done: adding a registry key in the image to disable auto-workplace join
Both will only apply to new deployments.
For existing deployments you can find a workaround in this thread. In summary:
There are two ways of preventing this:
- Christian_PedersenBrass ContributorYou should REALLY updated the Documentation to state NOT to use AZ AD DS for other than PoC's
Im like 1 month into a project and testing have gone really well (But after Token expirery etc.) all the issues keeps coming..
There is a ton of issues on WVD / MultiSession OS with all Microsoft applications - works like a charm with almost all other software except the products that MS provide etc..
When something is changed it just breaks something else.. 😞
- Lewis-HIron ContributorUser logs on, profiledisc created, user logs on, gpo's work fine and all behaves 'correctly'.
we configure outlook (autodiscover via O365) and outlook starts.
user logs off and at next logon if they are redirected to another host all hell breaks loose.
outlook says; "password required". If we click the prompt the 'signon' bliks and dissapears.
E.g. Outlook does not work any more.
If we then remove profile (%appdata%\local\microsoft\outlook inkl. roaming) and create new profile and try to configure outlook it gives an error 'are you this user' blablabla...
Tried setting different regsettings but nothing helps also tried updating to newest Windows 1909 but to no avail.
if we however DELETE the entire VHD profile then we can configure outlook for that user again but only that way.- Johannes NoebauerCopper Contributor
Lewis-H Hello Lewis,
what office version do you use. Is it O365 ProPlus or Business?
Are the FsLogix Profiles on Standard or Premium Disks? - florian adelbergerCopper Contributor
what office 365 version did you use? office 365 Pro Plus?
- Mark LunnBrass Contributor
We are using the Windows 10 Multi host + Office 365 image from the Azure Gallery