Forum Discussion

DAsnow's avatar
DAsnow
Copper Contributor
Nov 21, 2019
Solved

Outlook login issues with WVD - FSLogix

Having an issue where users of WVD Windows 10 multi-session have issues moving between hosts. Essentially the first login on a host is fine; when the user moves to a new host, Outlook eventually says "need password", however the modern authentication prompts are never presented to the user.

Anyone have any insight? Perhaps something with Azure Files / FSLogix?

Thanks in advance.

  • DAsnow this scenario isn't ringing a bell in terms of a common scenario, probably best to contact support on this.

222 Replies

  • clwendt's avatar
    clwendt
    Brass Contributor

    This is still a big problem for us as well.  Can someone at Microsoft weigh in here? 

    • PieterWigleven's avatar
      PieterWigleven
      Former Employee

      clwendt we have identified that having the auto-workplace join feature in combination with a profile solution can lead to unpredictable results, e.g. the office login plugin not functioning. 

      We are taking a couple of actions:

      1) Working with the feature team to disable auto-workplace join on the win10 multi-session SKU. 

      2) While #1 isn't done: adding a registry key in the image to disable auto-workplace join

      Both will only apply to new deployments. 

      For existing deployments you can find a workaround in this thread. In summary: 

      There are two ways of preventing this: 

      1. For AD joined VMs, follow this guidance on how to prevent the VMs from being registered
      2. Configure hybrid Azure Active Directory join for managed domains <- preferred 
      • Christian_Pedersen's avatar
        Christian_Pedersen
        Brass Contributor
        You should REALLY update the documentation to state NOT to use AZ AD DS for anything other than PoCs.

        I'm like 1 month into a project and testing has gone really well (but after token expiry etc.) all the issues keep coming..

        There are a ton of issues on WVD / multi-session OS with all Microsoft applications - works like a charm with almost all other software except the products that MS provide etc..

        When something is changed it just breaks something else.. 😞
  • cvanaxel's avatar
    cvanaxel
    Brass Contributor

    But is this solved?

    I almost have the same issue. All machines are hybrid joined but we use ADFS on-premise for authentication with MFA.

    The user logs on the first time, gets the popup and saves the password. After logout (the session is logged out and not disconnected), the user logs back in and gets a corrupted OST or gets the popup again to log on.

    Is there a doc to solve the problem, because we want to go live? This can be a show stopper for WVD with those corrupted OSTs and the Outlook popup for logon continuously.

    • Deanbostedor's avatar
      Deanbostedor
      Brass Contributor
      cvanaxel 

      PieterWigleven 

      FinTechSean 

      DAsnow 

      benjamink9 

      Just got confirmation directly from our Microsoft Partner Technology Strategist and Sr. Cloud Solution Architect with collaboration with the FSLogix, WVD, and Office team.  This IS an issue.  It's being called a "defect" in Office where it's registering session hosts to Azure AD.  When users get moved to other hosts, the token breaks because it contains the deviceID of the first registered session host in the FSLogix profile.

      The workaround/fix is to:
      A:  Implement Hybrid Azure AD join/Seamless SSO and BLOCK device registration through registry settings for Hybrid AD environments (I have registry settings above).
      B:  For Azure ADDS environments, block device registration in registry (no option for Hybrid Azure AD Join/Seamless SSO at the moment).  A login script may be required if the Azure AD Broker plugin stops working (see my posts much earlier in the thread).

      Engineering is working on a fix on the Office/OneDrive side of things.  In the meantime, you must implement the fix and recreate all FSLogix profiles.  
      • Christian_Pedersen's avatar
        Christian_Pedersen
        Brass Contributor
        Is it really required to recreate the FSLogix profiles??

        They are QUITE big and it's a huge penalty when it syncs OL profiles etc.. And people lose their settings - can't I somehow fix / remove the defect via a script and just re-login the user?

        I have implemented the BlockAADWorkplaceJoin in registry ..
    • PieterWigleven's avatar
      PieterWigleven
      Former Employee

      cvanaxel it's difficult to determine whether this is the same issue based on the limited information. Do you have a customer support case opened? 

      I'm working on documentation to describe the issue listed in my previous replies and test the workaround before changing the win10 multi-session image that can be found in the Azure gallery. 

      • cvanaxel's avatar
        cvanaxel
        Brass Contributor
        I will open one right now, because I'm really tired of troubleshooting. I can't figure out where to look. Is it an FSLogix problem for corrupted OST files, and the login issue more an authentication problem? There is almost no documentation to work with.
  • FinTechSean's avatar
    FinTechSean
    Brass Contributor

    DAsnow

    Hey - we had this same issue. I found that it was related to the fact that the 'manage my computer' process was skipped when someone hopped from one host to another after a logoff/logon process.

    Here's what I did to fix it.

    In Outlook, File -> Office Account

    Click Sign Out under user information. Now, you'll notice that clicking 'sign in' will not work with the current user information, it will just keep failing. Log in with another account (an administrator account or whatever you'd like). It will go through the process of signing in, but will eventually pop up an error message as you cannot have two different accounts signed in. Close that error window...but, lo and behold, it will ask you to sign into Office again. At this point, put the normal user's email and password in again and it will prompt to manage this device/etc. Click through all of those screens and let it do its thing and you should be good.

  • Hello DAsnow

    I have now got a resolution to this issue and it may work for you, it may not; however mine was down to some missing configuration in regards to Azure and AD Connect.

    The issue that we see is that when a user's password expires or they need to authenticate to Outlook, they would put their email address in or they would click on enter password and the popup would appear and then immediately disappear.

    1. Ensure devices are appearing as Azure hybrid devices in Azure Active Directory (365 side). The devices need to appear as hybrid devices if you are using standard ADDS join and not Azure ADDS. This is due to the fact that users, upon sign in, need to update device registration when they go to sign into 365 services.

    https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

    2. Ensure that SSO is configured correctly. In my case I had forgotten to push out a zone policy making the SSO URLs part of the intranet zone.

    https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#browser-considerations

    Once the above are configured my issues simply went away; as much as I tried to break it I couldn't do so. The prereqs on the "What is Windows Virtual Desktop" page are not clear, which is why I didn't set the devices up as hybrid devices.

    Hope some of this helps!


    • DAsnow's avatar
      DAsnow
      Copper Contributor

      This is helpful, thank you. One question for WillSomerville: are you using on-prem AD Connect or cloud AD to Azure AD?

      • WillSomerville's avatar
        WillSomerville
        Brass Contributor

        Hi DAsnow

        We have currently set up 2 DCs in the Azure datacenters we operate out of, one of which has AD Connect. We also have, however, on-premise DCs, one of those with AD Connect. One of the Azure DCs is the PDC now, which has AD Connect running on it.

        It shouldn't matter however where you have AD Connect running from, as long as it has line of sight of the domain controllers to be able to read and sync the relevant changes to and from ADDS to Azure ADDS.

        Cheers

        Will

  • ritchnet's avatar
    ritchnet
    Copper Contributor
    Did you get this fixed DAsnow? I have the same issue and I can't disable ADAL otherwise it causes a business critical application to not work.
    • DAsnow's avatar
      DAsnow
      Copper Contributor

      ritchnet unfortunately this issue is not resolved. I have tried many things mentioned here and on other sites and have no concrete resolution or reason why it occurs.

      • WillSomerville's avatar
        WillSomerville
        Brass Contributor

        DAsnow

        We also get this issue. By disabling modern auth it stops users' Outlooks from disconnecting every hour or so; however when their password expires, that's when it really becomes an issue. Due to our users making use of SharePoint and OneDrive we are unable to make use of the basic auth functions, due to modern authentication being required to access these services. I can get it to open a new window if I put in something similar like a .onmicrosoft.com and then change the address after; however this doesn't always work.

        I've given MS a nudge with a support ticket that I have open with them regarding a few outstanding bits.

    • knowlite's avatar
      knowlite
      Iron Contributor

      Can anyone at MS clear up things?

      It can't be that we need to disable modern authentication because it fails to connect for multiple users.

      I deployed a new WVD pool this weekend and already experienced disconnected users in Outlook after x amount of time. Setting EnableADAL to 0 forces the applications back to basic authentication.

      Experienced these issues before on local clients, so it is not WVD related at all.

      When forcing everyone to use MFA we simply cannot disable Modern Auth!

      Removing the user profile completely resolves the issue but is very cumbersome for the end-user.

      Is there a problem with permissions in the credential manager? Because it contains a lot of entries for ADAL; it almost seems like it cannot update the 1 existing entry and goes haywire after x amount of time.

      Thanks in advance!

      • DAsnow's avatar
        DAsnow
        Copper Contributor

        knowlite, any news on this issue? Still having the same problem, no resolution yet.

  • mmarti1223's avatar
    mmarti1223
    Copper Contributor

    DAsnow 

    • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity, create a DWORD value named EnableADAL and set it to zero.
    • Under the same registry key, create a DWORD value named DisableADALatopWAMOverride and set it to 1
    • brbundy85's avatar
      brbundy85
      Copper Contributor
      Don't do this. Unjoin the AzureAD Workplace with WPJCleanUp. And use a GPO to block the option "Let your organization manage this device"
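Because the thread's posts pull in opposite directions (mmarti1223's EnableADAL/DisableADALatopWAMOverride keys versus Deanbostedor's and brbundy85's advice to block workplace registration instead), it helps to see exactly which of these settings a given session host and user profile currently carry before changing anything. The following read-only PowerShell script is an added example, not code from any poster; it reads the two Office identity values from the thread, the BlockAADWorkplaceJoin policy value (at the HKLM policy path used in Microsoft's hybrid join guidance linked earlier in the thread), and the join state reported by the built-in dsregcmd tool.

```powershell
# Added example (not from the thread): report, without modifying, the settings the thread
# discusses. Run it in the affected user's session so the HKCU values come from the
# FSLogix profile container that roams between hosts.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Per-user Office identity values named in mmarti1223's post
$identity   = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$enableAdal = Get-RegValue $identity 'EnableADAL'
$wamOverride = Get-RegValue $identity 'DisableADALatopWAMOverride'

# Machine policy that blocks automatic Azure AD workplace registration
# (path as documented in Microsoft's hybrid Azure AD join guidance)
$wpjPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$blockWpj  = Get-RegValue $wpjPolicy 'BlockAADWorkplaceJoin'

# Join state from dsregcmd /status: parse its "Name : Value" lines into a hashtable
$ds = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $ds[$Matches[1]] = $Matches[2] }
}

[pscustomobject]@{
    Host                       = $env:COMPUTERNAME
    EnableADAL                 = if ($null -eq $enableAdal) { 'not set (modern auth on)' } else { $enableAdal }
    DisableADALatopWAMOverride = if ($null -eq $wamOverride) { 'not set' } else { $wamOverride }
    BlockAADWorkplaceJoin      = if ($null -eq $blockWpj) { 'not set (registration allowed)' } else { $blockWpj }
    AzureAdJoined              = $ds['AzureAdJoined']     # YES + DomainJoined YES = hybrid joined
    DomainJoined               = $ds['DomainJoined']
    WorkplaceJoined            = $ds['WorkplaceJoined']   # YES = per-user Azure AD registration present
} | Format-List

# Per the thread's workaround: a per-user registration that is not blocked is the state
# in which the token in the roaming profile is tied to the first host's device ID.
if ($ds['WorkplaceJoined'] -eq 'YES' -and $blockWpj -ne 1) {
    Write-Warning 'Workplace registration present and not blocked; profile roaming may hit the Outlook sign-in defect described above.'
}
```

Running this on two hosts the same user has logged on to shows whether the registration state differs between them, which is the condition the thread associates with the "need password" prompt that never appears.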
  • Bo_Madsen's avatar
    Bo_Madsen
    Copper Contributor

    DAsnow 

    This solved similar problem for me:

    https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook-mso_win10-mso_o365b/outlook-password-window-disappears/62cf2b1a-ae26-45fc-95b1-c3c6cce0a188
