Ryan Clegg
Copper Contributor
Oct 31, 2018

Modern Auth Looping with Outlook 2016 when Outside Corporate Network

Hello! First time poster, here.

In the past ~1-2 months, our travelling users have been running into an authentication loop in Outlook 2016. They will suddenly be asked to enter their password in Outlook (the larger, white, browser-based modern authentication window, not the small Outlook client username/password authentication window). Entering their password will close the window, then the window will immediately pop back up. The Outlook client cannot be used until they come back inside our network and reboot their PC.

 

I was able to immediately reproduce the issue on my work laptop (64-bit Windows 10 1803 running Office 2016 32-bit version 1809) by deleting my Outlook profile, deleting all saved Office-related credentials in the Credential Manager, and connecting my laptop to my smartphone hotspot (to simulate being outside the network). Starting Outlook 2016, I'll create a new profile, connect with my AD account, enter my password in the Outlook 2016 authentication box; my email will actually start loading in Outlook, then the larger, white authentication window will pop up. I enter my password, it will disappear, then pop up again, and on, and on...

 

We have worked with MS Support on this issue for a total of ~7 hours in multiple remote sessions, and here are the troubleshooting steps they took, which all failed:

- Using an app password when the MFA browser window asks for the user’s password (“invalid password”)
- Adding “HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride” to the registry, with a DWORD value of 1
- Using “Fiddler” to collect logs while the issue occurred (the technician seemed like they had no idea how to use the program, since the certificates installed by the program effectively blocked Outlook 2016 from communicating with the Microsoft servers)
- Turning on Outlook logging, and reproducing the issue. The logs were not affected in any way while the looping was taking place, leading us to believe that the issue is taking place outside of the Outlook application.
- MS O365 Support then brushed it off as Incident EX152471, which was announced as resolved yesterday evening, but the problem still persists in our environment.

The ONLY workaround that we found is adding "DisableAADWAM" to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\, and giving it a DWORD value of 1. But disabling Web Access Management is not a solution!

 

Can anyone shed any light on our issue?

Thank you,

--Ryan

  • There's an ongoing service incident (EX152471) causing this; it should be resolved soon.

    • Ryan Clegg
      Copper Contributor

      Vasil,

      Thanks for your response! Unfortunately, resolution of EX152471 didn't resolve our problem. On this incident's resolution page, Symptom 2 is the only symptom similar to our problem, but AADSTS70002 is not showing up in the AAD Operational Logs of an affected PC.

      • afmsilva
        Copper Contributor
        I have the same issue on some BYOD machines.
        After too many tries, the solution was to reinstall the operating system.
    • Ryan Clegg
      Copper Contributor
      The latest Office update ended up fixing the issue for us.
  • dtapuchi
    Copper Contributor

    I've taken to setting the DisableAADWAM key by group policy at clients. So far, I have never once in any way used it, and don't see any benefit to it whatsoever. Bugs, however, have been aplenty.

    Why is it on by default?

  • Enny6513
    Copper Contributor
    A colleague of mine was able to resolve this issue using the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
    EnableADAL and set to 0

    Hope this helps! Cheers!
    • Will_Martin_PFE
      Copper Contributor

      Enny6513, in your on-premises environment, this may stop issues, but if you have a server stutter, your users may need to log on again.

      Also Outlook without ADAL will not be able to connect to Office 365 after October. Something to consider.

  • Lewis-H
    Iron Contributor
    We were having the same issue on Windows 10 V 1703 and MS gave us a regedit that seemed to fix the issue (for us, on Windows 10 V 1703). Add the following:
    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
    DisableADALatopWAMOverride
    dword value 1

    After that, modern auth was working again.
    • Lewis-H

      Windows 10 1703 is out of support.

      I strongly advise you to update to the latest Windows 10 build and remove the registry key.

    • ChrisFL
      Copper Contributor
      Is this the official fix? We have thousands of non-technical users and asking them to edit the registry will no doubt create more problems than we can practically solve.
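
Several posts above set values under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity as workarounds, and one reply advises removing the key once the machine is updated. A read-only inventory of those values, as an added example that is not part of any post in this thread (PowerShell; the function name Get-OfficeIdentityOverride and the exit-code convention are assumptions of this example):

```powershell
# Added example: report which of the Office identity overrides named in this
# thread are present for the current user. Read-only; nothing is modified.
$IdentityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

# Value names and the data posters reported setting (taken from the thread).
$Overrides = @(
    @{ Name = 'DisableADALatopWAMOverride'; ReportedValue = 1 },
    @{ Name = 'DisableAADWAM';              ReportedValue = 1 },
    @{ Name = 'EnableADAL';                 ReportedValue = 0 }
)

# Hypothetical helper name; returns one object per override value.
function Get-OfficeIdentityOverride {
    param([string]$Path = $IdentityKey)

    # The key may not exist at all on a clean profile.
    $key = if (Test-Path -LiteralPath $Path) { Get-Item -LiteralPath $Path } else { $null }

    foreach ($o in $Overrides) {
        # GetValue returns the supplied default ($null) when the value is absent.
        $current = if ($key) { $key.GetValue($o.Name, $null) } else { $null }
        [pscustomobject]@{
            User          = $env:USERNAME
            Computer      = $env:COMPUTERNAME
            Name          = $o.Name
            Present       = ($null -ne $current)
            CurrentValue  = $current
            WorkaroundSet = ($null -ne $current -and $current -eq $o.ReportedValue)
        }
    }
}

$report = Get-OfficeIdentityOverride
$report | Format-Table -AutoSize

# Assumed convention: exit 1 when any workaround is still in place, so a
# management tool can flag the machine for follow-up after Office is updated.
if ($report | Where-Object WorkaroundSet) { exit 1 } else { exit 0 }
```

The values live in the per-user hive, so the script has to run in the affected user's session (for example as a logon script) rather than under a service account.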
