Forum Discussion
mouadcherkaoui
Feb 04, 2021, Brass Contributor
Teams / Federated Authentication / macOS Client
Hi, this question was initially posted in the Answers forum: Teams / Authentification Fédéré / Client MacOS - Microsoft Community "We have been having federated connection issues with Teams on...
mouadcherkaoui
Feb 05, 2021, Brass Contributor
It's my pleasure! You're welcome!
I think, since it is working on other platforms, it should be more about the macOS use case, which handles keychains and caches them its own way. Can you create a user account and see if it works? I shared in the "Answers forum" a resolution which, in addition to removing cache files, suggests using the Keychain Access ("Trousseau d'accès") tool to remove cached credentials there too:
Niklas Blomqvist's answer is also interesting:
- Start Teams
- Click the Teams app in the dock 5 times
- Click the "Development" option in the menu bar
- In that menu you have an entry called "Auth". I tried clicking all the "Call ipc" entries for the different auth methods (I can't reproduce the menu right now, since I'm logged in and there are additional steps to see those entries when logged in)
- However, BEFORE you try any Auth entries, go to "hooks" and "enableMacNativeNotifications" (I think that was the name) to get native macOS notifications 🙂
Hope it helps!
guenaelsanchez
Feb 05, 2021, Copper Contributor
Hello,
I tried to enable Mac Native Notifications, but it did not change anything.
This is the Auth menu. I tried clicking all items one by one, entered my UPN, and it failed.
I also tried to remove all the different cache files suggested in the other post, and deleted any Teams entry in my Keychain, but it did not change anything!
Regards,
GS
- guenaelsanchez, Feb 05, 2021, Copper Contributor
So ...
Error -1200 seems to be related to ATS (App Transport Security) / SSL options, ciphers, versions...
Our federated identity authentication server seems not quite compliant with the latest SSL standards! Since we host it directly, we asked for an SSL/TLS/ATS fix.
On macOS you can use the command:
/usr/bin/nscurl --ats-diagnostics https://MySSLServer.FQDN/ (--verbose if needed)
The output is (I just changed our server FQDN):
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://Server.FQDN/, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BCF6DDA1-01D8-4D1E-9E17-46EE9364D4A0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <BCF6DDA1-01D8-4D1E-9E17-46EE9364D4A0>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://Server.FQDN/, NSUnderlyingError=0x7febf9c12020 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9858}}, _kCFStreamErrorCodeKey=-9858}
---
See the error code? -1200, just like what the Teams client reports... Maybe the latest version of the Teams desktop client is more "picky" on security topics.
To be continued !
GS
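As an added example (not code from this thread, from Apple, or from Microsoft), the following Python script parses the `nscurl --ats-diagnostics` output format quoted above. nscurl prints one block per ATS configuration it tries (title, `---`, description, `ATS Dictionary: { ... }`, `Result : PASS|FAIL`, optional `Error : ...`, `---`); the parser splits those blocks, pulls out the NSURLErrorDomain code (-1200 here) and the underlying Secure Transport code from `_kCFStreamErrorCodeKey` (-9858, which is errSSLHandshakeFail in Apple's SecureTransport.h), and reports which configuration, if any, is the first to pass. The sample text is constructed: its first block copies the shape of the FAIL block in the post, the second is an invented PASS block so both outcomes are exercised. Save a real run with `nscurl --ats-diagnostics https://host/ > ats.txt` and feed the file to `summarize()`.

```python
"""Parse `nscurl --ats-diagnostics` output into per-configuration results.

Added example for this thread (not from the original post, Apple or Microsoft).
SAMPLE below is constructed; the Secure Transport codes are a subset of
Apple's SecureTransport.h error constants.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Subset of Secure Transport error codes (SecureTransport.h). nscurl reports
# the raw value in _kCFStreamErrorCodeKey; -1200 is only the NSURL wrapper.
SECURE_TRANSPORT_ERRORS = {
    -9807: "errSSLXCertChainInvalid",
    -9843: "errSSLHostNameMismatch",
    -9858: "errSSLHandshakeFail",
    -9880: "errSSLATSViolation",
    -9881: "errSSLATSMinimumVersionViolation",
    -9882: "errSSLATSCiphersuiteViolation",
}

# Constructed sample: block 1 mirrors the FAIL block quoted in the thread,
# block 2 is an invented PASS block (an ATS exception that disables checks).
SAMPLE = """Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://Server.FQDN/, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x7febf9c12020 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9858}}, _kCFStreamErrorCodeKey=-9858}
---

Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---
"""

_RESULT_RE = re.compile(r"^Result\s*:\s*(\w+)", re.M)
_NSURL_RE = re.compile(r"Error Domain=NSURLErrorDomain Code=(-?\d+)")
_STREAM_RE = re.compile(r"_kCFStreamErrorCodeKey=(-?\d+)")
_DICT_RE = re.compile(r"ATS Dictionary:\s*\{(.*?)\n\}", re.S)
# one `key = value;` line of the printed plist dictionary (nesting flattened)
_KV_RE = re.compile(r'^\s*"?([\w.]+)"?\s*=\s*(.+?);\s*$', re.M)


@dataclass
class AtsSection:
    title: str
    description: str
    ats_dictionary: dict
    result: str
    nsurl_code: Optional[int] = None
    stream_code: Optional[int] = None

    @property
    def secure_transport_name(self) -> Optional[str]:
        if self.stream_code is None:
            return None
        return SECURE_TRANSPORT_ERRORS.get(self.stream_code, f"unknown ({self.stream_code})")


def _split_blocks(text: str):
    """nscurl separates title and body with `---`, so chunks alternate title/body."""
    chunks = [c.strip() for c in re.split(r"^---[ \t]*$", text, flags=re.M)]
    chunks = [c for c in chunks if c]
    return list(zip(chunks[0::2], chunks[1::2]))


def parse_ats_diagnostics(text: str) -> list:
    sections = []
    for title, body in _split_blocks(text):
        lines = body.splitlines()
        dict_match = _DICT_RE.search(body)
        raw_dict = dict_match.group(1) if dict_match else ""
        ats_dict = {k: v.strip('"') for k, v in _KV_RE.findall(raw_dict)}
        result = _RESULT_RE.search(body)
        nsurl = _NSURL_RE.search(body)
        stream = _STREAM_RE.search(body)
        sections.append(AtsSection(
            title=title,
            description=lines[0].strip() if lines else "",
            ats_dictionary=ats_dict,
            result=result.group(1) if result else "UNKNOWN",
            nsurl_code=int(nsurl.group(1)) if nsurl else None,
            stream_code=int(stream.group(1)) if stream else None,
        ))
    return sections


def summarize(text: str) -> list:
    """(title, result, NSURL code, Secure Transport name) per configuration."""
    return [(s.title, s.result, s.nsurl_code, s.secure_transport_name)
            for s in parse_ats_diagnostics(text)]


def first_passing_configuration(text: str) -> Optional[str]:
    """Title of the first PASS block: the weakest ATS setting the server needs.
    That is evidence for the server-side fix, not an exception to ship."""
    for s in parse_ats_diagnostics(text):
        if s.result == "PASS":
            return s.title
    return None


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
    print("first passing:", first_passing_configuration(SAMPLE))
```

Reading the result the way the post does: a FAIL on "Default ATS Secure Connection" with -9858 means the TLS handshake itself was rejected under default ATS policy (TLS 1.2+, forward-secret ciphers, SHA-256 certificate chain), and the first block that passes tells you which of those requirements the server currently misses; the same `nscurl` run after the server-side fix should show the default block passing.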
- mouadcherkaoui, Feb 05, 2021, Brass Contributor
Here is the explanation of the error code constant AD_ERROR_SERVER_USER_INPUT_NEEDED:
AD_ERROR_SERVER_USER_INPUT_NEEDED
User needs to re-authorize resource usage. This error is raised when access token cannot be obtained without user explicitly re-authorizing, but the developer has called acquireTokenSilentWithResource method. To obtain the token, the application will need to call acquireTokenWithResource after this error to allow the library to give user ability to re-authorize (with web UI involved).
(ADErrorCodes.h)
This can be confirmed through the Azure portal, in the Azure AD monitoring section under Sign-ins, with request-id F734D42E-4D0F-4F78-93E4-AE8008D604E1.
It also seems to be related to a domain error:
Microsoft.ADAL.extended_expires_on_setting: no, Microsoft.ADAL.error_domain: NSURLErrorDomain, Microsoft.ADAL.prompt_behavior: AD_PROMPT_AUTO, Microsoft.ADAL.authority_validation_status: yes, Microsoft.ADAL.x_client_sku: OSX, Microsoft.ADAL.x_client_ver: 4.0.9, Microsoft.ADAL.cache_event_count: 4, Microsoft.ADAL.correlation_id: D747B73D-AD0B-452F-A357-1E8A063C4FC2,
which confirms your finding. I think taking a look at the Azure AD logs can give more information, as can the logs from the external authentication provider.
I'm still unable to reproduce the same architecture; I need to go through some documentation!
Best Regards.
- guenaelsanchez, Feb 05, 2021, Copper Contributor
mouadcherkaoui, thanks for the digging!
We are waiting for the appropriate fix to be applied on the authentication portal. No ETA, AFAIK.
Will keep you informed.
Regards,
GS.