Joshua Widup
Brass Contributor
Jan 18, 2017

S4B Mac ADFS failing

Hey everybody - after the most recent updates the client won't log in properly. We are running Office 365 with ADFS as the login provider. The client attempts the login and then passes back what looks like an attempt at the modern authentication in a new window but that spins and times out. This is happening for everybody that is using the client on Mac. Any ideas?
  • Bas van Rooij
    Copper Contributor

    We are facing the same issue at our Mac clients.

    Was anyone able to resolve it?

    • Joshua Widup
      Brass Contributor

      Sorry to say that it hasn't been fixed...I haven't had the time to chase it with support either.

      • David Howell
        Copper Contributor

        Hi,

        We had an issue with S4B on Mac OS not signing in. The user experience was a white login box appearing and then nothing else. No errors.

        Tried updating Office and installing the March 2017 update for Skype.

        Environment is ADFS on Server 2016 with IWA and Forms Based Authentication enabled.

        Modern Authentication enabled in both Exchange Online and Skype for Business and no users have MFA enabled.

        I think what broke it was adding the User Agent String 'Mozilla/5.0' to my ADFS WIASupportedUserAgents property.

        The value wasn't detailed enough to cope with non-Windows clients and was therefore expecting IWA from the Macs.

        Amending the value to 'Mozilla/5.0 (Windows NT)' maintains IWA for the Windows platform and FBA for non-Windows, which resolved the issue.

        There are plenty of other variables which could be at play with this issue but this sorted it for me.

        The clincher was this excellent article on ADFS, IWA and FBA, found here:

        https://blog.msresource.net/2015/12/11/ad-fs-enhanced-protection-for-authentication-epa-chrome-and-integrated-windows-authentication-iwa/
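
The over-broad match David Howell describes above can be checked offline before changing WIASupportedUserAgents. This is an added example, not part of any post in the thread; it assumes AD FS treats each entry as a case-insensitive substring of the User-Agent header, and the function name Find-BroadWiaEntry and the sample User-Agent strings are constructed for illustration.

```powershell
# Added example, not from the thread.
# Assumption: an entry matches when it occurs as a case-insensitive
# substring of the User-Agent header the client sends to AD FS.

# Constructed sample User-Agent strings for clients that cannot do IWA
# and therefore need forms-based authentication (FBA).
$nonWindowsAgents = [ordered]@{
    'macOS WebKit' = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko)'
    'iOS Safari'   = 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/602.3.12 (KHTML, like Gecko) Mobile/14C92'
    'Android'      = 'Mozilla/5.0 (Linux; Android 7.0; Nexus 5X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0 Mobile Safari/537.36'
}

function Find-BroadWiaEntry {
    # Emits one object per (entry, client) pair where a WIA entry would
    # also claim a non-Windows client, i.e. that client would be asked
    # for IWA instead of being shown the forms login page.
    param(
        [Parameter(Mandatory)] [string[]] $Entries,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Agents
    )
    foreach ($entry in $Entries) {
        foreach ($name in $Agents.Keys) {
            $agent = [string]$Agents[$name]
            if ($agent.IndexOf($entry, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Entry = $entry; MatchedClient = $name }
            }
        }
    }
}

# The value from the post that broke Mac sign-in: flagged for every sample client.
Find-BroadWiaEntry -Entries 'Mozilla/5.0' -Agents $nonWindowsAgents

# The amended value from the post: no non-Windows client is flagged.
Find-BroadWiaEntry -Entries 'Mozilla/5.0 (Windows NT)' -Agents $nonWindowsAgents

# On an AD FS server, audit the configured list instead of literals:
# Find-BroadWiaEntry -Entries (Get-AdfsProperties).WIASupportedUserAgents -Agents $nonWindowsAgents
```

Any entry the function reports is a candidate for narrowing before it is written back with Set-AdfsProperties -WIASupportedUserAgents.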

  • Joshua Widup
    Brass Contributor

    So I managed to dig deeper on this - I'm not a massive traffic analyzer but I was able to see where things seem to be failing.  That same page that loads out as spinning or blank on the internal network paints as the ADFS external login page when off the network.  So I set up a trace to watch Skype as it's attempting to log in on the internal network and it's the ADFS response to the internal auth request. 

    I updated all the way to the latest fast insider build of Office/Skype this morning and it's the same thing.  Something within Skype isn't handling that ADFS response in the last few builds.  My guess at this point is that I have to open a premier ticket - anyone else seeing this issue at all?

    • Arunkumar K T
      Copper Contributor

      Hi!

      Was this issue fixed?

      Please share the fix if any.

      Regards

      Arun

    • Joshua Widup
      Brass Contributor

      It seems to be failing for anybody that has upgraded to the latest version on Mac.  I did some more research into this today and we have ADFS rules that permit login only from within the network.  If I am connected to the internal network I get a blank pop-up from Skype (looks like it's attempting to load a page) and it will spin forever.  I decided to pop off the internal network and get on an external and that blank page then refreshes and loads the external ADFS authentication page.  It would seem that there's some issue resolving it internally.  I may need to check into our DNS.

      • Joshua Widup
        Brass Contributor

        Adding more to this...

        I noticed that Safari is asking for a certificate for our internal ADFS.  This may be a byproduct of the way we have our stuff set up as Firefox isn't prompting for the same.  My presumption is that Skype is using Safari to do the load out and when it's getting the transition of ADFS prompting for a certificate that it's just not painting the page and discarding the prompts.  That's likely why the page isn't loading and the client isn't able to log in properly.

        I'll have to do some more digging as even changing the default browser on the OS won't get past it.  I'm thinking it may be calling it by default.  Or I could be chasing ghosts.
