Forum Discussion
S4B Mac ADFS failing
We are facing the same issue at our Mac clients.
Was anyone able to resolve it?
Sorry to say that it hasn't been fixed...I haven't had the time to chase it with support either.
- David Howell, Apr 25, 2017, Copper Contributor
Hi,
We had an issue with S4B on Mac OS not signing in. The user experience was a white login box appearing and then nothing else. No errors.
Tried updating Office and installing the March 2017 update for Skype.
Environment is ADFS on Server 2016 with IWA and Forms Based Authentication enabled.
Modern Authentication enabled in both Exchange Online and Skype for Business and no users have MFA enabled.
I think what broke it was adding the User Agent String 'Mozilla/5.0' to my ADFS WIASupportedUserAgents property.
The value wasn't detailed enough to cope with non-Windows clients and was therefore expecting IWA from the Macs.
Amending the value to 'Mozilla/5.0 (Windows NT)' maintains IWA for the Windows platform and FBA for non-Windows, which resolved the issue.
There are plenty of other variables which could be at play with this issue but this sorted it for me.
The clincher was this excellent article on ADFS, IWA and FBA found here
- Bas van Rooij, Apr 25, 2017, Copper Contributor
Hi David,
Thanks for your reply!
Around the same time we got response from Microsoft support with a few possible solutions.
We followed the 2nd option as you also did.
Below is the response we got from Microsoft support:
1. Please enable the password authentication for the intranet will fix this issue.
You can access this by editing the primary authentication policy from the AD FS snapin (under Authentication Policies).
2. Remove Mozilla 5.0 from the supported user agents under ADFS properties
On the primary ADFS server
$WIA = Get-AdfsProperties
$WIA.WIASupportedUserAgents
Most probably the list of agents will look like this:
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
Mozilla/5.0
Edge/12
You can remove the Mozilla 5.0 from the list of supported user agents by running this command on the ADFS server, and not including the Mozilla/5.0:
Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client")
You can also check this link here:
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia
3. Workaround if you want to keep Mozilla/5.0 between the user agents
If removing the "Mozilla/5.0" does not seem to be a viable solution as you may need it for all users running Firefox or any other browser/software using that agent and that should benefit from WIA and its advantages.
What we've found on our side is more related to the ability of the Mac to get a valid Kerberos ticket in the AD domain prior to open Skype for the first time.
Indeed, we successfully reproduced (and solved) the issue by using a mac not connected to the network at first, then opening a session, get network, then launch Skype => You have the issue as no ticket is listed in the klist (or if you use an account in the MacOS session that is not linked to AD, even if you sign in to Skype with an AD account).
If you open a session on the Mac with network and with a valid AD account, you get a valid ticket and the Skype opens naturally after you provided email+password
- Arunkumar K T, Jun 09, 2017, Copper Contributor
Microsoft has acknowledged the issue.
Skype for Business on Mac fails to sign-in
(Skype for Business Server Online, Exchange Server Online, Identity managed on-premises with ADFS 3.0 and WIA authentication enabled for wiasupporteduseragents-Mozilla/5.0)
Workaround:
Remove “Mozilla/5.0” from the WIASupportedUserAgents parameter in AdfsProperties. Essentially, you will need to:
a. Run Get-AdfsProperties | select wiasupporteduseragents and get the output.
b. Then remove _only_ “Mozilla/5.0” from the output.
c. Then run Set-AdfsProperties -WIASupportedUserAgents with the output from step b.
Revert back to using Lync for Mac 2011.
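The workaround steps above (read the list, drop only the Mozilla/5.0 entry, write it back), as an added PowerShell example that is not from any poster in this thread or from Microsoft. The helper names, the backup file name and the sample User-Agent strings are constructed, and the case-insensitive substring match is an assumed, simplified model of how AD FS compares the list with a client's User-Agent.

```powershell
# Added example. Helper names are hypothetical; the matching rule is an assumed model.
function Test-WiaMatch {
    param([string[]]$SupportedAgents, [string]$UserAgent)
    foreach ($agent in $SupportedAgents) {
        # Assumption: an entry matches when it occurs anywhere in the User-Agent.
        if ($UserAgent.IndexOf($agent, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function Remove-WiaAgent {
    param([string[]]$SupportedAgents, [string]$Agent)
    # Drop only the exact entry so every other agent in the list is preserved.
    return @($SupportedAgents | Where-Object { $_ -ne $Agent })
}

# Constructed sample User-Agent strings, not captured from real clients.
$SampleAgents = [ordered]@{
    'Windows, Trident' = 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
    'Windows, other'   = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0'
    'Mac client'       = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) ExampleClient/1.0'
}

function Show-WiaPreview {
    param([string[]]$SupportedAgents)
    foreach ($name in $SampleAgents.Keys) {
        $mode = if (Test-WiaMatch $SupportedAgents ($SampleAgents[$name])) { 'WIA' } else { 'FBA' }
        '{0,-18} {1}' -f $name, $mode
    }
}

if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    # On the primary AD FS server: back up, preview, then write the reduced list.
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    $current | Set-Content -Path .\WIASupportedUserAgents.backup.txt
    $updated = Remove-WiaAgent $current 'Mozilla/5.0'
    Show-WiaPreview $updated
    Set-AdfsProperties -WIASupportedUserAgents $updated -Confirm
} else {
    # Anywhere else: preview only, using the agent list quoted in the thread.
    $current = 'MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0',
               'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client',
               'Mozilla/5.0', 'Edge/12'
    'Before:'; Show-WiaPreview $current
    'After:';  Show-WiaPreview (Remove-WiaAgent $current 'Mozilla/5.0')
}
```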