AADSTS75011 Error on Edge (Azure AD Joined machines)


I have just set up SSO for a new enterprise application.

On AzureAD joined machines, it works in Chrome and Edge InPrivate mode. In normal Edge, we get the following error:


AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.


I have read about adding the following to the SAML request, but this is not possible with the vendor currently:

'authnContextClassRef' : false


This only affects AzureAD joined machines on Edge. When I test from a Hybrid joined machine there is no such issue.


Is there any way to resolve this from the Azure side?

0 Replies
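The error in the post is the SAML RequestedAuthnContext check: the application's AuthnRequest asks for an exact match on a password-over-TLS context, but on an Azure AD joined device the normal Edge session has already signed in with a device certificate plus MFA, so the identity provider has to refuse rather than downgrade. InPrivate and Chrome have no device session, so the user types a password and the contexts line up. The following Python script is an added example, not code from the post or from Microsoft; it parses two constructed AuthnRequests with the standard library and applies the exact-match rule. The request without a RequestedAuthnContext element models what an SP library's "do not request a context" option is assumed to send (the `'authnContextClassRef' : false` setting the poster mentions), and the `urn:example:constructed:MultiFactor` URI is a placeholder, not a real Azure AD class reference.

```python
"""Model of the SAML RequestedAuthnContext check behind an AuthnContext mismatch."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"  # standard SAML 2.0 class prefix

# Constructed AuthnRequest: the SP pins the context to PasswordProtectedTransport.
REQUEST_WITH_CONTEXT = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed1" Version="2.0" IssueInstant="2021-07-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed AuthnRequest with no RequestedAuthnContext at all (assumed to be what
# disabling the requested-context option in an SP library produces).
REQUEST_WITHOUT_CONTEXT = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed2" Version="2.0" IssueInstant="2021-07-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed stand-ins for the methods named in the error: a device certificate
# plus MFA. The MultiFactor URI is a placeholder, not a real Azure AD value.
AAD_JOINED_EDGE = [AC + "X509", "urn:example:constructed:MultiFactor"]
PASSWORD_LOGIN = [AC + "PasswordProtectedTransport"]


def requested_contexts(authn_request_xml):
    """Return (comparison, [class refs]) from RequestedAuthnContext, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 default is "exact"
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return comparison, refs


def context_satisfied(requested, authenticated):
    """Exact-match rule: some requested class must equal a method the user actually used."""
    if requested is None:
        return True  # no constraint: the IdP may accept any method it used
    comparison, refs = requested
    if comparison != "exact":
        raise NotImplementedError("minimum/better/maximum need a strength ordering")
    return any(ref in authenticated for ref in refs)


def evaluate(authn_request_xml, authenticated):
    """Summarise the outcome the way an IdP decides it."""
    requested = requested_contexts(authn_request_xml)
    ok = context_satisfied(requested, authenticated)
    wanted = "any" if requested is None else ", ".join(requested[1])
    return {"ok": ok, "requested": wanted, "authenticated": ", ".join(authenticated)}


if __name__ == "__main__":
    cases = (("pinned context", REQUEST_WITH_CONTEXT), ("no context", REQUEST_WITHOUT_CONTEXT))
    sessions = (("AAD-joined Edge", AAD_JOINED_EDGE), ("password login", PASSWORD_LOGIN))
    for label, req in cases:
        for who, methods in sessions:
            result = evaluate(req, methods)
            verdict = "accepted" if result["ok"] else "mismatch"
            print(f"{label:14} / {who:16} -> {verdict}")
```

Running it shows the pinned request failing only for the certificate-plus-MFA session, which is the combination the post reports, and passing everywhere once the context is no longer requested. Removing the RequestedAuthnContext does not weaken the sign-in: Azure AD still enforces its own Conditional Access policy, it simply stops being told to reject a stronger method than the one the application asked for.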