Edge 86.0.622.58 On-premises Sync Not Working Over VPN With Cached Local Login

We are running Edge 86.0.622.58 on Win10 Enterprise 1909 domain joined systems.

 

We are trying to configure the Edge GPO to enable local sync of favorites, but we are unable to get the on-prem sign-in to work over VPN and so the local profile.pb is never created.

 

Our settings are as follows:

BrowserSignin = 1
ConfigureOnPremisesAccountAutoSignIn = 1
RoamingProfileSupportEnabled = 1
SyncDisabled = 0


When we log in to Windows 10 with a cached credential, connect to VPN, and launch Edge with these settings, we get prompted to sign in. The only account that seems to work is the "work or school account", which is our O365 email address. Signing in using this account results in the Edge account type and sync account type being AAD instead of on-prem, and the message "sync isn't available for this account".

 

I believe the cause of the issue is the AD account is not being used to sign in to the browser even though ConfigureOnPremisesAccountAutoSignIn is set to 1.  Doing a whoami at a command prompt shows my account name in domain\username format.

 

Using these same settings while logged into an on-site workstation results in on-premises sign in and sync working properly.  Is there any reason why this functionality would not work on a cached local logon/VPN scenario?

 

 

25 Replies

@jdbst56 I just spoke to our Identity Team and they mentioned that in your case it seems like, in the VPN configuration, the Windows API that MS Edge is using is not returning the account information needed for on-premises. They have asked the following:

 

Are you able to try the following steps to validate this?

  1. Delete all user data.
  2. Launch MS Edge with flag --force-on-prem-profile (msedge.exe --force-on-prem-profile)

If you cannot delete the data, then can you try the following?  Create a folder and launch MS Edge with additional parameter: --user-data-dir=<folder-name>

 

If this works, then it confirms that the previously mentioned new policy the team is investigating will help in your scenario.  Unfortunately, there is no ETA for the new policy right now but we will keep an eye out for updates from the team. 

 

Thanks for your patience! 

 

-Kelly

@Kelly_Y We confirmed in our testing that --force-on-prem-profile overrides the AAD login attempt and forces the local AD login.

Do you have any timeframe on when the new GPO will be implemented? We cannot implement Edge as our default browser until we can locally roam favorites.

Thanks

Any news on this GPO? It's been so long since this thread started. On-premises AD profiles are broken in Edge. And this is not just a VPN problem.
Clean installation, no Azure or MS accounts, created 3 AD Users.
First user I try gets signed in with "DOMAIN\Username" style profile (as expected). The other two however get continuously signed in with "Profile 1" profile styles.
This was tested twice in different machines. Fix this please, not everyone prefers the Azure treatment.

Thanks

@Michael710 We had opened a Microsoft Premier support case two weeks ago just to see if they could give us any ETA on the new policy. Unfortunately there was really no new information other than they are working on it. Here's the summary from the case.

SYMPTOM:
• Customer wants update on new policy being created by Edge team so users will not get implicit sign-in with secondary AAD account if ConfigureOnPremisesAccountAutoSignIn is configured

CAUSE:
• N/A

RESOLUTION:
• After discussing with the Edge team, the new policy being created so users will not get implicit sign-in with secondary AAD account if ConfigureOnPremisesAccountAutoSignIn is configured, is currently still in progress.

• They do not have an exact release date or version yet, but I have indicated to them to let me know as soon as there is an ETA.

• This policy was expected to be released previously but there was a slight delay which caused a setback but they are now working to get this policy in an upcoming version and will share with me the release version as soon as they have confirmed.

• Will re-open case when there is an update on policy

Do we have any update on this issue? 2,439 views on this issue since Nov 2020 and still no solution. We're supposed to make Edge the default browser next month due to O365 EOL for IE. I guess we have to tell our users that they can't roam their favorites.

Hi Everyone - Circling back to this thread, we have just added a new policy for this scenario starting in Microsoft Edge v94.  MS Edge Beta Version 94.0.992.9 was just released today (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-beta-channel#version-9409929-sept...

 

Here is a link to the policy documentation for OnlyOnPremisesImplicitSigninEnabled:  

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#onlyonpremisesimplicitsigninenab...

 

Thanks! 

 

-Kelly
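
Added example (not posted by anyone in this thread and not Microsoft's code): a PowerShell audit that reads the policies named above from a workstation and flags any that are missing or differ, plus an Edge version check since the new policy starts in v94. Assumptions: policies are applied machine-wide under HKLM:\SOFTWARE\Policies\Microsoft\Edge, Edge is registered under the standard App Paths key, and OnlyOnPremisesImplicitSigninEnabled is expected to be 1 (enabled); the function names are hypothetical.

```powershell
# Added example: audit the Edge sign-in/sync policies discussed in this thread.
# Assumption: GPO writes machine policies to this key (user-scoped policy is not checked).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# First four values are the original poster's settings; the last is an
# assumed "enabled" value for the policy added in Edge v94.
$expected = [ordered]@{
    BrowserSignin                        = 1
    ConfigureOnPremisesAccountAutoSignIn = 1
    RoamingProfileSupportEnabled         = 1
    SyncDisabled                         = 0
    OnlyOnPremisesImplicitSigninEnabled  = 1
}

function Get-EdgeVersion {
    # Assumption: Edge is registered under the standard App Paths key.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'
    $exe = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'
    if ($exe -and (Test-Path $exe)) {
        [version](Get-Item $exe).VersionInfo.ProductVersion
    }
}

function Test-EdgeOnPremPolicy {
    param(
        [string]$Key = $policyKey,
        [System.Collections.IDictionary]$Expected = $expected
    )
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        # A policy that was never delivered shows up as a missing value, not as 0.
        $isSet  = $props -and $props.PSObject.Properties[$name]
        $actual = if ($isSet) { $props.$name } else { $null }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Expected[$name]
            Actual   = if ($isSet) { $actual } else { '<not set>' }
            Ok       = $isSet -and ($actual -eq $Expected[$name])
        }
    }
}

$ver = Get-EdgeVersion
if ($ver -and $ver.Major -lt 94) {
    Write-Warning "Edge $ver predates v94; OnlyOnPremisesImplicitSigninEnabled is not available."
}
Test-EdgeOnPremPolicy | Format-Table -AutoSize
"Windows logon identity: $(whoami)"   # should read domain\username for on-prem sign-in
```

Running it once on an on-site workstation and once over VPN with a cached logon shows whether the policy set itself differs between the two cases or only the sign-in behaviour does.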