ADFS with DUO authentication on SharePoint + Office issue


Dear Everyone,

We're facing an authentication error with most of our users, described below. Our SharePoint environment (2016) is integrated with ADFS (3.0) using DUO authentication. I noticed that this error occurs when a user uses any browser except Internet Explorer; that is, the issue occurs in Chrome, Chromium (Edge) and Firefox. Most importantly, once the user has logged in using the IE browser, all other browsers then work without any issues. At the same time, when the user logs off from the IE browser, all other browsers stop working and throw the error below when we open documents from the SharePoint site. Also, we found out that this error happens only to users who have DUO enabled. If the user does not have DUO enabled, they can open Office documents and also edit documents on SharePoint and save them directly using any browser without any issues.

1) User opens Intranet site and authenticates using our domain credentials.

2) User tries to open an Office document, for example a Word document.

3) Word application opens up and ADFS asks for credentials.

4) After entering domain credentials, the Office application (Word) returns an error message:

[Image: SharePointHelp_0-1623195152084.jpeg (error message shown by Word)]

I tried the following multiple ways to find a solution, which did not help us at all ☹

1) Client-side: Ensure that the intranet site is in the Trusted Sites zone or the Local Intranet security zone in the IE browser options.

2) Client-side: Put the intranet site into Trusted Locations in the Office Trust Center settings.

3) Server-side: Check the configuration of the SharePoint SPSecurityTokenServiceConfig.

4) Client-side: Check the registry entry:

  1. HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity
  2. Check if the EnableADAL value is present.
  3. If not present, create a new REG_DWORD value with the name EnableADAL and the value 0.

Further, I investigated the supported user agents configured in ADFS and noticed that our current configuration is as follows:

[Image: SharePointHelp_1-1623195152245.png (ADFS supported user agents configuration)]

As a result, we don't support the Mozilla agent. The following article explains how to configure Chrome, Firefox and Chromium (Mozilla agent) for SSO in ADFS:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia

That was also not working ☹. It would be really appreciated if you could give me any solutions. Thanks very much.
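The two checks the post describes, the client-side EnableADAL registry value and the server-side list of user agents that AD FS offers Windows Integrated Authentication to, can be scripted so they are repeatable across affected users and servers. The following PowerShell is an added example and is not code from the original post or from Microsoft's article. The cmdlets it calls (Get-ItemProperty, Get-AdfsProperties, Set-AdfsProperties) are real; the function names, the -Apply switch and the report shape are my own assumptions. Run Test-OfficeAdalSetting on an affected client and Test-AdfsWiaUserAgents on the AD FS server; the server function is read-only unless -Apply is given, and it honours -WhatIf.

```powershell
# Added example, not from the original post. Two read-mostly diagnostics for
# the symptoms above: the Office 16.0 EnableADAL registry value on a client,
# and the WIASupportedUserAgents list on the AD FS server.

function Test-OfficeAdalSetting {
    # Reports whether the EnableADAL value named in the post exists under the
    # per-user Office Identity key and, if so, what it is set to. Read-only.
    $path = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
    if (-not (Test-Path -Path $path)) {
        return [pscustomobject]@{ Path = $path; KeyExists = $false; Present = $false; EnableADAL = $null }
    }
    $item  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $value = $null
    if ($null -ne $item -and ($item.PSObject.Properties.Name -contains 'EnableADAL')) {
        $value = [int]$item.EnableADAL
    }
    [pscustomobject]@{
        Path       = $path
        KeyExists  = $true
        Present    = ($null -ne $value)   # $true when the value has been created
        EnableADAL = $value               # 0 = modern auth (ADAL) disabled, 1 = enabled, $null = default
    }
}

function Test-AdfsWiaUserAgents {
    # Lists the user-agent prefixes for which AD FS offers WIA instead of
    # forms authentication, and reports whether the prefix from the linked
    # article ('Mozilla/5.0', matching Chrome, Firefox and Chromium Edge) is
    # present. With -Apply it appends that prefix; -WhatIf shows the change only.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Agent = 'Mozilla/5.0',   # assumption: the prefix used by Microsoft's article
        [switch]$Apply
    )
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    Write-Host 'Configured WIA user agents:'
    $current | ForEach-Object { Write-Host "  $_" }

    if ($current -contains $Agent) {
        Write-Host "'$Agent' is already listed; browsers sending it should be offered WIA."
        return $true
    }
    Write-Host "'$Agent' is NOT listed; browsers sending it fall back to forms authentication."

    if ($Apply -and $PSCmdlet.ShouldProcess('AD FS properties', "append '$Agent' to WIASupportedUserAgents")) {
        # Append rather than replace so the existing entries (e.g. MSIE, Trident, Windows Rights Management) stay intact.
        Set-AdfsProperties -WIASupportedUserAgents ($current + $Agent)
        return $true
    }
    return $false
}

# Usage (on a client):      Test-OfficeAdalSetting | Format-List
# Usage (on the AD FS host): Test-AdfsWiaUserAgents            # report only
#                            Test-AdfsWiaUserAgents -Apply -WhatIf
```

The registry function distinguishes "key missing", "value missing" and "value present" because the post's step 4 only says what to do when EnableADAL is absent; seeing the actual state on each affected workstation is what tells you whether that step was ever applied. The AD FS function appends to the existing array instead of overwriting it, since Set-AdfsProperties -WIASupportedUserAgents replaces the whole list and an accidental overwrite would silently drop WIA for the agents that currently work.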
