Modern Auth Looping with Outlook 2016 when Outside Corporate Network


Hello! First time poster, here.

 

In the past ~1-2 months, our travelling users have been running into an authentication loop in Outlook 2016. They will suddenly be asked to enter their password in Outlook (the larger, white, browser-based modern authentication window, not the small Outlook client username/password authentication window). Entering their password will close the window, then the window will immediately pop back up. The Outlook client cannot be used until they come back inside our network and reboot their PC.

 

I was able to immediately reproduce the issue on my work laptop (64-bit Windows 10 1803 running Office 2016 32-bit version 1809) by deleting my Outlook profile, deleting all saved Office-related credentials in the Credential Manager, and connecting my laptop to my smartphone hotspot (to simulate being outside the network). Starting Outlook 2016, I'll create a new profile, connect with my AD account, enter my password in the Outlook 2016 authentication box; my email will actually start loading in Outlook, then the larger, white authentication window will pop up. I enter my password, it will disappear, then pop up again, and on, and on...

 

We have worked with MS Support on this issue for a total of ~7 hours in multiple remote sessions, and here are the troubleshooting steps they took, which all failed:

 

-Using an app password when the MFA browser window asks for the user’s password (“invalid password”)

-Adding “HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride” to the registry, with a DWORD value of 1

-Using “Fiddler” to collect logs while the issue occurred (the technician seemed like they had no idea how to use the program, since the certificates installed by the program effectively blocked Outlook 2016 from communicating with the Microsoft servers)

-Turning on Outlook logging, and reproducing the issue. The logs were not affected in any way while the looping was taking place, leading us to believe that the issue is taking place outside of the Outlook application.

-MS O365 Support then brushed it off as Incident EX152471, which was announced as resolved yesterday evening, but the problem still persists in our environment.

 

The ONLY workaround that we found is adding "DisableAADWAM" to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\, and giving it a DWORD value of 1. But disabling Web Access Management is not a solution!

 

Can anyone shed any light on our issue? 

 

Thank you,

 

--Ryan

11 Replies

There's an ongoing service incident (EX152471) causing this; it should be resolved soon.

Vasil,

 

Thanks for your response! Unfortunately, resolution of EX152471 didn't resolve our problem. On this incident's resolution page, Symptom 2 is the only symptom similar to our problem, but AADSTS70002 is not showing up in the AAD Operational Logs of an affected PC.

I have the same issue in some BYOD machines.
After too many tries, the solution was to reinstall the operating system.

Also an ongoing thread about this here (note that the top post in the Uservoice thread mentions the OLD reg key, but recent comments make clear what's currently working):

https://office365.uservoice.com/forums/264636-general/suggestions/32694751-outlook-is-not-syncing-an...

 

Why is this still an issue?

The latest Office update ended up fixing the issue for us.

I've taken to setting the DisableAADWAM key by group policy at clients. So far, I have never once in any way used it, and don't see any benefit to it whatsoever. Bugs, however, have been aplenty.

Why is it on by default?

A colleague of mine was able to resolve this issue using the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
EnableADAL and set to 0

Hope this helps! Cheers!

@Enny6513 in your on-premises environment, this may stop issues, but if you have a server stutter, your users may need to log on again.

 

Also, Outlook without ADAL will not be able to connect to Office 365 after October. Something to consider.

We were having the same issue on Windows 10 V 1703 and MS gave us a regedit that seemed to fix the issue (for us, on Windows 10 V 1703). Add the following:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DisableADALatopWAMOverride
dword value 1

After that, modern auth was working again.

@Lewis-H 

 

Windows 10 1703 is out of support. 

 

I strongly advise you to update to the latest Windows 10 build and remove the registry key.

Is this the official fix? We have thousands of non-technical users and asking them to edit the registry will no doubt create more problems than we can practically solve.
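
The following is an added example, not part of any post in this thread and not Microsoft's own tooling: a PowerShell check that reports which of the three Identity values mentioned above (DisableADALatopWAMOverride, DisableAADWAM, EnableADAL) are set for the current user, so that applied workarounds can be inventoried and later removed. The key path and value names come from the thread; the function name `Get-OfficeIdentityOverride` and the output fields are assumptions made for this example.

```powershell
# Added example: inventory the Identity values named in this thread for the current user.
# Key path and value names are taken from the thread; the function name and the
# shape of the output objects are hypothetical.
function Get-OfficeIdentityOverride {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
    )

    # Value name -> the setting that posters in the thread applied as a workaround.
    $workarounds = [ordered]@{
        'DisableADALatopWAMOverride' = 1
        'DisableAADWAM'              = 1
        'EnableADAL'                 = 0
    }

    # The key may not exist at all on a machine where Office never wrote it.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $workarounds.Keys) {
        $present = ($null -ne $key) -and ($key.GetValueNames() -contains $name)
        $value   = $null
        $kind    = $null
        if ($present) {
            $value = $key.GetValue($name)
            $kind  = $key.GetValueKind($name)
        }

        [pscustomobject]@{
            Name            = $name
            Present         = $present
            Kind            = $kind
            Value           = $value
            # True only when the value is a DWORD equal to the thread's workaround setting;
            # a string "1" or any other type is reported as present but not counted.
            WorkaroundInUse = $present -and ($kind -eq 'DWord') -and ($value -eq $workarounds[$name])
        }
    }
}

Get-OfficeIdentityOverride | Format-Table -AutoSize
```

The function only reads HKCU for the user who runs it and changes nothing, so it can be run in a logon script or remote session to find machines that still carry one of these settings.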