SSO to Office 365 with Chrome


I am having a heck of a time trying to understand why SSO with Chrome is no longer working. 

 

We are federated and auth works with Edge and IE, WIASupportedUserAgents are configured, and SSO works if I use this address:

 

https://portal.office.com?domain_hint=domain.com

 

If we hit https://portal.office.com, I am requested to choose my identity, and then it signs us on. One other detail is that we are using Alternate login IDs for auth.

1 Reply

@bglmarks 

Just a few ideas; not sure if this is really related to the issue you describe, or rather, it is hard to say without traces ;).

 

Possibility 1:

There have been recent changes in the Chrome security model (related to cookie handling) which basically impact multiple Microsoft cloud endpoints.

 

Microsoft article:

https://docs.microsoft.com/en-us/office365/troubleshoot/miscellaneous/chrome-behavior-affects-applications

 

See the recommendations in this article if you are using ADFS for federated authentication.

 

Ping Identity summarizes this:

https://support.pingidentity.com/s/question/0D51W00007WSOmpSAH/google-chrome-vsn-80-new-browser-security-model-may-impact-sso

 

So depending on your IDP (you mentioned federated authentication) you might have to run some updates.

 

Possibility 2:

This depends on your setup, but in most environments the user/browser requests a Kerberos ticket to authenticate against the federation service. There might be an issue there... one easy way to check on the client whether there is a valid ticket is the klist command-line tool, which will show you all cached tickets.

If there is no ticket, either the request to the domain controller failed, or some browser setting is wrong, e.g. the IDP URL is not in your trusted sites config, etc.

 

Possibility 3:

You have a conditional access control in place which requires a managed device or an AAD hybrid joined device. In this case you need the MS Accounts extension installed in the Chrome browser, and the device must be either AAD hybrid joined or Intune managed.

 

hth,

 

Claus
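The following PowerShell script is an added diagnostic for possibilities 1 and 2 in the reply above; it is not code from the original thread or from Microsoft. It assumes the federation service is AD FS at a placeholder host name `sts.domain.com` and that Office 365 is the WS-Fed relying party `urn:federation:MicrosoftOnline`. It checks three things the reply points at: whether `WIASupportedUserAgents` on the AD FS server matches Chrome's user agent, whether the client can obtain a Kerberos ticket for the AD FS SPN (the `klist` check), and whether the cookies AD FS sets carry `SameSite=None; Secure`, which is what the Chrome 80 cookie change requires for cookies that must survive a cross-site POST.

```powershell
# Added diagnostic script, not part of the original thread. Placeholders:
# $FederationHost is your AD FS FQDN; the realm is the Office 365 WS-Fed relying party.
# Run Test-WiaUserAgents on an AD FS server; run the other two functions on a
# domain-joined Windows client on which Chrome SSO fails.
param([string]$FederationHost = 'sts.domain.com')   # placeholder, replace with your AD FS FQDN

# Chrome on Windows sends a UA starting "Mozilla/5.0 (Windows NT ...". AD FS only offers
# Negotiate (Windows Integrated Auth) to user agents matching WIASupportedUserAgents;
# without a match the user gets the forms logon page instead of silent SSO.
function Test-WiaUserAgents {
    $agents = (Get-AdfsProperties).WIASupportedUserAgents
    $match  = $agents | Where-Object { $_ -like 'Mozilla/5.0 (Windows NT*' }
    if (-not $match) {
        Write-Warning 'No WIASupportedUserAgents entry matches Chrome on Windows.'
        Write-Host 'Fix on the primary AD FS server, then restart the adfssrv service:'
        Write-Host '  Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties).WIASupportedUserAgents + "Mozilla/5.0 (Windows NT")'
        return $false
    }
    Write-Host "WIA user agents matching Chrome: $($match -join ', ')"
    return $true
}

# The browser authenticates to AD FS with a Kerberos service ticket for HTTP/<adfs-fqdn>.
# 'klist get' asks the KDC for exactly that ticket, so a failure here points at the DC,
# the SPN registration or the logon session rather than at the browser.
function Test-FederationTicket {
    $spn = "HTTP/$FederationHost"
    & klist.exe get $spn 2>&1 | Out-Null          # request the ticket (no-op if already cached)
    $cache = & klist.exe 2>&1 | Out-String        # list cached tickets; labels may be localized
    if ($cache -match ('(?i)' + [regex]::Escape($spn) + '\s*@')) {
        Write-Host "Kerberos ticket for $spn is in the cache."
        return $true
    }
    Write-Warning "No Kerberos ticket for $spn. Check DC reachability, the SPN and the client logon session."
    return $false
}

# Chrome 80 treats a cookie with no SameSite attribute as SameSite=Lax and rejects
# SameSite=None cookies that are not Secure, so such cookies are not sent on cross-site
# POSTs (e.g. the WS-Fed/SAML form post in the federation flow). This lists the
# Set-Cookie headers returned by the first hop of the AD FS sign-in and flags any cookie
# that is not marked "SameSite=None; Secure".
function Test-SameSiteCookies {
    $uri = "https://$FederationHost/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline"
    $req = [System.Net.HttpWebRequest]::Create($uri)
    $req.UseDefaultCredentials = $true     # attempt Negotiate like the browser would
    $req.AllowAutoRedirect    = $false     # inspect the first response, not the redirect target
    $req.UserAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36'
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }   # 401/4xx still carry headers
    if (-not $resp) { Write-Warning "No HTTP response from $uri"; return $false }
    $status     = [int]$resp.StatusCode
    $setCookies = $resp.Headers.GetValues('Set-Cookie')
    $resp.Close()
    if (-not $setCookies) { Write-Host "HTTP $status with no Set-Cookie headers on this hop."; return $true }

    $ok = $true
    foreach ($c in $setCookies) {
        $parts = $c -split ';' | ForEach-Object { $_.Trim() }
        if ($parts[0] -notmatch '^[^=\s]+=') { continue }     # skip fragments of a comma-split Expires date
        $name = ($parts[0] -split '=', 2)[0]
        # -contains on a string array is case-insensitive in PowerShell
        if (($parts -contains 'SameSite=None') -and ($parts -contains 'Secure')) {
            Write-Host "OK   $name  (SameSite=None; Secure)"
        } else {
            Write-Warning "$name is not 'SameSite=None; Secure'; Chrome 80+ withholds it on cross-site requests."
            $ok = $false
        }
    }
    return $ok
}

# Pick the checks for the host this is run on: the AD FS cmdlets exist only on an AD FS server.
if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    Test-WiaUserAgents
} else {
    Test-FederationTicket
    Test-SameSiteCookies
}
```

Run the script from an elevated PowerShell session on the AD FS server for the user-agent check, and from the affected user's session on a client for the other two (the Kerberos check must run as the user who is failing SSO, because `klist` only sees that logon session's ticket cache). A cookie flagged by `Test-SameSiteCookies` means the fix belongs on the IDP side, which is what the Microsoft and Ping Identity articles linked above describe.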