SSO in Office 365 ProPlus on Citrix VDA/RDS - Sign in Prompt

%3CLINGO-SUB%20id%3D%22lingo-sub-1504255%22%20slang%3D%22en-US%22%3ESSO%20in%20Office%20365%20ProPlus%20on%20Citrix%20VDA%2FRDS%20-%20Sign%20in%20Prompt%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1504255%22%20slang%3D%22en-US%22%3E%3CP%3ETrying%20to%20get%20some%20understanding%20on%20what's%20considered%20as%20normal%20behavior%20for%20SSO%20on%20Office365%20Apps%20on%20RDS%2FCitrix%20VDA%20(Shared%20Enviro)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEnviro%3A%3C%2FP%3E%3CP%3EAzure%20AD%20connect%20-%20Password%20Hash%20Sync%20-%20SSO%20Enabled%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20thought%20with%20SSO%20enabled%20it%20would%20allow%20seamless%20integration%20so%20that%20when%20a%20user%20logs%20onto%20a%20computer%2C%20they%20are%20automatically%20signed%20into%20Office365.%26nbsp%3B%20However%20this%20does%20not%20seem%20to%20be%20the%20case%2C%20users%20are%20occasionally%20prompted%20to%20Sign%20In%20for%20Activation.%26nbsp%3B%20Is%20this%20normal%20behavior%20with%20SSO%20Enabled%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20also%20followed%20instructions%20for%26nbsp%3B%3CSPAN%3Eshared%20computer%20activation%20configuration.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fpl-pl%2Fdeployoffice%2Foverview-shared-computer-activation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fpl-pl%2Fdeployoffice%2Foverview-shared-computer-activation%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EBut%20in%20that%20article%20is%20suggest%20using%20SSO.%26nbsp%3B%20I've%20enabled%20SSO%20via%20this%20instructions%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-sso-quick-start%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-sso-quick-start%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20have%20any%20suggestions%3F%20Curious%20whether%20Pass-Thru%20Authentication%20should%20be%20used%20rather%20than%20Password%20Hash%20Sync%3B%20however%2C%20both%20can%20enable%20SSO.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Trying to get some understanding on what's considered as normal behavior for SSO on Office365 Apps on RDS/Citrix VDA (Shared Enviro)

 

Enviro:

Azure AD connect - Password Hash Sync - SSO Enabled

 

I thought with SSO enabled it would allow seamless integration so that when a user logs onto a computer, they are automatically signed into Office365.  However this does not seem to be the case, users are occasionally prompted to Sign In for Activation.  Is this normal behavior with SSO Enabled?

 

I've also followed instructions for shared computer activation configuration.

https://docs.microsoft.com/pl-pl/deployoffice/overview-shared-computer-activation

But in that article is suggest using SSO.  I've enabled SSO via this instructions:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

 

Does anyone have any suggestions? Curious whether Pass-Thru Authentication should be used rather than Password Hash Sync; however, both can enable SSO.

 

 

 

2 Replies

@damianmark I have the same question, have you got the chance to get an answer anywhere?

Hello,

 

I've the same settup and saw the same problem.

I used the article https://support.citrix.com/article/CTX263465 but it doesn't solve my problem.

 

First of all I disabled MFA in azure ad for this tenant.  I think it's contradicorial to have SSO but enforce to use MFA.  Keep in mind, my customers are very samll ocmpanys and don't have azure ad premium or E3 E5.

Because this limitation, we cannot use trused ip to disable MFA only for the XenApp servers.

 

This is my problem:

When using seamless mode, Office 365 always asked to login and activation isn't stored.

The workaround is to login in a full screen and activate, but after a while, 30 days token, the login screen reappaer.

 

I create a support ticket at Citix (Citrix - 80222815) and they tolled me to add an adiditional regsitry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
  • Name = DisableAADWAM
  • Type = REG_DWORD
  • Value = 1

So SSO was working already (you an test this by https://myapps.microsoft.com/yourdomain).

After this change Office 365 was able to activate and token is update at %localappdata%\microsoft\office\16.0\licensing

 

Beacuse I don't understand the change in the registry (what I'm doing exactly) I created a case with Microsoft (Case 23508770).

I got 9 engineers in a periode of 2 months but nobody understands seamless mode.  The most of them where thinking I'm using office web apps because they where confused by login in with netsclaer/storefront.

After 2 months Microsoft concluded that this was a Citrix only problem and that the 2 registry keys (article + additional) may not been modified because this will disable mondern authentication.

 

Therefor I replied today to the solution of Citrix that there solotuin isn't supported by Microsoft.

I also asked that Citrix will taken this problem to Microsoft because they have an great relationship.

 

Today I use the Citrix solution that isn't supported.

 

With 30 days I will know if it is still working.

(when I remove the idnetity key in the registery and remove the tokens, it seem to work).

 

Kr,

 

Roel Niesen