SSO issues in Word and Excel, but not Outlook

Hi,

 

Strange issue started a month ago at a customer site. They use RDS with Office 365 installed. Historically this has been working fine, then it randomly stopped signing in properly for all users. We can't pin it down to anything specific however. Network / User / Settings all look good.

 

What is strange is on first login to Outlook, it says it's done SSO but says unlicensed. A simple restart then would show it licensed. We have managed to work round that issue by saving the license folder \appdata\local\microsoft\office\ to the UPD. 

So for this, a month ago, new and existing users would just sign in and it worked. Then something changed and users were being asked to sign in every time. So we have made this change to include \appdata\local to the UPD - now users only see this problem once (a month). While not as good as it was a month ago, it is acceptable.

 

However, and this is what I need help with. SSO is NOT working at all from Word / Excel.

Open Word

Blank Microsoft Sign In box pops up.

You have to type username and hit enter

You then have to type your password and hit Sign In

That popup then goes away, but at the top right of Word, it still shows "Sign In".

When you go to Account, it still has a Sign in box.

BUT... if you now close and reopen word, both of those show the signed in user.

 

The problem here is that this doesn't persist over the UPD, so happens every time the users open Word or Excel. As this is used by a business app to open docs, it's actually breaking the process and we need to fix this.

 

I have been having a look at SSO info, because it feels like something fairly low level has changed with how this works, but can't find anything helpful, hence posting here after about a month of searching and trying things.

 

It's not very helpful when you have MS links like: 

How to use Remote Connectivity Analyzer to troubleshoot single sign-on issues for Microsoft 365, Azure, or Intune

https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/active-directory/single-sign-on-issues

 

How to run Remote Connectivity Analyzer to test SSO authentication

To run Remote Connectivity Analyzer to test SSO authentication, follow these steps:

  1. Open a web browser, and then browse to https://www.testconnectivity.microsoft.com/tests/SingleSignOn/input.

 

However, that page just hangs with LOADING written on it. Then on the change notes for this page we see that it was removed in 2022!

 

Version 4.0.15 (October 2022)

  • Removed the Single Sign-on Test now that basic authentication in Exchange Online is being disabled.

 

Quick note on the setup. 

AD is synced to Entra using Entra Connect (Password Hash Sync + SSO enabled), latest version. SSO URLs are added to Internet trusted sites as per setup instructions. Network has been tested and all URLs accessible and working for the user. User is on RDS on fully updated Server 2016 and is on the latest Office 365 app updates.

 

So I guess my first question is:

 

1) Does SSO still work for Word and Excel?

Is it a realistic expectation that the user will sign in to the PC and then Word and Excel will automatically sign in for the user (proper seamless single sign on) like it was doing only a month or so ago?

 

2) What can I do to test and troubleshoot this if it should be working?

I have been trying for a month, so I have already tried a lot of things. But maybe I am missing some tests?

 

Any info to help get this working again (or that it's no longer possible and we missed that instruction from MS) would be ideal.

 

Thanks in advance

 

16 Replies
Hi,

A lot of people are currently experiencing a similar issue with SSO.
It might be due to the fact that Microsoft is after changing the Windows Single sign on experience. In order to be compliant with the Digital Markets Act (DMA) within the European Economic Area (EEA), Microsoft has started altering how Windows operates to align with global regulations like the DMA. One significant change involves the sign-in process for apps on Windows.
If you look at the sign-in logs for the users and see error code 9002341 or similar with the failure reason being "User is required to permit SSO", have a read through my blog post below.

https://www.welkasworld.com/post/tackling-mfa-fatigue-a-solution-for-sign-in-error-code-9002341-user...

Hopefully this helps.
That sounded really hopeful, but sadly it's not that. I don't see any failures in the sign in logs for the Office sign ins.

What is weird is that SSO does work if you launch Outlook twice. Yet it will never automatically work if you launch Word or Excel as many times as you like.

It definitely feels like something is happening with Office itself all of a sudden, or maybe Windows Server... but if that was the case I would expect this to impact more people and see more posts about this. Having done an "in the last month" search for this, very few hits.
Actually, slight amendment to that. SSO works normally from Outlook, it's just the license took 2 logins to pull down until we started saving the \appdata\local\microsoft\office folder.

However, on a new login you can do the following.

1) Start word, get prompted to sign in via pop up.
2) cancel and close Word.
3) Start word, get prompted to sign in via pop up.
4) cancel and close Word.
5) Start word, get prompted to sign in via pop up.
6) cancel and close Word.
7) You can do this all day...
8) START OUTLOOK. A sign in window pops up and does something automatically and signs you in. (proper seamless SSO).
9) Start Word, it's signed in.

So, SSO is working in Outlook, but not Word or Excel.

SSO also works as expected to share sharepoint.com - login happens seamlessly, nothing to type in etc.

It's just Word and Excel that it doesn't work for.
Sorry my suggestion didn't work. That's a really strange issue your customer is experiencing.
It's either something to do with licensing or perhaps a Windows update if it's all been working fine up until about a month ago.
I would probably try to delete Office365 credentials saved in the credential manager if that's not too much of a hassle, then try and sign into Outlook, once signed in, within the Outlook app go File> Office Account > update license, then restart the app and try and open up Word and Excel afterwards and see if they still go into an authentication loop.
I did hear about Word and Excel issues (not necessarily authentication related) when some of our customers assigned Copilot licenses for example.
Do any of the logs (Entra ID + Event viewer etc.) show any errors/ interrupted sign ins at all?
Hi,

I've tried most if not all of that already. Not about till next week to try anything else but in summary.

Have tried this with a brand new profile (nothing to clear from cred mgr etc). Same problems.

Have tried rolling back updates, again same deal (which surprised me, as I was sure it would be updates).

Copilot is not used in the estate.

There are no errors showing in the logs on the client / RDS / AD / Entra.

I have even tried running Fiddler and WireShark to see if I could find something being blocked, but nothing.

More testing will be done next week. Thanks for your reply.
We're experiencing the same issue. When starting Word, there's no SSO experience, we get a login prompt. After which we get notices about usage. If we don't log on, Office isn't licensed. We also use shared computer licensing. If we log on, that's ok. I would greatly appreciate it if you would keep me/us posted on your progress. I'll do the same, if I make any progress.
No progress so far, though the customer has done some testing and it seems like the connected services within Word may not be signing in and that's what's throwing the prompt. More investigation needs doing, but I am not going to get chance till later in the week. But we are building a new server which only had Office on it, none of the other apps or policies, so we can rule a lot of things out quickly.
Ok, I opened a support ticket at Microsoft premium support. I'll keep you updated about the result(s), if any.
We have yet to finish the test build due to illness. Hopefully early this week. @koenwalraevens did you have any joy with MS?
Hi,

I'm waiting for your update as well. I have the same problem, since the last update it is impossible to make SSO work on the applications (however works on the office portal from MS edge). The only thing I noticed is that the "autologon" Kerberos tickets no longer appear once the update is done. SSO does not work on outlook. I don't have any signs of error on my console, I don't even see a connection attempt.
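
The missing "autologon" Kerberos ticket mentioned in the post above can be checked from inside the affected session. This is an added example, not part of the original thread; the function names and the sample `klist` text are constructed for illustration, and the SPN is the one Entra Connect Seamless SSO registers on the AZUREADSSOACC computer account.

```powershell
# Added example: looks for the Seamless SSO service ticket in klist output.
$SsoSpn = 'HTTP/autologon.microsoftazuread-sso.com'

function Get-KerberosServerName {
    param([string[]]$KlistOutput)
    # klist prints one "Server: <spn> @ <REALM>" line per cached ticket.
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(?<spn>\S+)\s*@\s*(?<realm>\S+)') {
            [pscustomobject]@{ Spn = $Matches.spn; Realm = $Matches.realm }
        }
    }
}

function Test-SeamlessSsoTicket {
    param([string[]]$KlistOutput)
    # True when any cached ticket is for the Seamless SSO SPN.
    $hit = Get-KerberosServerName $KlistOutput |
        Where-Object { $_.Spn -ieq $SsoSpn }
    [bool]$hit
}

# Constructed sample (not captured from a real host): a session that holds
# a TGT and a file-server ticket but no autologon ticket.
$sample = @'
Cached Tickets: (2)

#0>     Client: jdoe @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ EXAMPLE.LOCAL
        Server: cifs/fs01.example.local @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`r?`n"

"Sample session has SSO ticket: $(Test-SeamlessSsoTicket $sample)"

# On the affected RDS session: inspect the cache, request the ticket
# explicitly from the domain controller, then inspect the cache again.
if ($env:OS -eq 'Windows_NT') {
    "Cached before request: $(Test-SeamlessSsoTicket (klist))"
    klist get $SsoSpn | Out-Null
    "Cached after request:  $(Test-SeamlessSsoTicket (klist))"
}
```

A result of False before and True after suggests the domain can issue the ticket and the Office client simply never asked for it; False both times points at the AZUREADSSOACC account or its SPN instead.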
No luck with MS premium support. I opened a ticket for 2 issues (SSO login in outlook and privacy questions after first logon).
Answer from MS Premium Support:
* 'privacy questions after first logon': in Europe it's by design due to new regulations.
* SSO does not 'work' when starting outlook for the first time (we still get a logon prompt even though everything is set up correctly (reg keys)): it is being investigated by the product engineers (PG) and is not a 'big' issue since you can still log on. Hence my case has been closed since it's - in their opinion - not a major issue and is being investigated 'higher up'.
What's ironic, to say the least, is:
- that I cannot log a case with the product engineers team
- the case I opened with O365 premium support is closed
- I get the feedback from O365 premium support that I have to go by them to get feedback from the product engineers.

So I have to ask myself what the status is of the SSO issue to which the answer - until now - always is 'Our Product Groups have not provided an estimated time of arrival for this issue'.

I guess no support is also a form of support...
Ouch.

For us, Outlook works on 2nd try. So open outlook, it asks to sign in. But just close that without signing in and re-open Outlook and it's signed in.

But Word will never sign in (try 100 times and it won't). Once Outlook is signed in though, Word is too on next try.

For the Privacy pop-up, that should be 100% fixable however as we did that. In the Office GPO template there are some options around additional connected services, which when disabled will prevent that pop-up. Let me see if I can find the setting again quickly...

Please forgive the copy/paste formatting, but try this - it solved the privacy pop-up for us.

Microsoft Office 2016/First Run

| Policy | Setting |
| --- | --- |
| Disable First Run Movie | Enabled |
| Disable Office First Run on application boot | Enabled |

Microsoft Office 2016/Privacy/Trust Center

| Policy | Setting |
| --- | --- |
| Allow the use of additional optional connected experiences in Office | Disabled |
| Allow the use of connected experiences in Office | Enabled |
| Allow the use of connected experiences in Office that analyze content | Enabled |
| Allow the use of connected experiences in Office that download online content | Enabled |
| Allow users to include screenshots and attachments when they submit feedback to Microsoft | Disabled |
| Allow users to receive and respond to in-product surveys from Microsoft | Disabled |
| Allow users to submit feedback to Microsoft | Disabled |
| Configure the level of client software diagnostic data sent by Office to Microsoft | Enabled (Type of diagnostic data: Neither) |

| Policy | Setting |
| --- | --- |
| Disable Opt-in Wizard on first run | Enabled |
| Enable Customer Experience Improvement Program | Disabled |
| Send personal information | Disabled |

 

Though if you just want the privacy one, I think the one you are looking for is this one:

Allow the use of additional optional connected experiences in Office Disabled

We have an active ticket with MS Support to see if we can find why Word will no longer do SSO. But given your findings with MS "Support" I am not holding much hope any longer.

Similar here, where it all works fine in Edge and have reconfirmed the whole setup is correct. All good. Outlook does work on 2nd attempt. But Word / Excel / Etc. will never work, so my assumption is something in the Outlook logon / autodiscover process is getting that token and it works from there on restart.

I also see no errors, nothing being blocked and using things like Fiddler, I see nothing trying to connect and failing. It's as if Word etc. has straight up given up even trying to do SSO. I assume MS have broken this in an update, because after weeks of testing, this is the only thing left that it can be!

@DivideByZero May I ask where you are based (or rather the company)? I'm Swiss and this exact issue is bugging several of our domestic customers right now. I thought that maybe something's off with Swiss tenants as they're not an EU member and DMA legislation has not been implemented yet (AFAIK).

Sorry for slow reply, still nothing to report back. Call with MS is currently "being investigated" and no feedback yet.

I, and the customer are both UK based. So also not EU member (any longer).

You could be on the right track, annoyingly we have a lot of American customers but we don't get involved with their O365 / Office stuff, so not sure I'll be able to test that theory. Shame, would be quite easy to test too.

1) New Windows profile
2) Ensure web SSO works via Edge etc.
3) Start Word - does it try and fail SSO?

But sadly, I don't have any way to try that.