Teams / Federated Authentication / macOS Client


Hi,

 

This question was initially posted in the Answers forum:

Teams / Authentification Fédéré / Client MacOS - Microsoft Community


"We have been having federated connection issues with Teams only since MAC OS X since the last version of the customer. The web connection works without worries.

We get an error code: -1200

We use Azure AD Connect to populate our AzureAD, and federal authentication to authenticate (sic) our users. No problems on Windows Linux or Android iOS customers....

When we search the customer's logs, we find some strange messages:
Wed Feb 03 2021 21:59:59 GMT-0100 (Central European Standard Time) <17495> -- info -- Modern authentication has failed, but you will still be able to log in. The code for your status is 2:-1200. diag:0

Wed Feb 03 2021 21:59:59 GMT+0100 (heure normale d'Europe centrale) <17495> -- event -- Microsoft.ADAL.x_client_cpu: 32, Microsoft.ADAL.x_client_os: 10.15.7, Microsoft.ADAL.api_error_code: -1200, Microsoft.ADAL.status: failed, Microsoft.ADAL.authority_type: aad, Microsoft.ADAL.response_time: 22912.654996, Microsoft.ADAL.ntlm: , Microsoft.ADAL.request_id: AF600A59-0E77-4AA0-BE42-74D7CCAE05A6, Microsoft.ADAL.is_successfull: no, Microsoft.ADAL.api_id: 133, Microsoft.ADAL.extended_expires_on_setting: no, Microsoft.ADAL.error_domain: NSURLErrorDomain, Microsoft.ADAL.prompt_behavior: AD_PROMPT_AUTO, Microsoft.ADAL.authority_validation_status: yes, Microsoft.ADAL.x_client_sku: OSX, Microsoft.ADAL.x_client_ver: 4.0.9, Microsoft.ADAL.cache_event_count: 4, Microsoft.ADAL.correlation_id: D747B73D-AD0B-452F-A357-1E8A063C4FC2, Microsoft.ADAL.ui_event_count: 1, vdiMode: 0, eventpdclevel: 2,

Wed Feb 03 2021 21:36:02 GMT+0100 (heure normale d'Europe centrale) <17233> -- event -- Microsoft.ADAL.prompt_behavior: AD_PROMPT_AUTO, Microsoft.ADAL.oauth_error_code: , Microsoft.ADAL.response_time: xxx xx xxxx, Microsoft.ADAL.is_successfull: no, Microsoft.ADAL.correlation_id: 8A1CB0A7-D37C-494C-B387-E36C1874E682, Microsoft.ADAL.request_id: F734D42E-4D0F-4F78-93E4-AE8008D604E1, Microsoft.ADAL.api_id: 9, Microsoft.ADAL.api_error_code : AD_ERROR_SERVER_USER_INPUT_NEEDED, Microsoft.ADAL.authority_type: aad, Microsoft.ADAL.extended_expires_on_setting: no, Microsoft.ADAL.x_client_cpu: 32, Microsoft.ADAL.authority_validation_status: yes, Microsoft.ADAL.cache_event_count: 4, Microsoft.ADAL.response_code: 200, Microsoft.ADAL.x_client_sku: OSX, Microsoft.ADAL.x_client_os: 10.15.7, Microsoft.ADAL.x_client_ver: 4.0.9, Microsoft.ADAL.status: failed, Microsoft.ADAL.error_domain: ADAuthenticationErrorDomain, Microsoft.ADAL.http_event_count: 1, vdiMode: 0, eventpcledvel: 2,"

The first reflex was to remove cached data in these directories:

 

~/Library/Caches/com.microsoft.teams
~/Library/Caches/com.microsoft.teams.shipit
~/Library/Application Support/Microsoft/Teams
~/Library/Application Support/Microsoft/Teams/Application Cache/Cache
~/Library/Application Support/Microsoft/Teams/blob_storage
~/Library/Application Support/Microsoft/Teams/Cache
~/Library/Application Support/Microsoft/Teams/databases
~/Library/Application Support/Microsoft/Teams/GPUCache
~/Library/Application Support/Microsoft/Teams/IndexedDB
~/Library/Application Support/Microsoft/Teams/Local Storage
~/Library/Application Support/Microsoft/Teams/tmp

 

thanks in advance!


Thanks @mouadcherkaoui for the post!

 

We are wondering if this is related to any security parameter regarding SSL or something else. The process of authentication is:

 

Azure -> SAML Portal -> CAS Portal -> SAML Portal -> Azure.

 

The login process is broken somewhere between Azure and the CAS portal since the login page does not even pop up.

 

The login window does not allow the use of DevTools or any shortcut to show the URIs that the Teams app is trying to consult. Nothing in the log files except the errors shown in the first post.

 

A support ticket has been open since last week.

 

Regards,

GS.

@guenaelsanchez 

it's all my pleasure! Welcome!

 

I think, since it is working on other platforms, it should be more about the macOS use case, which handles keychains and caches them its own way. Can you create a user account and see if it works? I shared in the "answers forum" a resolution which, in addition to removing cache files, suggests using the Keychain Access ("Trousseau d'accès") tool to remove cached credentials there too:

 

https://answers.microsoft.com/en-us/msteams/forum/all/microsoft-teams-showing-white-screen-when-tryi...

Niklas Blomqvist's answer is also interesting:

  • Start Teams
  • Click the Teams app in the dock 5 times
  • Click the "Development" option in the menu bar
  • In that menu you have an entry called "Auth". I tried clicking all the "Call ipc" for different auth methods (I can't reproduce the menu as of right now, since I'm logged in and there are additional steps to see those entries when logged in)
  • However, BEFORE you try any Auth-entries, go to "hooks" and "enableMacNativeNotifications" (I think the name was) to get native macOS notifications :) 

hope it helps!

 

Hello,

 

I tried to enable Mac Native Notifications, but it did not change anything.

 

[screenshot of the Auth menu]

 

This is the Auth menu. I tried clicking all items one by one, entered my UPN, and it failed.

 

I also tried removing all the different cache files suggested in the other post, and also deleted every Teams entry in my Keychain, but it did not change anything!

 

Regards,

GS

 

 

So ...

 

Error -1200 seems to be related to ATS (App Transport Security) / SSL options, ciphers, versions...

 

Our Federated Identity Authentication Server seems not to be quite compliant with the latest SSL standards! Since we host it directly, we asked for an SSL/TLS/ATS fix.

 

On macOS you can use the command:

/usr/bin/nscurl --ats-diagnostics https://MySSLServer.FQDN/ (add --verbose if needed)

 

The output is (I just changed our server FQDN):

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://Server.FQDN/, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BCF6DDA1-01D8-4D1E-9E17-46EE9364D4A0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <BCF6DDA1-01D8-4D1E-9E17-46EE9364D4A0>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://Server.FQDN/, NSUnderlyingError=0x7febf9c12020 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9858}}, _kCFStreamErrorCodeKey=-9858}

---

 

See the error code? -1200, just like what the Teams client reports... Maybe the last version of the Teams desktop client is more "picky" on security topics.

 

To be continued !

 

GS
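The nscurl check above only runs on macOS. As an added example for this thread (not code from the posts, from Apple or from Microsoft), the script below approximates `nscurl --ats-diagnostics` from any machine: it records what a server negotiates with Python's ssl module and scores the result against the App Transport Security baseline (TLS 1.2 or later, ECDHE forward-secret AES suites, RSA keys of at least 2048 bits or EC keys of at least 256 bits, certificate signed with SHA-256 or stronger). The scoring rules and the `TlsFacts`, `evaluate_ats`, `probe` and `ats_report` names are this example's own; it is an approximation of ATS, not ATS itself.

```python
"""Portable approximation of `nscurl --ats-diagnostics` (added example, not from the thread)."""
import socket
import ssl
from dataclasses import dataclass


@dataclass
class TlsFacts:
    version: str        # negotiated protocol, e.g. "TLSv1.2"
    cipher: str         # OpenSSL suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    key_type: str = ""  # "RSA" or "EC"; empty when not known
    key_bits: int = 0   # public key size; 0 when not known
    sig_hash: str = ""  # certificate signature hash, e.g. "sha256"; empty when unknown


# OpenSSL names of the TLS 1.2 suites that ATS accepts (all ECDHE, all AES).
ATS_TLS12_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
})


def evaluate_ats(facts: TlsFacts) -> list:
    """Return the ATS violations found; an empty list means the endpoint passes."""
    problems = []
    if facts.version not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"protocol {facts.version} is below the TLS 1.2 minimum")
    # Every TLS 1.3 suite is AEAD with ephemeral key exchange, so only
    # older negotiations need the explicit allow-list.
    if facts.version != "TLSv1.3" and facts.cipher not in ATS_TLS12_CIPHERS:
        problems.append(f"cipher {facts.cipher} is not an ATS-approved forward-secret suite")
    if facts.key_type == "RSA" and 0 < facts.key_bits < 2048:
        problems.append(f"RSA key of {facts.key_bits} bits is below 2048")
    if facts.key_type == "EC" and 0 < facts.key_bits < 256:
        problems.append(f"EC key of {facts.key_bits} bits is below 256")
    if facts.sig_hash.lower() in ("md5", "sha1"):
        problems.append(f"certificate signature uses {facts.sig_hash}; SHA-256 or stronger is required")
    return problems


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsFacts:
    """Open one TLS connection and record what was negotiated (needs network access).

    Key size and signature hash stay unknown here; fill them in from
    `openssl x509 -text` output if those two checks are needed as well.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return TlsFacts(version=tls.version(), cipher=name)


def ats_report(facts: TlsFacts) -> str:
    """Render a verdict in the spirit of nscurl's `Result : PASS/FAIL` line."""
    problems = evaluate_ats(facts)
    if not problems:
        return "Result : PASS"
    return "Result : FAIL\n" + "\n".join(f"  - {p}" for p in problems)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    try:
        print(ats_report(probe(target)))
    except ssl.SSLError as exc:
        # Python's default context itself refuses TLS < 1.2 and untrusted chains,
        # so a handshake error is a FAIL in its own right.
        print(f"Result : FAIL\n  - handshake refused: {exc}")
```

Run it as `python3 ats_check.py sts.example.org` against the federation server; a `FAIL` with a cipher or protocol finding is the same class of problem that ATS reports as `NSURLErrorDomain Code=-1200`, and the list tells the server team what to change.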

 

Hi @guenaelsanchez 

 

here is the explanation of the error code constant AD_ERROR_SERVER_USER_INPUT_NEEDED:

AD_ERROR_SERVER_USER_INPUT_NEEDED

User needs to re-authorize resource usage. This error is raised when access token cannot be obtained without user explicitly re-authorizing, but the developer has called acquireTokenSilentWithResource method. To obtain the token, the application will need to call acquireTokenWithResource after this error to allow the library to give user ability to re-authorize (with web UI involved).

(from ADErrorCodes.h)

 

This can be confirmed through the Azure portal, in the Azure AD Monitoring section under Sign-ins, with request-id F734D42E-4D0F-4F78-93E4-AE8008D604E1.

It also seems to be related to a domain error:

 

Microsoft.ADAL.extended_expires_on_setting: no, Microsoft.ADAL.error_domain: NSURLErrorDomain, Microsoft.ADAL.prompt_behavior: AD_PROMPT_AUTO, Microsoft.ADAL.authority_validation_status: yes, Microsoft.ADAL.x_client_sku: OSX, Microsoft.ADAL.x_client_ver: 4.0.9, Microsoft.ADAL.cache_event_count: 4, Microsoft.ADAL.correlation_id: D747B73D-AD0B-452F-A357-1E8A063C4FC2,

 

This confirms your finding. I think taking a look at the Azure AD logs can give more information, as well as the logs from the external authentication provider.

 

I'm still unable to reproduce the same architecture; I need to go through some documentation!

 

Best Regards.
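The log excerpt in the first post and the error-code explanation just above describe two different failures that look alike in the Teams client: `NSURLErrorDomain` with `api_error_code: -1200` (the client refused the TLS connection to the federation endpoint) and `ADAuthenticationErrorDomain` with `AD_ERROR_SERVER_USER_INPUT_NEEDED` (a silent token request that needs an interactive prompt). As an added example for this thread (not code from the posts or from Microsoft), the script below parses the `Key: value` fields of the `-- event --` lines and labels each one from the (error_domain, api_error_code) pair. The sample log is constructed from the field names quoted in the thread, with placeholder ids and shortened lines, and the classification table is this example's own assumption, not a Microsoft-published mapping.

```python
"""Triage helper for the ADAL event lines written by the Teams macOS client (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: field names as quoted in the thread, placeholder ids, shortened lines.
SAMPLE_LOG = """\
Wed Feb 03 2021 21:59:59 GMT+0100 (CET) <17495> -- info -- Modern authentication has failed, but you will still be able to log in. The code for your status is 2:-1200. diag:0
Wed Feb 03 2021 21:59:59 GMT+0100 (CET) <17495> -- event -- Microsoft.ADAL.x_client_os: 10.15.7, Microsoft.ADAL.api_error_code: -1200, Microsoft.ADAL.status: failed, Microsoft.ADAL.is_successfull: no, Microsoft.ADAL.api_id: 133, Microsoft.ADAL.error_domain: NSURLErrorDomain, Microsoft.ADAL.correlation_id: 00000000-0000-0000-0000-000000000001, vdiMode: 0, eventpdclevel: 2,
Wed Feb 03 2021 21:36:02 GMT+0100 (CET) <17233> -- event -- Microsoft.ADAL.prompt_behavior: AD_PROMPT_AUTO, Microsoft.ADAL.oauth_error_code: , Microsoft.ADAL.is_successfull: no, Microsoft.ADAL.correlation_id: 00000000-0000-0000-0000-000000000002, Microsoft.ADAL.api_id: 9, Microsoft.ADAL.api_error_code : AD_ERROR_SERVER_USER_INPUT_NEEDED, Microsoft.ADAL.response_code: 200, Microsoft.ADAL.status: failed, Microsoft.ADAL.error_domain: ADAuthenticationErrorDomain, vdiMode: 0,
Wed Feb 03 2021 21:36:05 GMT+0100 (CET) <17233> -- event -- Microsoft.ADAL.api_id: 9, Microsoft.ADAL.status: succeeded, Microsoft.ADAL.is_successfull: yes, Microsoft.ADAL.error_domain: , vdiMode: 0,
"""

LINE_RE = re.compile(r"^(?P<ts>.+?) <(?P<pid>\d+)> -- (?P<level>\w+) -- (?P<body>.*)$")
FIELD_RE = re.compile(r"(?P<key>[A-Za-z_.]+)\s*:\s*(?P<value>[^,]*)")  # tolerates "key : value"
STATUS_RE = re.compile(r"status is (?P<kind>\d+):(?P<code>-?\d+)")
PREFIX = "Microsoft.ADAL."

# Classification table: this example's own mapping of (error_domain, api_error_code) pairs.
EXPLANATION = {
    "tls_transport_failure": "client refused the TLS connection (NSURLErrorDomain -1200); "
                             "check the federation endpoint's TLS configuration against ATS",
    "interactive_auth_required": "silent token acquisition refused (AD_ERROR_SERVER_USER_INPUT_NEEDED); "
                                 "an interactive sign-in prompt is required",
    "success": "token call succeeded",
    "info": "informational line",
    "unclassified": "failure not matched by a known rule",
}


@dataclass
class Event:
    timestamp: str
    pid: int
    level: str
    fields: dict = field(default_factory=dict)
    category: str = "unclassified"


def parse_fields(body: str) -> dict:
    """Split an event body into a dict, dropping the Microsoft.ADAL. prefix; empty values stay ''."""
    out = {}
    for m in FIELD_RE.finditer(body):
        key = m["key"]
        if key.startswith(PREFIX):
            key = key[len(PREFIX):]
        out[key] = m["value"].strip()
    return out


def classify(fields: dict) -> str:
    """Label one event from its status, error_domain and api_error_code."""
    if fields.get("status") == "succeeded" or fields.get("is_successfull") == "yes":
        return "success"
    domain = fields.get("error_domain", "")
    code = fields.get("api_error_code", "")
    if domain == "NSURLErrorDomain" and code == "-1200":
        return "tls_transport_failure"
    if domain == "ADAuthenticationErrorDomain" and code == "AD_ERROR_SERVER_USER_INPUT_NEEDED":
        return "interactive_auth_required"
    return "unclassified"


def parse_log(text: str) -> list:
    """Parse every recognisable line; info lines keep only the 'status is N:M' code."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = Event(m["ts"], int(m["pid"]), m["level"])
        if ev.level == "event":
            ev.fields = parse_fields(m["body"])
            ev.category = classify(ev.fields)
        else:
            s = STATUS_RE.search(m["body"])
            ev.fields = {"status_kind": s["kind"], "status_code": s["code"]} if s else {}
            ev.category = "info"
        events.append(ev)
    return events


def summarize(events: list) -> Counter:
    """Count events per category, the quick view of what kind of failure dominates a log."""
    return Counter(e.category for e in events)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ev in parsed:
        print(f"{ev.timestamp} <{ev.pid}> {ev.category}: {EXPLANATION[ev.category]}")
    print(dict(summarize(parsed)))
```

Pointing `parse_log` at the real client log instead of `SAMPLE_LOG` gives a per-line verdict, and the `correlation_id` / `request_id` fields it keeps are the values to look up under Azure AD Sign-ins, as suggested above.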

 
 
I'm thinking about using the developer tools console to use ADAL to invoke the acquireTokenWithResource() method to force the sign-in popup!

@mouadcherkaoui Thanks for the digging!

 

We are waiting for the appropriate fix to be applied on the authentication portal. No ETA AFAIK.

 

Will keep you informed.

Regards,

GS.

@guenaelsanchez 

I have the same issue!

I discovered exactly the same problem: always a "white screen" and Error 1:403 when closing MS Teams!

In the log file "AD_ERROR_SERVER_USER_INPUT_NEEDED" always occurs, as "acquireTokenSilentWithResource" gets called instead of "acquireTokenWithResource"!!

I tried everything -> delete/reinstall Teams, deleting keychains, caches, "Library/Application Support", as mentioned in nearly every article about issues with MS Teams on macOS.

Finally I found the problem: we use "NoMAD" for managing our AD Kerberos tickets on our company Macs. When logged into "NoMAD" with my AD user, I don't get the "prompt" for re-authenticating within MS Teams; if I don't log into "NoMAD", everything works as it should: first start MS Teams and ONLY AFTERWARDS log into "NoMAD"!!!

This issue cost me all my nerves, as I could only use the browser-based version of MS Teams and not the desktop version.

This leads to the question whether this is a bug only with NoMAD and MS Teams, or with every AD helper installed on macOS???