Feb 04 2021 04:52 AM
Hi,
this question is initially posted in the answers forum:
Teams / Authentification Fédéré / Client MacOS - Microsoft Community
"We have been having federated connection issues with Teams only since MAC OS X since the last version of the customer. The web connection works without worries.
We get an error code: -1200
We use Azure AD Connect to populate our AzureAD, and federal authentication to authenticate (sic) our users. No problems on Windows Linux or Android iOS customers....
When we search the customer's logs, we find some strange messages:
Wed Feb 03 2021 21:59:59 GMT-0100 (Central European Standard Time) <17495> -- info -- Modern authentication has failed, but you will still be able to log in. The code for your status is 2:-1200. diag:0
Wed Feb 03 2021 21:59:59 GMT+0100 (heure normale d'Europe centrale) <17495> -- event -- Microsoft.ADAL.x_client_cpu: 32, Microsoft.ADAL.x_client_os: 10.15.7, Microsoft.ADAL.api_error_code: -1200, Microsoft.ADAL.status: failed, Microsoft.ADAL.authority_type: aad, Microsoft.ADAL.response_time: 22912.654996, Microsoft.ADAL.ntlm: , Microsoft.ADAL.request_id: AF600A59-0E77-4AA0-BE42-74D7CCAE05A6, Microsoft.ADAL.is_successfull: no, Microsoft.ADAL.api_id: 133, Microsoft.ADAL.extended_expires_on_setting: no, Microsoft.ADAL.error_domain: NSURLErrorDomain, Microsoft.ADAL.prompt_behavior: AD_PROMPT_AUTO, Microsoft.ADAL.authority_validation_status: yes, Microsoft.ADAL.x_client_sku: OSX, Microsoft.ADAL.x_client_ver: 4.0.9, Microsoft.ADAL.cache_event_count: 4, Microsoft.ADAL.correlation_id: D747B73D-AD0B-452F-A357-1E8A063C4FC2, Microsoft.ADAL.ui_event_count: 1, vdiMode: 0, eventpdclevel: 2,
Wed Feb 03 2021 21:36:02 GMT+0100 (heure normale d'Europe centrale) <17233> -- event -- Microsoft.ADAL.prompt_behavior: AD_PROMPT_AUTO, Microsoft.ADAL.oauth_error_code: , Microsoft.ADAL.response_time: xxx xx xxxx, Microsoft.ADAL.is_successfull: no, Microsoft.ADAL.correlation_id: 8A1CB0A7-D37C-494C-B387-E36C1874E682, Microsoft.ADAL.request_id: F734D42E-4D0F-4F78-93E4-AE8008D604E1, Microsoft.ADAL.api_id: 9, Microsoft.ADAL.api_error_code : AD_ERROR_SERVER_USER_INPUT_NEEDED, Microsoft.ADAL.authority_type: aad, Microsoft.ADAL.extended_expires_on_setting: no, Microsoft.ADAL.x_client_cpu: 32, Microsoft.ADAL.authority_validation_status: yes, Microsoft.ADAL.cache_event_count: 4, Microsoft.ADAL.response_code: 200, Microsoft.ADAL.x_client_sku: OSX, Microsoft.ADAL.x_client_os: 10.15.7, Microsoft.ADAL.x_client_ver: 4.0.9, Microsoft.ADAL.status: failed, Microsoft.ADAL.error_domain: ADAuthenticationErrorDomain, Microsoft.ADAL.http_event_count: 1, vdiMode: 0, eventpcledvel: 2,"
The first reflex was removing cached data in these directories:
~/Library/Caches/com.microsoft.teams
~/Library/Caches/com.microsoft.teams.shipit
~/Library/Application Support/Microsoft/Teams
~/Library/Application Support/Microsoft/Teams/Application Cache/Cache
~/Library/Application Support/Microsoft/Teams/blob_storage
~/Library/Application Support/Microsoft/Teams/Cache
~/Library/Application Support/Microsoft/Teams/databases
~/Library/Application Support/Microsoft/Teams/GPUCache
~/Library/Application Support/Microsoft/Teams/IndexedDB
~/Library/Application Support/Microsoft/Teams/Local Storage
~/Library/Application Support/Microsoft/Teams/tmp
thanks in advance!
Feb 04 2021 06:20 AM
Thanks @mouadcherkaoui for the post!
We are wondering if this is related to any security parameter regarding SSL or something else. The process of authentication is:
Azure -> SAML Portal -> CAS Portal -> SAML Portal -> Azure.
The login process is broken somewhere between Azure and the CAS portal since the login page does not even pop up.
The login window does not allow the use of DevTools or any shortcut to show the URIs that the Teams app is trying to consult. Nothing in the log files except the errors shown in the first post.
A support ticket has been open since last week.
Regards,
GS.
Feb 04 2021 04:06 PM
It's all my pleasure! You're welcome!
I think, since it is working on other platforms, it should be more about the macOS use case, which handles keychains and caches them its own way. Can you create a new user account and see if it works? I shared in the "answers forum" a resolution which, in addition to removing cache files, suggests using the Keychain Access ("Trousseau d'accès") tool to remove cached credentials there too:
The Niklas Blomqvist answer is also interesting:
hope it helps!
Feb 05 2021 12:38 AM
Hello,
I tried to enable Mac Native Notification, but it did not change anything.
This is the Auth Menu. I tried clicking all items, one by one, entered my UPN, and it failed.
Also tried to remove all the different cache files suggested in the other post, and also deleted any Teams entry in my Keychain, but it did not change anything!
Regards,
GS
Feb 05 2021 03:38 AM - edited Feb 05 2021 03:41 AM
So ...
Error -1200 seems to be related to ATS (App Transport Security) / SSL options, ciphers, versions...
Our Federated Identity Authentication Server seems to be not quite compliant with the latest SSL standards! Since we do host it directly, we asked for an SSL/TLS/ATS fix.
On macOS you can use the command:
/usr/bin/nscurl --ats-diagnostics https://MySSLServer.FQDN/ (--verbose if needed)
The output is (just changed our server FQDN):
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://Server.FQDN/, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BCF6DDA1-01D8-4D1E-9E17-46EE9364D4A0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <BCF6DDA1-01D8-4D1E-9E17-46EE9364D4A0>.<1>"
), NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://Server.FQDN/, NSUnderlyingError=0x7febf9c12020 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9858, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9858}}, _kCFStreamErrorCodeKey=-9858}
---
See the error code? -1200, just like what the Teams client reports... Maybe the last version of the Teams desktop client is more "picky" on security topics.
To be continued !
GS
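Reading nscurl's output by hand gets tedious because it repeats the same load under several ATS exception dictionaries, and the useful signal is which of those attempts pass. The following is an added example (not the poster's code and not Apple's tooling) that parses that output and explains a default-policy failure from the exceptions that rescue it. The sample output is constructed in the shape of the block quoted above, with a placeholder hostname and the UserInfo trimmed to the underlying stream error code; the plist keys NSAllowsArbitraryLoads, NSExceptionMinimumTLSVersion and NSExceptionRequiresForwardSecrecy are Apple's documented ATS keys, and the interpretation follows the documented ATS baseline (TLS 1.2, forward-secrecy cipher suites, a trusted certificate).

```python
"""Summarise `nscurl --ats-diagnostics` output (added example, not from the thread).
nscurl loads the URL once per ATS exception dictionary and prints a block per
attempt; comparing which attempts PASS shows which ATS requirement the server misses."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the nscurl block quoted in the thread;
# the hostname is a placeholder and UserInfo is trimmed to the relevant key.
SAMPLE_OUTPUT = """\
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred" UserInfo={_kCFStreamErrorCodeKey=-9858}
---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains = { "server.example" = { NSExceptionMinimumTLSVersion = "TLSv1.1"; }; };
}
Result : PASS
---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains = { "server.example" = { NSExceptionRequiresForwardSecrecy = false; }; };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred" UserInfo={_kCFStreamErrorCodeKey=-9858}
---
"""

# One attempt block: a name line, the plist dictionary, a Result line, an optional Error line.
ATTEMPT_RE = re.compile(
    r"^(?P<name>[^\n]+)\nATS Dictionary:\n(?P<dict>\{.*?\n\})\nResult : (?P<result>PASS|FAIL)\n"
    r"(?:Error : (?P<error>[^\n]*)\n)?",
    re.MULTILINE | re.DOTALL,
)
# ATS keys nscurl toggles; values are quoted strings or bare true/false.
KEY_RE = re.compile(
    r'(NSAllowsArbitraryLoads|NSExceptionMinimumTLSVersion|NSExceptionRequiresForwardSecrecy)'
    r'\s*=\s*"?([^";]+)"?\s*;'
)

@dataclass
class Attempt:
    name: str
    settings: Dict[str, str]    # ATS keys set for this attempt ({} = default policy)
    passed: bool
    nsurl_code: Optional[int]   # NSURLErrorDomain code, e.g. -1200
    stream_code: Optional[int]  # underlying SecureTransport code, e.g. -9858

def parse_ats_diagnostics(text: str) -> List[Attempt]:
    attempts = []
    for m in ATTEMPT_RE.finditer(text):
        err = m.group("error") or ""
        code = re.search(r"Code=(-?\d+)", err)
        stream = re.search(r"_kCFStreamErrorCodeKey=(-?\d+)", err)
        attempts.append(Attempt(
            name=m.group("name").strip(),
            settings=dict(KEY_RE.findall(m.group("dict"))),
            passed=m.group("result") == "PASS",
            nsurl_code=int(code.group(1)) if code else None,
            stream_code=int(stream.group(1)) if stream else None,
        ))
    return attempts

def diagnose(attempts: List[Attempt]) -> List[str]:
    """Explain a default-policy failure from which exceptions make the load pass."""
    default = next((a for a in attempts if not a.settings), None)
    if default is None:
        return ["no default-policy attempt found in the output"]
    if default.passed:
        return ["server passes the default ATS policy; look beyond TLS settings for the -1200"]
    findings = [f"default ATS load fails: NSURLError {default.nsurl_code}, SecureTransport {default.stream_code}"]
    tls_ok = sorted(a.settings["NSExceptionMinimumTLSVersion"]
                    for a in attempts if a.passed and "NSExceptionMinimumTLSVersion" in a.settings)
    if tls_ok and "TLSv1.2" not in tls_ok:
        findings.append(f"passes only with the minimum lowered to {tls_ok[-1]}: "
                        "server does not complete a TLS 1.2 handshake ATS accepts")
    pfs = next((a for a in attempts if a.settings.get("NSExceptionRequiresForwardSecrecy") == "false"), None)
    if pfs is not None:
        findings.append("passes without forward secrecy: no ECDHE cipher suites offered" if pfs.passed
                        else "still fails without forward secrecy: cipher suites alone are not the cause")
    arbitrary = next((a for a in attempts if a.settings.get("NSAllowsArbitraryLoads") == "true"), None)
    if arbitrary is not None and not arbitrary.passed:
        findings.append("fails even with NSAllowsArbitraryLoads: certificate not trusted or handshake broken")
    return findings

if __name__ == "__main__":
    for line in diagnose(parse_ats_diagnostics(SAMPLE_OUTPUT)):
        print(line)
```

Feed it the real output with `parse_ats_diagnostics(open("nscurl.txt").read())`; the attempt names in real output differ slightly per macOS version, which is why the logic keys off the dictionary contents rather than the names.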
Feb 05 2021 06:17 AM
Here is the explanation of the error code constant AD_ERROR_SERVER_USER_INPUT_NEEDED:
AD_ERROR_SERVER_USER_INPUT_NEEDED
User needs to re-authorize resource usage. This error is raised when access token cannot be obtained without user explicitly re-authorizing, but the developer has called acquireTokenSilentWithResource method. To obtain the token, the application will need to call acquireTokenWithResource after this error to allow the library to give user ability to re-authorize (with web UI involved).
ADErrorCodes.h.
which can be confirmed through the Azure portal, in the Azure AD Monitoring section under Sign-ins, with request-id F734D42E-4D0F-4F78-93E4-AE8008D604E1
Also, it seems to be related to a domain error:
Microsoft.ADAL.extended_expires_on_setting: no, Microsoft.ADAL.error_domain: NSURLErrorDomain, Microsoft.ADAL.prompt_behavior: AD_PROMPT_AUTO, Microsoft.ADAL.authority_validation_status: yes, Microsoft.ADAL.x_client_sku: OSX, Microsoft.ADAL.x_client_ver: 4.0.9, Microsoft.ADAL.cache_event_count: 4, Microsoft.ADAL.correlation_id: D747B73D-AD0B-452F-A357-1E8A063C4FC2,
which confirms your finding. I think taking a look at the Azure AD logs can give more information, as well as the logs from the external authentication provider.
I'm still unable to reproduce the same architecture; I need to go through some documentation!
Best Regards.
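The correlation_id and request_id values in the ADAL telemetry lines are what you search for in the Azure AD sign-in logs, and the error_domain/api_error_code pair tells you whether the client failed before the token endpoint answered (NSURLErrorDomain -1200, a transport failure) or was answered and refused (ADAuthenticationErrorDomain, AD_ERROR_SERVER_USER_INPUT_NEEDED). The following added example, not from the thread or from Microsoft, splits a pasted Teams log (which loses the newlines between events, as in the first post) into events, parses the Microsoft.ADAL.* fields, and lists the ids to look up. The sample log is constructed with the field layout of the thread's log and placeholder GUIDs.

```python
"""Parse Teams desktop log lines carrying ADAL telemetry (added example, not from the thread).
Splits a pasted, run-together log into events, turns the Microsoft.ADAL.* pairs into a
dict, and pulls out the ids worth looking up in Azure AD sign-in logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample with the field layout of the thread's log; GUIDs are placeholders.
SAMPLE_LOG = (
    "Wed Feb 03 2021 21:36:02 GMT+0100 (heure normale d'Europe centrale) <17233> -- event -- "
    "Microsoft.ADAL.prompt_behavior: AD_PROMPT_AUTO, Microsoft.ADAL.oauth_error_code: , "
    "Microsoft.ADAL.is_successfull: no, Microsoft.ADAL.correlation_id: 11111111-1111-4111-8111-111111111111, "
    "Microsoft.ADAL.request_id: 22222222-2222-4222-8222-222222222222, Microsoft.ADAL.api_id: 9, "
    "Microsoft.ADAL.api_error_code : AD_ERROR_SERVER_USER_INPUT_NEEDED, Microsoft.ADAL.response_code: 200, "
    "Microsoft.ADAL.status: failed, Microsoft.ADAL.error_domain: ADAuthenticationErrorDomain, vdiMode: 0,"
    "Wed Feb 03 2021 21:59:59 GMT+0100 (heure normale d'Europe centrale) <17495> -- info -- "
    "Modern authentication has failed, but you will still be able to log in. "
    "The code for your status is 2:-1200. diag:0"
    "Wed Feb 03 2021 21:59:59 GMT+0100 (heure normale d'Europe centrale) <17495> -- event -- "
    "Microsoft.ADAL.x_client_os: 10.15.7, Microsoft.ADAL.api_error_code: -1200, Microsoft.ADAL.status: failed, "
    "Microsoft.ADAL.response_time: 22912.654996, Microsoft.ADAL.ntlm: , "
    "Microsoft.ADAL.request_id: 33333333-3333-4333-8333-333333333333, Microsoft.ADAL.is_successfull: no, "
    "Microsoft.ADAL.api_id: 133, Microsoft.ADAL.error_domain: NSURLErrorDomain, "
    "Microsoft.ADAL.correlation_id: 44444444-4444-4444-8444-444444444444, vdiMode: 0, eventpdclevel: 2,"
)

# A new event starts at a "Www Mmm dd yyyy hh:mm:ss GMT" stamp, even with no newline before it.
SPLIT_RE = re.compile(r"(?=\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} GMT)")
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} GMT[+-]\d{4}) \([^)]*\) "
    r"<(?P<pid>\d+)> -- (?P<level>\w+) -- (?P<body>.*)$",
    re.DOTALL,
)

@dataclass
class Event:
    timestamp: str
    pid: int
    level: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)

def parse_fields(body: str) -> Dict[str, str]:
    """'Microsoft.ADAL.key: value, ...' -> {'key': 'value'}; prefix dropped, empty values kept."""
    fields = {}
    for item in body.split(","):
        if ":" not in item:
            continue
        key, value = item.split(":", 1)
        key = key.strip()
        if key.startswith("Microsoft.ADAL."):
            key = key[len("Microsoft.ADAL."):]
        fields[key] = value.strip()
    return fields

def parse_teams_log(text: str) -> List[Event]:
    events = []
    for chunk in SPLIT_RE.split(text):
        m = HEADER_RE.match(chunk.strip())
        if not m:
            continue
        body = m.group("body").strip()
        fields = parse_fields(body) if m.group("level") == "event" else {}
        events.append(Event(m.group("ts"), int(m.group("pid")), m.group("level"), body, fields))
    return events

def failed_auth_events(events: List[Event]) -> List[Event]:
    return [e for e in events if e.fields.get("status") == "failed"]

def triage(event: Event) -> str:
    """Classify a failed ADAL event using the two error shapes seen in the thread."""
    code = event.fields.get("api_error_code", "")
    domain = event.fields.get("error_domain", "")
    if domain == "NSURLErrorDomain" and code == "-1200":
        return "transport: TLS connection to the authentication endpoint failed (-1200); check the server with nscurl --ats-diagnostics"
    if code == "AD_ERROR_SERVER_USER_INPUT_NEEDED":
        return "token: silent acquisition refused; the server wants an interactive sign-in"
    return f"unclassified: {domain} {code}".strip()

def lookup_ids(events: List[Event]) -> List[Tuple[str, str]]:
    """(correlation_id, request_id) pairs to search in the Azure AD sign-in logs."""
    return sorted({(e.fields.get("correlation_id", ""), e.fields.get("request_id", ""))
                   for e in failed_auth_events(events)})

if __name__ == "__main__":
    for e in failed_auth_events(parse_teams_log(SAMPLE_LOG)):
        print(e.timestamp, e.fields.get("correlation_id"), triage(e))
```

Note the transport failure carries no response_code at all while the refused one has response_code 200; that absence is the quickest way to tell "never reached the server" from "server said no" when skimming a long log.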
Feb 05 2021 06:40 AM
Feb 05 2021 09:49 AM
@mouadcherkaoui Thanks for the digging!
We are waiting for the appropriate fix to be applied on the authentication portal. No ETA AFAIK.
Will keep you informed.
Regards,
GS.
Feb 06 2021 09:42 AM
I have the same issue!
Mar 07 2021 12:23 PM