Outlook prompts for password using ADFS 3.0

MVP

Hi all,

 

I have an environment with Exchange 2010 in a hybrid setup with Office 365.
We have ADFS 3.0 running which is working fine when, for example, we logon to portal.office.com.
We migrated a few test users to Office 365/ Exchange. That is all working fine.


One thing I see and I wonder if that is normal behaviour with AD FS;
When a migrated user opens Outlook 2016 (fully patched) for the first time on a domain joined Windows 10 PC on the internal network, he is asked for his password with a screen for basic authentication. Is expected a SSO experience, because modern authentication is turned on for Exchange and did this setting on the ADFS Server Enable-AdfsEndpoint -TargetAddressPath "/adfs/services/trust/13/windowstransport" 
It is probably hitting the old Exchange 2010 first when running the autodiscover process, which is causing the prompt. The autodiscover points at the internal Exchange server and not to O365, becuase are other mailboxes are on-prem.

Is their a solution to prevent this behaviour of Office 2016?

Thank you!

11 Replies
Hi,

Yes I did. Adfs itself works fine by using the browser, but only not when using Outlook 2016

For real SSO experience in Outlook you need Modern authentication enabled. Otherwise you get the basic auth prompt, that's the expected behavior. If you want more info check the AD FS whitepapers: https://www.microsoft.com/en-us/download/details.aspx?id=36391

Oh, and Modern auth needs to be enabled both client-side and server-side.

Modern auth is enabled for Exchange Online and using Outlook 2016, it is used by Outlook.
This is set on ADFS: Enable-AdfsEndpoint -TargetAddressPath “/adfs/services/trust/13/windowstransport”

When I use the hosts file on a workstation to point autodiscover to autodiscover.outlook.com everything is working as expected, with SSO experience, not asking for a password.
So I think the behavior is caused because autodiscover points to our on-prem Exchange server and during the autodiscover process it hits this server first. But I cannot find an article which agrees with my thought, or a solution/ workaround for this.

It should be the expected behavior in hybrid setup. Autodiscover will and should point to your on-premises Exchange setup.

 

 

This article here talks about the autodiscover lookup process in detail: https://blogs.technet.microsoft.com/rmilne/2015/04/29/office-365-autodiscover-lookup-process/

It is because of the autodiscover cache which points the client to the old Exchange 2010 server. When I delete the autodiscover cache (manually) from the users profile and reboot the device I don`t see the basic auth popup and the user is logged on seamless to Outlook.
I have also setup a few test users on the Exchange 2016 server, when they are moved to Office 365, they don`t see the popup, just restart Outlook and they are logged on to Outlook.


So when I move users at night and the next morning the users starts his device, the autodiscover cache should be renewed and don`t see a popup.

Thanks Vasil! This solved my problem. I enabled the modern auth on O365 tenant but not on my Outlook 2013 client. After doing that no prompts anymore and it worked. Outlook 2016 has this already setup and now checking the need for Outlook 2010.

 

https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-dev...

Office 2010 doesn't support Modern authentication though. It might be better if you describe your specific issue in a separate post.

Hi peter, do you get SSO to your internal Autodiscover website? if not then that's the problem, add your internal Autodiscover website to local intranet sites.

@Peter Klapwijk Although this is an old article. I just wanted to add my findings as i have experienced exactly this.

 

What solved my problem was https://support.microsoft.com/en-gb/help/3126599/outlook-prompts-for-password-when-modern-authentica...

 

This fix was:

  1. HKEY_CURRENT_USER\Software\Microsoft\Exchange
  2. On the Edit menu, point to New, and then click DWORD Value.
  3. Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
  4. Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
  5. In the Value data box, type 1, and then click OK.