Windows SfB 2016 authentication issues with MFA active (online only / current channel)

Bronze Contributor

Hi, so I could use some help with this, hopefully someone has the same scenario as us and could tell me if they have issues with Skype for Business 2016 Windows Client as well. Here are the parameters

 

  • Users federated with onPrem ADFS through AAD-Connect
  • Skype for Business Online only (no hybrid)
  • Exchange Online Hybrid (through AAD-Connect)
  • ADAL enabled for Skype Online
    • Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
      • confirmed this is set
  • ADAL enabled for Exchange Online
    • Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
      • confirmed this is set
  • Office 365 Pro Plus Setup is set to current channel
    • current build is: 16.0.7766.2060
  • MFA enabled for my user account

 

The issue is this annoying authentication window. It's in German, but I guess you know it ;)

Image 122.png

Normally, authentication works just fine when you boot up. This usually pops up when I undock my notebook (connection jumps to Corporate WiFi - 802.1x). Then there is just NO way to get rid of that window. I can try to enter my email (=UPN) and my password but this just pops up instantly.

I can try to shutdown, reboot, relog, logout, nothing will work. Next day or so, everything is fine after a clean boot.

 

Any ideas why this popups, even though ADAL is enabled everywhere? The Skype client is the only one I'm having issues with. All other applications work just fine. 

Is there anything I have forgotten to change, possibly on the onPrem ADFS server?

 

6 Replies
Apply the following regkey or in-band provisioning entry...

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\Lync]
"AllowAdalForNonLyncIndependentOfLync"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\15.0\Lync]
"AllowAdalForNonLyncIndependentOfLync"=dword:00000001

or

$a = New-CsClientPolicyEntry -name AllowAdalForNonLyncIndependentOfLync -value "True"
Set-CsClientPolicy -Identity Global -PolicyEntry @{Add=$a}

KB3082803 is the article you can reference.

i had similar issues, but the regkey/in-band provision resolved the problem your are describing also.

Regards

Chet

I've just checked and I believe this should not apply to as we're not using any onPrem Skype Servers or have any pre 2016 windows clients. We're fully online and on the latest client builds.

ADAL should work out of the box for any Office 365 ProPlus 2016 installations.

Ivan,

I was under the same impression, but the keys did address the issue. I'd be curious to know if it did help your situation.

Since the keys do not exists, I assumed they do not apply in our case. Also the affected client version is not listed for our case. There isn't even a "lync" hive under office\16.0 for the Office 365 ProPlus Client.

Hi ivan, create a hive/key at (regedit) location mentioned in the article for SkB 2016

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync

by right click>New>Key> name it Lyn and then create new DWORD named AllowAdalForNonLyncIndependentOfLync, right click modify and set value to 1.