Forum Discussion
S4B Mac ADFS failing
Hi David,
Thanks for your reply!
Around the same time we got response from Microsoft support with a few possible solutions.
We followed the 2nd option as you also did.
Below is the response we got from Microsoft support:
1. Enabling password authentication for the intranet will fix this issue.
You can access this by editing the primary authentication policy from the AD FS snapin (under Authentication Policies).
2. Remove Mozilla 5.0 from the supported user agents under ADFS properties
On the primary ADFS server
$WIA = Get-AdfsProperties
$WIA.WIASupportedUserAgents
Most probably the list of agents will look like this:
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
Mozilla/5.0
Edge/12
You can remove the Mozilla 5.0 from the list of supported user agents by running this command on the ADFS server, not including the Mozilla/5.0:
Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client")
You can also check this link here:
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia
3. Workaround if you want to keep Mozilla/5.0 between the user agents
If removing the "Mozilla/5.0" does not seem to be a viable solution as you may need it for all users running Firefox or any other browser/software using that agent and that should benefit from WIA and its advantages.
What we've found on our side is more related to the ability of the Mac to get a valid Kerberos ticket in the AD domain prior to open Skype for the first time.
Indeed, we successfully reproduced (and solved) the issue by using a Mac not connected to the network at first, then opening a session, getting network, then launching Skype => you have the issue, as no ticket is listed in klist (or if you use an account in the macOS session that is not linked to AD, even if you sign in to Skype with an AD account).
If you open a session on the Mac with network and with a valid AD account, you get a valid ticket and Skype opens naturally after you provide email+password.
Microsoft has acknowledged the issue.
Skype for Business on Mac fails to sign-in (Skype for Business Server Online, Exchange Server Online, Identity managed on-premises with ADFS 3.0 and WIA authentication enabled for wiasupporteduseragents-Mozilla/5.0) | Workaround:
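The fixed list in option 2 above silently drops every entry that is not retyped (in the list shown, MSAuthHost/1.0/In-Domain and Edge/12 would disappear along with Mozilla/5.0). The script below is an added example, not code from the forum post or from Microsoft support: it reads the live WIASupportedUserAgents value, backs it up, removes only the one agent you name, writes the result back, and re-reads the property to confirm. The script file name, the parameter names and the backup path are my own choices; it assumes it is run on the primary AD FS server by an AD FS administrator with the ADFS module available.

```powershell
# Added example (not from the forum post or Microsoft support): remove a single
# user agent from the AD FS WIA list while preserving every other entry.
# Assumed to run on the primary AD FS server as an AD FS administrator; the
# ADFS module ships with the AD FS server role.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Agent to drop; defaults to the one discussed in the thread.
    [string]$AgentToRemove = 'Mozilla/5.0',
    # Where the pre-change list is saved so the change can be reverted exactly (assumed path).
    [string]$BackupPath = "$env:TEMP\WIASupportedUserAgents-backup.txt"
)

Import-Module ADFS -ErrorAction Stop

# Read the current list rather than hardcoding it.
$current = @((Get-AdfsProperties).WIASupportedUserAgents)
if ($current.Count -eq 0) {
    throw 'Could not read WIASupportedUserAgents from Get-AdfsProperties.'
}

# Keep a copy of the current list; restore with:
#   Set-AdfsProperties -WIASupportedUserAgents (Get-Content $BackupPath)
$current | Set-Content -Path $BackupPath
Write-Verbose "Saved current list ($($current.Count) entries) to $BackupPath"

if ($current -notcontains $AgentToRemove) {
    Write-Host "'$AgentToRemove' is not in the list; nothing to change."
    return
}

# Build the new list by filtering, so unrelated entries survive untouched.
$updated = @($current | Where-Object { $_ -ne $AgentToRemove })

if ($PSCmdlet.ShouldProcess('AD FS WIASupportedUserAgents', "remove '$AgentToRemove'")) {
    Set-AdfsProperties -WIASupportedUserAgents $updated

    # Re-read the property to confirm the change actually landed.
    $after = @((Get-AdfsProperties).WIASupportedUserAgents)
    if ($after -contains $AgentToRemove) {
        throw "'$AgentToRemove' is still present after Set-AdfsProperties."
    }
    Write-Host "Removed '$AgentToRemove'. Remaining entries:"
    $after | ForEach-Object { Write-Host "  $_" }
}
```

Run it once with `-WhatIf` (for example `.\Remove-WiaUserAgent.ps1 -WhatIf`, assuming that file name) to see what would change without touching the farm, then without the switch to apply it. Because Set-AdfsProperties is a farm-wide setting, the post's advice to run it on the primary server still applies, and the backup file gives you the exact previous list if sign-in behaviour for other clients changes afterwards.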