S4B Mac ADFS failing

Hey everybody - after the most recent updates the client won't log in properly. We are running Office 365 with ADFS as the login provider. The client attempts the login and then passes back what looks like an attempt at the modern authentication in a new window but that spins and times out. This is happening for everybody that is using the client on Mac. Any ideas?
Haven't. Aren't you able to log in at all, or is it intermittent?

It seems to be failing for anybody that has upgraded to the latest version on Mac. I did some more research into this today, and we have ADFS rules that permit login only from within the network. If I am connected to the internal network I get a blank pop-up from Skype (it looks like it's attempting to load a page) and it will spin forever. I decided to pop off the internal network and get on an external one, and that blank page then refreshes and loads the external ADFS authentication page. It would seem that there's some issue resolving it internally. I may need to check into our DNS.

Adding more to this...

I noticed that Safari is asking for a certificate for our internal ADFS. This may be a byproduct of the way we have our stuff set up, as Firefox isn't prompting for the same. My presumption is that Skype is using Safari to do the load-out, and when it gets the transition of ADFS prompting for a certificate it's just not painting the page and is discarding the prompts. That's likely why the page isn't loading and the client isn't able to log in properly.

I'll have to do some more digging, as even changing the default browser on the OS won't get past it. I'm thinking it may be calling it by default. Or I could be chasing ghosts.

So I managed to dig deeper on this. I'm not a massive traffic analyzer, but I was able to see where things seem to be failing. That same page that loads as spinning or blank on the internal network paints as the ADFS external login page when off the network. So I set up a trace to watch Skype as it's attempting to log in on the internal network, and it's the ADFS response to the internal auth request.

I updated all the way to the latest fast insider build of Office/Skype this morning and it's the same thing. Something within Skype isn't handling that ADFS response in the last few builds. My guess at this point is that I have to open a Premier ticket. Anyone else seeing this issue at all?

Hi!

Was this issue fixed?

Please share the fix if any.
Regards

Arun

We are facing the same issue at our Mac clients.

Was anyone able to resolve it?

Sorry to say that it hasn't been fixed...I haven't had the time to chase it with support either.

Hi,

We had an issue with S4B on Mac OS not signing in. The user experience was a white login box appearing and then nothing else. No errors.

Tried updating Office and installing the March 2017 update for Skype.

Environment is ADFS on Server 2016 with IWA and Forms Based Authentication enabled.

Modern Authentication enabled in both Exchange Online and Skype for Business, and no users have MFA enabled.

I think what broke it was adding the User Agent String 'Mozilla/5.0' to my ADFS WIASupportedUserAgents property.

The value wasn't detailed enough to cope with non-Windows clients and was therefore expecting IWA from the Macs.

Amending the value to 'Mozilla/5.0 (Windows NT)' maintains IWA for the Windows platform and FBA for non-Windows, which resolved the issue.

There are plenty of other variables which could be at play with this issue, but this sorted it for me.

The clincher was this excellent article on ADFS, IWA and FBA, found here:

https://blog.msresource.net/2015/12/11/ad-fs-enhanced-protection-for-authentication-epa-chrome-and-i...

Hi David,

Thanks for your reply!

Around the same time we got a response from Microsoft support with a few possible solutions.

We followed the 2nd option, as you also did.

Below is the response we got from Microsoft support:

1. Enabling password authentication for the intranet will fix this issue.

You can access this by editing the primary authentication policy from the AD FS snap-in (under Authentication Policies).

2. Remove Mozilla/5.0 from the supported user agents under ADFS properties

On the primary ADFS server:

$WIA = Get-AdfsProperties
$WIA.WIASupportedUserAgents

Most probably the list of agents will look like this:

MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
Mozilla/5.0
Edge/12

You can remove Mozilla/5.0 from the list of supported user agents by running this command on the ADFS server, passing the same list with Mozilla/5.0 left out:

Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Edge/12")

You can also check this link here:
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-intranet... 

3. Workaround if you want to keep Mozilla/5.0 among the user agents

Removing "Mozilla/5.0" may not seem to be a viable solution, as you may need it for all users running Firefox or any other browser/software using that agent that should benefit from WIA and its advantages.

What we've found on our side is more related to the ability of the Mac to get a valid Kerberos ticket in the AD domain prior to opening Skype for the first time.

Indeed, we successfully reproduced (and solved) the issue by using a Mac not connected to the network at first, then opening a session, getting network, then launching Skype => you have the issue, as no ticket is listed in klist (or if you use an account in the macOS session that is not linked to AD, even if you sign in to Skype with an AD account).

If you open a session on the Mac with network and with a valid AD account, you get a valid ticket and Skype opens normally after you provide email + password.

Microsoft has acknowledged the issue.

Skype for Business on Mac fails to sign in

(Skype for Business Server Online, Exchange Server Online, identity managed on-premises with ADFS 3.0 and WIA authentication enabled for WIASupportedUserAgents Mozilla/5.0)

Workaround:

  1. Remove "Mozilla/5.0" from the WIASupportedUserAgents parameter in AdfsProperties. Essentially, you will need to:

    a. Run Get-AdfsProperties | select wiasupporteduseragents and get the output.

    b. Then remove _only_ "Mozilla/5.0" from the output.

    c. Then run Set-AdfsProperties -WIASupportedUserAgents with the output from step b.

  2. Revert to using Lync for Mac 2011.

https://support.office.com/en-us/article/Known-issues-Skype-for-Business-on-Mac-494ac5d5-50be-4aa7-8...
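The two fixes in this thread (David's narrowing of the entry to 'Mozilla/5.0 (Windows NT)', and Microsoft's option 2 / the known-issue workaround of dropping 'Mozilla/5.0' entirely) both come down to editing WIASupportedUserAgents so that a Mac WebKit User-Agent no longer matches an entry and ADFS falls through to forms-based authentication. The PowerShell below is an added example, not code from this thread, from Microsoft support or from the linked articles. It first models the "does the User-Agent header contain one of the configured strings" check so you can see which clients would be sent down the IWA path, then wraps the actual change with a backup of the original list and a read-back. The function names, the -Narrow and -Preview switches, the backup path and the sample User-Agent strings (constructed, not captured from a client) are all this example's own assumptions; the substring comparison is this example's model of the ADFS rule, not a call into ADFS.

```powershell
# Added example (not from the thread, Microsoft support, or the linked KB/blog).
# Assumptions, all this example's own: function names, -Narrow/-Preview switches,
# the backup path, and the constructed User-Agent strings in the usage section.
# Test-WiaUserAgent models the ADFS check as a substring match of each configured
# entry against the User-Agent header; it does not call into ADFS.

function Test-WiaUserAgent {
    # Returns the first configured entry found inside the User-Agent header, or $null
    # when none matches (no match means ADFS falls through to forms-based auth).
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [Parameter(Mandatory)][string[]]$SupportedAgents
    )
    foreach ($entry in $SupportedAgents) {
        if ($UserAgent.Contains($entry)) { return $entry }
    }
    return $null
}

function Repair-WiaUserAgents {
    # Drops the bare "Mozilla/5.0" entry (Microsoft's option 2 / the KB workaround),
    # or with -Narrow replaces it with "Mozilla/5.0 (Windows NT)" as in David's fix,
    # so Windows browsers keep IWA and non-Windows clients get forms-based auth.
    # Run on the primary AD FS server in an elevated session.
    param(
        [switch]$Narrow,
        [switch]$Preview   # show the resulting list without writing it
    )
    Import-Module ADFS -ErrorAction Stop
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)

    # Save the original list so the change can be reverted verbatim.
    $backup = Join-Path $env:TEMP ('WIASupportedUserAgents-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    $current | Set-Content -Path $backup
    Write-Host "Original list saved to $backup"

    if ($current -notcontains 'Mozilla/5.0') {
        Write-Host "'Mozilla/5.0' is not in the list; nothing to change."
        return $current
    }

    # Exact-entry comparison: every other entry, including an existing
    # "Mozilla/5.0 (Windows NT)", is carried over untouched.
    $new = foreach ($ua in $current) {
        if ($ua -ne 'Mozilla/5.0') { $ua }
        elseif ($Narrow)           { 'Mozilla/5.0 (Windows NT)' }
        # else: the bare entry is dropped
    }
    $new = @($new | Select-Object -Unique)

    if ($Preview) { return $new }
    Set-AdfsProperties -WIASupportedUserAgents $new
    return @((Get-AdfsProperties).WIASupportedUserAgents)   # read back to confirm the write
}

# --- Usage ---------------------------------------------------------------------
# Constructed User-Agent strings: a Mac WebKit client and IE11 on Windows.
$macWebKit = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.4.8 (KHTML, like Gecko)'
$ie11Win   = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'

$broken = @('MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Mozilla/5.0', 'Edge/12')
$fixed  = @('MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Mozilla/5.0 (Windows NT)', 'Edge/12')

'Broken list, Mac  -> {0}' -f (Test-WiaUserAgent $macWebKit $broken)   # Mozilla/5.0 : IWA attempted, the failure in this thread
'Broken list, IE11 -> {0}' -f (Test-WiaUserAgent $ie11Win   $broken)   # Trident/7.0 : IWA
'Fixed list,  Mac  -> {0}' -f (Test-WiaUserAgent $macWebKit $fixed)    # (empty)     : forms-based auth
'Fixed list,  IE11 -> {0}' -f (Test-WiaUserAgent $ie11Win   $fixed)    # Trident/7.0 : IWA kept

# On the primary AD FS server, run one of:
# Repair-WiaUserAgents -Preview      # show the list that would be written
# Repair-WiaUserAgents               # remove "Mozilla/5.0" (support's option 2 / the KB workaround)
# Repair-WiaUserAgents -Narrow       # David's variant: keep IWA for "Mozilla/5.0 (Windows NT)"
```

Run the usage section anywhere to see why the Mac client is affected: the Mac UA contains the bare 'Mozilla/5.0' but not 'Mozilla/5.0 (Windows NT)', while IE11 still matches 'Trident/7.0' either way, so narrowing or removing the entry costs Windows browsers nothing. Only Repair-WiaUserAgents touches ADFS; preview it first, keep the backup file it writes, and re-test sign-in from a Mac on the internal network afterwards. If sign-in still fails after the list change, the thread's third option (a Mac that has no Kerberos ticket in klist before Skype starts) is the next thing to check.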