Surface Hub Sign on with Okta - fail

%3CLINGO-SUB%20id%3D%22lingo-sub-86726%22%20slang%3D%22en-US%22%3ESurface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-86726%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20using%20Okta%20for%20sign%20in%20to%20our%20environment.%20We've%20just%20gotten%20our%20first%20Surface%20Hub%20and%20it's%20all%20configured%20and%20updated%20to%20current%201703%20version.%20The%20problem%20is%20that%20when%20we%20try%20to%20have%20a%20user%20sign%20on%20we%20hit%20Okta%20and%20it%20sits%20and%20spins.%20Fortunately%20the%20account%20I%20set%20up%20as%20the%20resource%20acount%20is%20using%20domain.onmicrosoft.com%20so%20that%20account%20atleast%20works.%20My%20initial%20outreach%20to%20Okta%20is%20that%20Surface%20Hub%20is%20not%20supported.%20Further%20testing%20with%20my%20normal%20Win10%20PC%20also%20flops%20on%20trying%20to%20sign%20on%20to%20any%20of%20the%20Office%20Mobile%20apps%2C%20this%20is%20actually%20the%20first%20time%20I%20tried%20it%20since%20we've%20not%20had%20a%20need%20to%20use%20the%20mobile%20apps%20in%20our%20environment%20(everyone's%20got%20the%20full%20suite%20installed).%20If%20anyone%20out%20there%20is%20an%20Okta%20user%20and%20knows%20if%20there%20is%20a%20fix%20%2F%20work%20around%20I%20would%20sure%20appreciate%20knowing%20how%20to%20get%20past%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-149814%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-149814%22%20slang%3D%22en-US%22%3EThis%20is%20the%20best%20response%20to%20OKTA.%20If%20they%20won't%20help%20their%20customers%20by%20ensuring%20their%20product%20works%20with%20vital%20infrastructure%20then%20move%20your%20investment%20elsewhere.%20They'll%20eventually%20wise%20up%2C%20but%20by%20then%20it'll%20be%20too%20late%20most%20likely.%3CBR%20%2F%3E%3CBR%20%2F%3EMoney%20speaks%20louder%20than%20anything%20to%20companies.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-149787%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-149787%22%20slang%3D%22en-US%22%3EAcrually%203%20times%20since%20you%20have%20to%20use%20your%20email%20address%2C%20then%20windows%20auth%20and%20then%20Okta%20auth.%20OKTA%20continues%20to%20tell%20us%20that%20Surface%20Hub%20support%20won't%20be%20coming%20unless%20the%20feature%20request%20goes%20high%20on%20the%20request%20list.%20They%20say%20they%20aren't%20popular%20enough.%20What%20they%20don't%20realize%20is%20very%20large%20customers%20with%20a%20small%20amount%20of%20Surface%20Hubs%20are%20leaving%20because%20of%20it.%20We%20will%20be%20moving%20off%20as%20well.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-149502%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-149502%22%20slang%3D%22en-US%22%3E%3CP%3ECorrect.%20Double%20prompted%20currently.%26nbsp%3B%20We%20are%20migrating%20all%20MS%2FO365%2FAzure%20related%20SSO%20from%20Okta%20to%20Azure%20AD%20this%20year%20because%20of%20this%20and%20other%20SSO%20abnormalities%20in%20Intune%2C%20Outlook%2C%20etc.%26nbsp%3B%20Having%20Okta%20in%20the%20middle%20without%20reason%20isn't%20making%20sense%20for%20us%20for%20anything%20MS%20related.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148132%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148132%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20is%20the%20new%20user%20experience%3F%20Are%20you%20double%20prompted%20for%20creds%20when%20you%20sign%20in%3F%20Once%20with%20a%20Windows%20Auth%20grey%20box%20followed%20by%20an%20OKTA%20sign%20in%20web%20page%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142666%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142666%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3BYes%2C%20we%20ran%20into%20the%20same%20issue%20with%20both%20the%20Surface%20Hub%20and%20internal%20Win10%20users.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.okta.com%2Fhelp%2FDocumentation%2FKnowledge_Article%2FTroubleshooting_Known_Issues%2FCannot-sign-into-an-Office-2016-application-on-Windows-10%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.okta.com%2Fhelp%2FDocumentation%2FKnowledge_Article%2FTroubleshooting_Known_Issues%2FCannot-sign-into-an-Office-2016-application-on-Windows-10%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt's%20a%20known%20issue%20and%20easily%20remedied%20changing%20your%20IWA%20server(s)%20to%20HTTPS%2FSSL.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96839%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96839%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20are%20remote%20management%20options%20if%20you%20have%20an%20MDM%20solution%2C%20but%20I%20don't%20see%20anything%20in%20there%20about%20ADAL.%20%26nbsp%3BMaybe%20in%20the%20future%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsurface-hub%2Fmanage-settings-with-mdm-for-surface-hub%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsurface-hub%2Fmanage-settings-with-mdm-for-surface-hub%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96149%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96149%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20had%20to%20make%20some%20registry%20settings%20for%20the%20Okta%20authentication%20to%20work%20internally%20(EnableAdal%20%3D%201%20ao)%20I'm%20trying%20to%20find%20out%20how%20to%20make%20those%20settings%20on%20the%20SurfaceHub%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-88572%22%20slang%3D%22en-US%22%3ERe%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-88572%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20probably%20best%20to%20troubleshoot%20with%20a%20Win%2010%20PC%20with%20the%20Office%20Suite%20and%20SfB%20installed.%20%26nbsp%3BOnce%20you%20get%20that%20working%2C%20Surface%20Hub%20should%20work%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-87875%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-87875%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20we've%20discovered%20that%20works%2C%20I'm%20wondering%20if%20it's%20something%20to%20do%20with%20our%20internal%20Okta%20server%20not%20set%20up%20for%20HTTPS%20authentication.%20I%20have%20the%20same%20problem%20with%20my%20non%20domain%20joind%20windows%2010%20pc%20and%20the%20word%2Fexcel%2Fppt%20apps.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-87744%22%20slang%3D%22en-US%22%3ERE%3A%20Surface%20Hub%20Sign%20on%20with%20Okta%20-%20fail%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-87744%22%20slang%3D%22en-US%22%3EI%20have%20a%20case%20open%20with%20MS%20Support%20and%20they%20have%20advise%20to%20connect%20the%20hub%20on%20a%20mobile%20hotspot%20and%20it%20worked%20with%20Okta.%20As%20a%20workaround%2C%20we%20could%20connect%20the%20hub%20on%20a%20VLAN%20with%20external%20access%20so%20that%20it%20connects%20as%20it%20did%20on%20the%20mobile%20hotspot.%3C%2FLINGO-BODY%3E
Occasional Contributor

We are using Okta for sign in to our environment. We've just gotten our first Surface Hub and it's all configured and updated to current 1703 version. The problem is that when we try to have a user sign on we hit Okta and it sits and spins. Fortunately the account I set up as the resource acount is using domain.onmicrosoft.com so that account atleast works. My initial outreach to Okta is that Surface Hub is not supported. Further testing with my normal Win10 PC also flops on trying to sign on to any of the Office Mobile apps, this is actually the first time I tried it since we've not had a need to use the mobile apps in our environment (everyone's got the full suite installed). If anyone out there is an Okta user and knows if there is a fix / work around I would sure appreciate knowing how to get past this.

10 Replies
I have a case open with MS Support and they have advise to connect the hub on a mobile hotspot and it worked with Okta. As a workaround, we could connect the hub on a VLAN with external access so that it connects as it did on the mobile hotspot.

Yes, we've discovered that works, I'm wondering if it's something to do with our internal Okta server not set up for HTTPS authentication. I have the same problem with my non domain joind windows 10 pc and the word/excel/ppt apps.

It's probably best to troubleshoot with a Win 10 PC with the Office Suite and SfB installed.  Once you get that working, Surface Hub should work as well.

We had to make some registry settings for the Okta authentication to work internally (EnableAdal = 1 ao) I'm trying to find out how to make those settings on the SurfaceHub 

There are remote management options if you have an MDM solution, but I don't see anything in there about ADAL.  Maybe in the future?

 

https://docs.microsoft.com/en-us/surface-hub/manage-settings-with-mdm-for-surface-hub 

 Yes, we ran into the same issue with both the Surface Hub and internal Win10 users.

 

https://support.okta.com/help/Documentation/Knowledge_Article/Troubleshooting_Known_Issues/Cannot-si...

 

It's a known issue and easily remedied changing your IWA server(s) to HTTPS/SSL.

What is the new user experience? Are you double prompted for creds when you sign in? Once with a Windows Auth grey box followed by an OKTA sign in web page?

Correct. Double prompted currently.  We are migrating all MS/O365/Azure related SSO from Okta to Azure AD this year because of this and other SSO abnormalities in Intune, Outlook, etc.  Having Okta in the middle without reason isn't making sense for us for anything MS related.

Acrually 3 times since you have to use your email address, then windows auth and then Okta auth. OKTA continues to tell us that Surface Hub support won't be coming unless the feature request goes high on the request list. They say they aren't popular enough. What they don't realize is very large customers with a small amount of Surface Hubs are leaving because of it. We will be moving off as well.
This is the best response to OKTA. If they won't help their customers by ensuring their product works with vital infrastructure then move your investment elsewhere. They'll eventually wise up, but by then it'll be too late most likely.

Money speaks louder than anything to companies.