Office authentication sign-in at each logon when logging onto an RDS 2019, in a 6 server farm.

Question

I’ve done a thorough investigation into this issue and found a few anomalies within the registry.

Non working Account:

Working Account:

Which you can match between the different entries. I completely removed the identities registry key HKCU\Software\Microsoft\Office\16.0\Common\Identity, when re-created it uses the information. I have manually updated the above registry keys, with the correct information. Even tried recreating a new profile then exporting the working registry keys into a non-working account, you still get prompted for a password at logon to the RDS. There are specific SID’s that get tied to an account, which I have noticed in a few places within the registry e.g. HKCU\Software\Microsoft\Office\16.0\Common\Identity\ServiceAuthInfoCache\CredStoreKeyToAuthScheme and a few other places that I’m aware and some that I am not.

There is a folder under C:\Users\User\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker which gets removed by design at logoff. If I copy the TokenBroker before logoff and paste it back into the above location I am able to login without been prompted for credentials. Some how the tokenbroker folder is linked to the above working registry on creation and gets created correctly at login. For the non-working registry it get's created with incorrect information or doesn't get created at all.

Problem has been solved by creating a new user profile disk (UPD) and copying the users data to the newly created UPD. Which takes +-4 days a user.

There currently 180 users within the server farm so re-creating all users UPD isn't an option.

If I do the below:

Go to the registry editor (Win+R; regedit)

go to HKEY_CURRENT_USER -> Software -> Microsoft ->Office -> 16.0 ->Common -> Identity

Inside "Identity", create a new REG_DWORD value called "EnableADAL" and leave the value at 0

All users work fine. However, I cannot disable modern authentication.

Answer 1

@Greenfever

According to my research, the previous office authentication problem was mostly caused by third-party software on your Remote Desktop Session Host (RDSH).
It is recommended to perform a clean boot on your Remote Desktop Session Host (RDSH) and then see if the problem still exists.
For detailed steps, you could refer to How to perform a clean boot in Windows.

Any questions, please post back.

Regards,
Erin

---

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi,

we also have this issue on RDS environment with Server 2019 and Office 365. The RDS 2019 farm is freshly installed and the issue is since the beginning. It is also discussed here:

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook-mso_win10-mso_o365b/permanent-fix-for-outlook-need-password-prompt/ebc0a8b8-cd24-4bea-857c-eeedac165a60?rtAction=1611743082120

ATM there is no fix or statement from Microsoft. Disabling WAM is not recommended - alternative solution is to clean the Microsoft.AADBroker folder - then login works until problem occurs again (mostly 2-3 logins).

Answer 3

Hi,

Still same problem here and problems with WAM on server 2019 RDSH.
Does anybody has the information about a permanent fix?
Is Microsoft working on this issue?

Thanks and regards.

Answer 4

Nov 30th 2023 problem still exists, opened a ticket with MS and only working solution is the one below

Navigate to this path HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

• Inside "Identity", create a new REG_DWORD value called "DisableADALatopWAMOverride" and leave the value at 1
• Inside "Identity", create a new REG_DWORD value called "DisableAADWAM" and leave the value at 1

Not recommended but here is the reply from MS

"The reason we do not recommend it is because of some users with Multifactor Authentication. Most times it can cause sign-in to Bypass MFA"

Hope this helps someone or eventually a better fix that uses WAM

Answer 5

I had the same Problem with Outlook not opening due to a missing folder in the %appdata% environment of the UserProfile. Been troubleshooting for over a week now trying to find a fix for this problem, since the internet is full of problems regarding the Microsoft.AAD.BrokerPlugin. Solution for me was adding a little Script that checks if the specific folder is created at login or not and creates the folder if it doesnt exist. The folder is : %LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts

The Problem exactly happens when starting Outlook. Outlook tries to write in that folder but if the folder is not available it runs into a timeout and states "Profile cannot be opened etc..".

Furthermore there is a Fix for the missing Broker Plugin on some UserProfiles and reinstalling the Broker Plugin mostly did the trick:

$brokerService = Get-AppxPackage Microsoft.AAD.BrokerPlugin

if($brokerService -eq $null){
    Write-Host "Broker service missing - reinstalling" -ForegroundColor Yellow
    Add-AppxPackage -Register "C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode
}Else{Write-Host "Broker service found - exiting now" -ForegroundColor Green}

Could be a very simple solution to a very big problem!