Azure PTA & Seamless SSO - Stagged Rollout - Keeps Prompting for user name and password

Question

Azure PTA & Seamless SSO - Stagged Rollout - Keeps Prompting for user name and password

muraamar 21

Hi, We have enabled Azure PTA with Seamless SSO Via Staged rollout. followed the article below to implement the same

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout

SSO is seamless when accessing the https://myapps.microsoft.com site from windows 10 machines. However, the SSO experience is not working as expected from Win 7 and Win 2016 Citrix VDI's (domain-joined machines).

Win7 - Prompts for user name and password. when accessed from both IE and chrome
Win 2016 - IE prompts for the user name and straight to the application without any password prompt. Chrome is prompting for both the user name and password.

Has anyone seen this issue and what resolution have you used?

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-01-25T23:28:12.683+00:00

@muraamar
Thank you for the detailed post!

When going to the MyApps portal from a browser other than IE or chrome, are you seeing any issues? Or does SSO work as expected any other time, when using your Windows 7/2016 machines?

Based off the SSO working with your Windows 10 machines and not Windows 7 or 2016, I believe you might be seeing this issue because one of the pre-requisites is "if you are deploying Hybrid Azure AD or Azure AD join, you must upgrade to Windows 10 1903 update".

I hope this helps! If you have any other questions, please let me know.
Thank you for your time and patience.
muraamar 21 Reputation points

2021-01-26T09:42:49.287+00:00

Hi James,

Thank you for your time checking this.

To answer your first question: IE and chrome are the only approved and available browsers in our win 7 and 2016 environment. We have the edge in our windows 10 environment, and SSO is working correctly there.

Recently we have enabled and updated the AuthServerWhitelist and AuthNegotiateDelegateWhitelist from the chrome with (https://autologon.microsoftazuread-sso.com). Still no luck.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-01-26T19:29:22.217+00:00
@muraamar
Thank you for the detailed response! I was able to find a post similar to yours that was answered by one of our AzureAD PM's, that might help with your issue.

Solution Provided:
Install the Windows 10 accounts extension to Chrome

Retry operation (not in incognito mode) For windows 7, you need to have workplacejoin msi installed. Refer: https://www.microsoft.com/en-us/download/details.aspx?id=53554

If this doesn't help resolve your issue, please let me know.
Thank you again for your time and patience throughout this issue.
muraamar 21 Reputation points

2021-01-28T07:48:15.437+00:00

Thanks James, let me check these options and get back to you.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-01-28T18:02:46.903+00:00

@muraamar
Thank you for the follow up!

I look forward to hearing from you, and if you require additional support, please feel free to add to the other thread so you can work with our AzureAD PM. Or if you'd like our support engineers to take a closer look into your environment, please let me know.

Thank you again for your time and patience!
muraamar 21 Reputation points

2021-01-29T09:29:53.85+00:00

Hi James,

Thank you!

With "Windows 10 account Chrome extension" on win 10 machine Myapps page loaded without even prompting user name /UPN and the password.

However SSO experience fails with "Windows 10 account Chrome extension" on win 2016 HSD machine.

I am still waiting for a win7 test results and Happy to work with the support engineer.

Thank you again, and appreciate all your help here.

1 answer

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-01-25T23:28:12.683+00:00

@muraamar
Thank you for the detailed post!

When going to the MyApps portal from a browser other than IE or chrome, are you seeing any issues? Or does SSO work as expected any other time, when using your Windows 7/2016 machines?

Based off the SSO working with your Windows 10 machines and not Windows 7 or 2016, I believe you might be seeing this issue because one of the pre-requisites is "if you are deploying Hybrid Azure AD or Azure AD join, you must upgrade to Windows 10 1903 update".

I hope this helps! If you have any other questions, please let me know.
Thank you for your time and patience.
muraamar 21 Reputation points

2021-01-26T09:42:49.287+00:00

Hi James,

Thank you for your time checking this.

To answer your first question: IE and chrome are the only approved and available browsers in our win 7 and 2016 environment. We have the edge in our windows 10 environment, and SSO is working correctly there.

Recently we have enabled and updated the AuthServerWhitelist and AuthNegotiateDelegateWhitelist from the chrome with (https://autologon.microsoftazuread-sso.com). Still no luck.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-01-26T19:29:22.217+00:00

@muraamar
Thank you for the detailed response! I was able to find a post similar to yours that was answered by one of our AzureAD PM's, that might help with your issue.

Solution Provided:
Install the Windows 10 accounts extension to Chrome

Retry operation (not in incognito mode) For windows 7, you need to have workplacejoin msi installed. Refer: https://www.microsoft.com/en-us/download/details.aspx?id=53554

If this doesn't help resolve your issue, please let me know.
Thank you again for your time and patience throughout this issue.
muraamar 21 Reputation points

2021-01-28T07:48:15.437+00:00

Thanks James, let me check these options and get back to you.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-01-28T18:02:46.903+00:00

@muraamar
Thank you for the follow up!

I look forward to hearing from you, and if you require additional support, please feel free to add to the other thread so you can work with our AzureAD PM. Or if you'd like our support engineers to take a closer look into your environment, please let me know.

Thank you again for your time and patience!
muraamar 21 Reputation points

2021-01-29T09:29:53.85+00:00

Hi James,

Thank you!

With "Windows 10 account Chrome extension" on win 10 machine Myapps page loaded without even prompting user name /UPN and the password.

However SSO experience fails with "Windows 10 account Chrome extension" on win 2016 HSD machine.

I am still waiting for a win7 test results and Happy to work with the support engineer.

Thank you again, and appreciate all your help here.

Answer 1

Hi, We have identified this issue is because of the proxy.

We have submitted the fiddler logs to the Microsoft support team, and they found 401 right after the Kerberos ticket being sent during the authentication flow. Based on the research, they have suggested bypassing the proxy for one of the failing devices.

Bypassing the proxy along with SSL bypass for the URL https://autologon.microsoftazuread-sso.com fixed the issue.

i.e. able to access the office365 recourses just bypassing the username/UPN and without any password prompt.

@JamesTran-MSF, Thankyou for all your help.

Share via

Azure PTA & Seamless SSO - Stagged Rollout - Keeps Prompting for user name and password

1 answer

Your answer