Users unable to authenticate until the MS-Organization-Access cert is removed

Wayne Clement 6 Reputation points
2022-02-18T16:34:18.697+00:00

We've been experiencing an authentication problem that has recently become worse since we implemented MFA and SSPR. Some users are unable to authenticate to M365 until we either remove the MS-Organization-Access cert or we go into Settings - Accounts - Access work or school and disconnect the Work or school account. With locally installed Office the symptom is a blank white window where our company-branded login screen would be. For web-based Office apps the screen hangs when redirecting the user to our ADFS server. Somewhat related to this, we've always had problems with users attempting to authenticate and being prompted to select a certificate; any action but clicking Cancel requires us to delete the MS-Organization-Access cert.

I don't see any corresponding errors in our audit or sign-in logs for the user or device. The authentication issue only applies to Windows 10 workstations but the certificate prompt at login happens sporadically on all platforms.

Any advice/guidance would be greatly appreciated. Thanks for your time.
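Before anyone deletes the certificate or disconnects the work account on an affected Windows 10 client, it is worth recording what is actually there. The PowerShell below is an added example, not from the original post: it lists every certificate issued by MS-Organization-Access in the user and machine personal stores and parses the `dsregcmd /status` output into a hashtable so the join state can be compared against the certificate. It assumes it is run in the affected user's session, that dsregcmd.exe is on the path, and that dsregcmd prints `Name : Value` lines (which is how it formats its sections today).

```powershell
# Added example (not part of the original thread). Inventory the Azure AD / Entra
# device-registration certificate and the dsregcmd join state on a Windows 10 client
# BEFORE anything is deleted, so the service desk has a record of what was removed.
# Assumptions: runs as the affected user; dsregcmd.exe is available; output format of
# dsregcmd /status is "   Name : Value" per line (current Windows 10 builds).

function Get-OrgAccessCertificate {
    # Device registration issues a client cert with issuer CN=MS-Organization-Access.
    # Azure AD registered (workplace-joined) certs live in CurrentUser\My; hybrid /
    # Azure AD joined device certs live in LocalMachine\My. Check both.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject          # CN=<device id GUID>
                    Thumbprint    = $_.Thumbprint
                    NotBefore     = $_.NotBefore
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Get-DsregState {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable.
    # Banner lines ("+----+", "| Device State |") do not match and are skipped.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

$certs = Get-OrgAccessCertificate
$state = Get-DsregState

# Join/SSO fields worth capturing. AzureAdPrt = NO on a joined device means no
# Primary Refresh Token, which is consistent with Office falling back to a web sign-in.
'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'DeviceId', 'TenantName', 'AzureAdPrt' |
    ForEach-Object { '{0,-16} {1}' -f $_, $state[$_] }

$certs | Format-Table -AutoSize

# Flag the two stale-registration cases rather than silently deleting the cert:
# an expired cert, or (hybrid / Azure AD joined devices, where dsregcmd reports
# DeviceId) a cert whose subject GUID is not the device the tenant currently knows.
foreach ($c in $certs) {
    $subjectId = $c.Subject -replace '^CN=', ''
    if ($c.NotAfter -lt (Get-Date)) {
        Write-Warning "Expired registration cert $($c.Thumbprint) in $($c.Store)"
    }
    elseif ($state['DeviceId'] -and $subjectId -ne $state['DeviceId']) {
        Write-Warning "Cert $($c.Thumbprint) subject $subjectId does not match dsregcmd DeviceId $($state['DeviceId'])"
    }
}
```

Run it once on a working machine and once on a failing one and diff the two outputs; if the failing machine shows a cert that is expired, or whose subject does not match the DeviceId dsregcmd reports, the registration is stale and removing the cert is fixing the symptom of a device that should be re-registered (`dsregcmd /leave` and rejoin for hybrid devices) rather than the cause.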


5 answers

  1. Givary-MSFT 32,581 Reputation points Microsoft Employee
    2022-02-23T06:57:46.67+00:00

    @Wayne Clement

    Apologies for the delay in responding to this post. Just wanted to check whether the issue still persists.

    Would like to know the configuration of the ADFS environment: is ADFS Device Registration / certificate authentication in place? Any events in the Event Viewer on the ADFS servers?


  2. Wayne Clement 6 Reputation points
    2022-02-23T15:37:59.723+00:00

    Since my last reply I worked with our service desk to correlate reports of this with ADFS events, in the following order. The hostnames and email addresses are removed:

    Event ID 342, Source AD FS:

    Token validation failed.

    Additional Data

    Token Type:
    http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
    Error message:
    ****@****.com-The user name or password is incorrect

    Exception details:
    System.IdentityModel.Tokens.SecurityTokenValidationException: ****@****.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

    Event ID 1000, Source AD FS:

    An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.

    Additional Data

    Caller:

    OnBehalfOf user:

    ActAs user:

    Target Relying Party:
    http://*.*****.com/adfs/services/trust

    Device identity:

    User action:
    Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.

    Event ID 364, Source AD FS:

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:
    wsfed

    Relying Party:
    urn:federation:MicrosoftOnline

    Exception details:
    Microsoft.IdentityServer.AuthenticationFailedException: ****@****.com-The user name or password is incorrect ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ****@****.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
    at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
    at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSsoSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
    at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
    at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)
    at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
    at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
    at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    System.IdentityModel.Tokens.SecurityTokenValidationException: ****@****.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
    at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)

    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
    at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

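The three events above (342 token validation failure, 1000 token request error, 364 passive request error) are written for the same sign-in attempt and share an ETW correlation ActivityId, which is what event 1000 tells you to search on. The PowerShell below is an added example, not part of the original thread: it pulls those three event IDs from the `AD FS/Admin` log for the last N hours, extracts the user, relying party, protocol and LSA failure reason from each message, and groups them by ActivityId so each row is one failed sign-in rather than three unrelated log entries. It assumes it is run on an AD FS server (or against one via `-ComputerName`) with read access to that log, and that the message text follows the layout shown in the events above; the field regexes are best-effort parsing of that text.

```powershell
# Added example (not from the original thread): correlate AD FS events 342, 364 and
# 1000 by ActivityId so a single failed sign-in can be read as one record.
# Assumptions: run on the AD FS server (or pass -ComputerName) with rights to the
# 'AD FS/Admin' log; message layout matches the events posted in this thread.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

function Get-AdfsAuthFailure {
    param([int]$Hours, [string]$ComputerName)

    $filter = @{
        LogName   = 'AD FS/Admin'
        Id        = 342, 364, 1000
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

    foreach ($e in $events) {
        # 342 carries the token type, 364 the relying party and protocol, 1000 the
        # request summary. EventRecord.ActivityId is the ETW correlation id they share.
        $msg = $e.Message
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Id           = $e.Id
            ActivityId   = $e.ActivityId
            User         = if ($msg -match '([\w.+-]+@[\w.-]+\.\w+)') { $Matches[1] } else { $null }
            RelyingParty = if ($msg -match 'Relying Party:\s*(\S+)') { $Matches[1] } else { $null }
            Protocol     = if ($msg -match 'Protocol Name:\s*(\S+)') { $Matches[1] } else { $null }
            TokenType    = if ($msg -match 'Token Type:\s*(\S+)') { $Matches[1] } else { $null }
            # LSA reason, e.g. "The user name or password is incorrect"
            Reason       = if ($msg -match 'Win32Exception[^:]*:\s*(.+?)(\r?\n|$)') { $Matches[1].Trim() } else { $null }
        }
    }
}

function Get-AdfsFailureSummary {
    param($Failures)
    $Failures |
        Group-Object ActivityId |
        ForEach-Object {
            $g = $_.Group | Sort-Object Time
            [pscustomobject]@{
                ActivityId   = $_.Name
                First        = $g[0].Time
                Events       = (($g.Id | Sort-Object -Unique) -join ',')
                User         = ($g.User         | Where-Object { $_ } | Select-Object -First 1)
                RelyingParty = ($g.RelyingParty | Where-Object { $_ } | Select-Object -First 1)
                Protocol     = ($g.Protocol     | Where-Object { $_ } | Select-Object -First 1)
                TokenType    = ($g.TokenType    | Where-Object { $_ } | Select-Object -First 1)
                Reason       = ($g.Reason       | Where-Object { $_ } | Select-Object -First 1)
            }
        } |
        Sort-Object First
}

$failures = Get-AdfsAuthFailure -Hours $Hours -ComputerName $ComputerName
$summary  = Get-AdfsFailureSummary -Failures $failures
$summary | Format-Table -AutoSize

# Users who fail repeatedly with the same LSA reason against urn:federation:MicrosoftOnline
# in a short window are the ones to match against service-desk tickets and the client-side
# certificate inventory: a burst of "user name or password is incorrect" for one user over
# the WS-Fed passive endpoint, with no interactive typing, is a cached credential replaying.
$summary |
    Where-Object { $_.Reason } |
    Group-Object User, Reason |
    Where-Object { $_.Count -ge 3 } |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Rows whose `Events` column shows only `1000` or only `364` are requests that failed somewhere other than password validation and are worth looking at separately; the pattern in this thread is the full `342,364,1000` triple with a username-token type and an LSA "user name or password is incorrect" reason for a user who has not typed anything, which is what you would expect if a client is presenting a stored credential.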

  3. Givary-MSFT 32,581 Reputation points Microsoft Employee
    2022-03-02T10:42:32.82+00:00

    @Wayne Clement

    Update: Reviewed the above event.

    I would like to understand who is asking for the certificate (which source is it: Azure AD, ADFS or the proxy server) when the actual issue happens?

    Capturing a Fiddler log at the time of the issue would give us more clarity.

    Also, I have seen this issue in cases where a proxy is in place. Is it possible to bypass the proxy at the time of the issue and verify the outcome?


  4. Wayne Clement 6 Reputation points
    2022-03-02T12:22:13.073+00:00

    I believe it's ADFS asking for the certificate. We get the error whether the user is connected to the corporate network, which bypasses the proxy, or is remote, which does go through the proxy.


  5. Mario HP 1 Reputation point
    2022-10-19T12:47:20.253+00:00

    @Givary-MSFT We're not on ADFS anymore; we have moved on to pass-through authentication, yet we're having our users remove the Work/School account to get the apps working after they change their password every 90 days. Is there a fix for this issue in hybrid environments? It seems to me like this MS-Organization-Access cert is caching some old credentials that keep attempting to sign the users in with the old creds rather than the new ones. Could there possibly be a fix in the works for this? Win 10 ver 21H2 and Win 10 ver 20H2. (Yes, we have tried removing Credential Manager cached creds, but unless we remove the MS-Org-Access cert our users are always disconnected from Outlook, Teams and OneDrive.)
