
Microsoft Teams login error - Modern authentication failed here status code caa20004

After enabling Microsoft Teams in a federated setup with ADFS, we might get this error when on-premises users try to log in to Microsoft Teams for the first time.

https://exchangequery.files.wordpress.com/2018/06/whatsapp-image-2018-05-30-at-21-05-12.jpeg?w=600

The client logs in the location below also show the following messages:

C:\Users\username\AppData\Roaming\Microsoft\Teams

Wed May 30 2018 06:51:54 GMT+0400 (Arabian Standard Time) <7092> — warning — SSO: ssoerr – (status) Unable to get errCode. Err:Error: ADAL error: 0xCAA10001SSO: ssoerr – (status) Unable to get errorDesc. Err:Error: ADAL error: 0xCAA10001

Wed May 30 2018 06:51:54 GMT+0400 (Arabian Standard Time) <7092> — event — Microsoft_ADAL_api_id: 13, Microsoft_ADAL_correlationId: 2c46e41d-ef75-49ed-b277-cfd61427b273, Microsoft_ADAL_response_rtime: 2, Microsoft_ADAL_api_error_code: caa10001,
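The client log mixes the ADAL error codes into long event lines, so it helps to pull out just the error code and correlation ID for each failed token request. The following PowerShell snippet is an added example and is not part of the original post: it parses sample lines constructed from the entries quoted above (the file name `logs.txt` under the Teams folder is an assumption, so point it at whatever log file you are looking at) and summarises the ADAL error codes it finds.

```powershell
# Added example (not from the original post): triage Teams client log lines for ADAL/SSO errors.
# Sample lines constructed from the entries quoted in the post; the third line is a made-up
# successful request (empty error code) to show that it is ignored.
$sampleLines = @(
    'Wed May 30 2018 06:51:54 GMT+0400 (Arabian Standard Time) <7092> -- warning -- SSO: ssoerr - (status) Unable to get errCode. Err:Error: ADAL error: 0xCAA10001',
    'Wed May 30 2018 06:51:54 GMT+0400 (Arabian Standard Time) <7092> -- event -- Microsoft_ADAL_api_id: 13, Microsoft_ADAL_correlationId: 2c46e41d-ef75-49ed-b277-cfd61427b273, Microsoft_ADAL_response_rtime: 2, Microsoft_ADAL_api_error_code: caa10001,',
    'Wed May 30 2018 06:52:10 GMT+0400 (Arabian Standard Time) <7092> -- event -- Microsoft_ADAL_api_id: 13, Microsoft_ADAL_correlationId: 11111111-2222-3333-4444-555555555555, Microsoft_ADAL_response_rtime: 5, Microsoft_ADAL_api_error_code: ,'
)

function Get-TeamsAdalErrors {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # Timestamp is everything before the " <pid>" marker.
        $timestamp = ($line -split ' <', 2)[0]

        if ($line -match 'ADAL error: 0x(?<code>[0-9A-Fa-f]+)') {
            # "ssoerr" warning lines carry the code as 0x....
            [pscustomobject]@{
                Timestamp     = $timestamp
                Source        = 'ssoerr'
                ErrorCode     = '0x' + $Matches.code.ToUpper()
                CorrelationId = $null
            }
        }
        elseif ($line -match 'Microsoft_ADAL_api_error_code: (?<code>[0-9A-Fa-f]+)') {
            # Event lines carry the code without the 0x prefix; capture it before the next -match
            # overwrites $Matches. Lines with an empty error code (successful calls) do not match.
            $code = '0x' + $Matches.code.ToUpper()
            $correlation = $null
            if ($line -match 'Microsoft_ADAL_correlationId: (?<cid>[0-9a-fA-F-]+)') {
                $correlation = $Matches.cid
            }
            [pscustomobject]@{
                Timestamp     = $timestamp
                Source        = 'ADAL event'
                ErrorCode     = $code
                CorrelationId = $correlation
            }
        }
    }
}

# Run against the constructed sample; to read a real client log, replace $sampleLines with
# Get-Content "$env:APPDATA\Microsoft\Teams\logs.txt" (file name is an assumption).
$errors = Get-TeamsAdalErrors -Lines $sampleLines
$errors | Format-Table -AutoSize

# Count occurrences per error code so the dominant failure stands out.
$errors | Group-Object ErrorCode | Select-Object Name, Count
```

On the sample above this reports two entries with error code 0xCAA10001 (one from the ssoerr warning and one from the ADAL event carrying correlation ID 2c46e41d-ef75-49ed-b277-cfd61427b273) and skips the successful request. The correlation ID is the value to quote when matching a client failure against the ADFS or Azure AD sign-in logs.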

There is also a Get logs option, which can be opened from the Teams tray icon when the issue occurs, as shown below:

https://exchangequery.files.wordpress.com/2018/06/untitled.png?w=600

When the issue occurs, the Get logs output shows an error about being unable to get an ADAL access token.

https://exchangequery.files.wordpress.com/2018/06/untitled2.png?w=600

In the example below the login succeeded, so the log shows success after the access token was obtained.

https://exchangequery.files.wordpress.com/2018/06/untitled3.png?w=600

Teams diagnostics logs can also be downloaded with the key combination below:

Ctrl + Shift + Alt + 1

https://exchangequery.files.wordpress.com/2018/06/12.png?w=600


The diagnostics log contains a lot of information (client version, computer name, memory, user ID and so on), and reading through all of it is difficult, so it is best to search only for the entries related to the issue currently being troubleshooted.

https://exchangequery.files.wordpress.com/2018/06/untitled4.png?w=600

Below is an example of a successful access token acquisition.

https://exchangequery.files.wordpress.com/2018/06/untitled5.png?w=600


Azure AD dependent apps such as Microsoft Teams have an optimized path for the first-time login: they attempt a silent sign-in against the WS-Trust Kerberos (Windows integrated authentication) endpoints of ADFS. If that first attempt is not successful, the client falls back to an interactive login session, presented as a web browser dialog.

However, the newer Office and ADAL clients first try only the WS-Trust 1.3 version of the Windows integrated authentication endpoint, which is not enabled by default on ADFS.

Solution:

Enable the WS-Trust 1.3 Windows transport endpoint for desktop client SSO on the on-premises ADFS server that is federated with the Azure AD tenant by running the following command:

Enable-AdfsEndpoint -TargetAddressPath "/adfs/services/trust/13/windowstransport"

We also want to ensure that both Forms Authentication and Windows Authentication (WIA) are enabled in the global authentication policy.
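The following PowerShell script is an added example, not code from the original post, that wraps the two steps above into something repeatable: it checks the current state of the WS-Trust 1.3 Windows transport endpoint, enables it only if needed, restarts the AD FS service so the change takes effect, and then verifies that the intranet authentication providers include both Forms and Windows Authentication. It assumes it is run in an elevated PowerShell session on the primary AD FS server with the ADFS module available; the function names are my own.

```powershell
# Added example (not from the original post): enable WS-Trust 1.3 Windows transport for desktop
# client SSO and verify the global authentication policy. Run elevated on the primary AD FS server.
$wsTrust13Path = '/adfs/services/trust/13/windowstransport'

function Get-WsTrust13EndpointState {
    # Get-AdfsEndpoint -AddressPath returns the endpoint object with Enabled/Proxy flags.
    $ep = Get-AdfsEndpoint -AddressPath $wsTrust13Path
    if (-not $ep) { throw "Endpoint $wsTrust13Path was not found on this AD FS server." }
    [pscustomobject]@{
        AddressPath = $ep.AddressPath
        Enabled     = $ep.Enabled   # must be $true for the silent first-time Teams/Office sign-in
        Proxy       = $ep.Proxy     # WIA is an intranet path; publishing through the proxy is not required here
    }
}

function Enable-WsTrust13Endpoint {
    $state = Get-WsTrust13EndpointState
    if ($state.Enabled) {
        Write-Host "WS-Trust 1.3 Windows transport endpoint is already enabled; nothing to do."
        return $state
    }
    Enable-AdfsEndpoint -TargetAddressPath $wsTrust13Path
    # Endpoint changes are applied only after the AD FS service restarts.
    Restart-Service -Name adfssrv
    return Get-WsTrust13EndpointState
}

function Test-AdfsIntranetAuthProviders {
    # Report whether the intranet (internal client) policy allows both Forms and Windows auth.
    $policy = Get-AdfsGlobalAuthenticationPolicy
    $intranet = @($policy.PrimaryIntranetAuthenticationProvider)
    [pscustomobject]@{
        IntranetProviders  = $intranet -join ', '
        HasWindowsAuth     = $intranet -contains 'WindowsAuthentication'
        HasFormsAuth       = $intranet -contains 'FormsAuthentication'
    }
}

function Repair-AdfsIntranetAuthProviders {
    # Add whichever of the two providers is missing, keeping any others already configured.
    $check = Test-AdfsIntranetAuthProviders
    if ($check.HasWindowsAuth -and $check.HasFormsAuth) {
        Write-Host "Intranet policy already has Forms and Windows Authentication."
        return $check
    }
    $current = @((Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider)
    $wanted  = @($current + 'FormsAuthentication' + 'WindowsAuthentication' | Select-Object -Unique)
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $wanted
    return Test-AdfsIntranetAuthProviders
}

# Before/after view of both settings.
Write-Host "Endpoint before:"; Get-WsTrust13EndpointState | Format-List
Enable-WsTrust13Endpoint | Format-List
Repair-AdfsIntranetAuthProviders | Format-List
```

Only the primary server of an AD FS farm accepts these configuration changes; secondary servers pick them up through configuration sync. After the restart, a first-time Teams sign-in from a domain-joined, intranet-connected machine should complete silently without the browser dialog, and the client log should show the access token being acquired rather than the 0xCAA10001 ADAL error quoted earlier.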

https://exchangequery.files.wordpress.com/2018/06/untitled5.jpg?w=600