
Thursday, January 23, 2020

Microsoft Outlook fails to authenticate with Office 365 configured with DUO MFA

I was recently contacted to troubleshoot an issue where a user's Outlook was unable to connect to Office 365 after an overnight password change. I found various forum posts describing the issue, but the suggested solution needed a slight change to work in the environment I was dealing with, so this post describes what I encountered and the fix that worked.

Environment

  • Office 365 is configured for MFA with DUO, which is now owned by Cisco
  • Users are automatically redirected to a Citrix NetScaler authentication page protected by DUO MFA (https://aaa.domain.com) when they attempt to log into Office 365, whether via outlook.com/domain, outlook.office365.com or login.microsoftonline.com

Problem

A user is no longer able to connect to Office 365 with her Outlook client after the following sequence of events:

  1. Her password was about to expire, so she changed it at the end of the day
  2. She logged off after the password change and went home for the evening
  3. She arrived at the office this morning, logged into her laptop and noticed that Outlook no longer connected

You have confirmed that her password was updated in Azure Active Directory (AAD) yesterday evening.

You have also confirmed that the cached credentials on the laptop were cleared.

You connect to her laptop and see that Outlook's status bar shows:

Trying to connect…

Clicking on the Trying to connect… button briefly brings up what appears to be the Office 365 authentication prompt. The window is displayed for about 3 seconds and then disappears.

Thinking that this may be an authentication issue, you have the user sign in again via the Office Account sign-in page, but this does not resolve the issue.

A bit of searching turns up the following two forum posts:

https://techcommunity.microsoft.com/t5/outlook/outlook-password-prompt-disappears-quickly/m-p/793317

https://superuser.com/questions/1349327/outlook-needs-password-but-dialog-box-disappears

The discussion suggests adding the following two DWORD values under this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DWORD: DisableADALatopWAMOverride

Value: 1

DWORD: EnableADAL

Value: 0

You add these two DWORD values to the registry.

Adding these two values causes the classic (legacy) authentication prompt to appear when Outlook is restarted. That is expected: EnableADAL set to 0 turns off modern authentication in the Office client, so Outlook falls back to the legacy credential prompt instead of the ADAL/WAM sign-in window.

However, logging in with her new credentials does not correct the problem; the status remains stuck at Trying to connect…

Solution

What does end up working is deleting the following value:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DWORD: EnableADAL

Value: 0

… but with the following one configured:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DWORD: DisableADALatopWAMOverride

Value: 1

With the above setup, the aaa.domain.com Citrix NetScaler page loads correctly when Outlook is started.

Having the user enter her credentials on that page finally gets Outlook to connect to Office 365.

Note also that if the following DWORD:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DWORD: EnableADAL

Value: 0

… is re-added after Outlook has connected, Outlook fails to connect again, so this value should be left out. This is the part of the fix that matters from a security standpoint: EnableADAL = 0 disables modern authentication for the Office client, which drops it back to legacy authentication; a legacy sign-in never loads the federated aaa.domain.com page and therefore can never satisfy the DUO MFA prompt. DisableADALatopWAMOverride = 1 only changes which sign-in window Outlook uses (ADAL's own browser window instead of the Windows Web Account Manager broker that was flashing and disappearing) and leaves modern authentication, and with it MFA, in place.
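As an added example (this script is not from the original post), the working registry state above can be applied and verified for the current user with PowerShell rather than by hand in regedit. The key path and the two value names are the ones the post describes; the function names, the verification check and the optional Outlook restart are assumptions made for this example. The 16.0 key applies to Office 2016 and later; older Office versions use a different version number.

```powershell
# Added example: apply the registry state the post found working for Outlook
# against Office 365 federated to a DUO MFA page, then verify it.
# Key path and value names are from the post; everything else is this example's choice.
$IdentityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

function Set-OutlookAdalOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path -Path $IdentityKey)) {
        New-Item -Path $IdentityKey -Force | Out-Null
    }

    # EnableADAL = 0 disables modern authentication (and so the MFA redirect);
    # remove the value entirely rather than setting it to 1, matching the post.
    $existing = Get-ItemProperty -Path $IdentityKey -Name EnableADAL -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        if ($PSCmdlet.ShouldProcess("$IdentityKey\EnableADAL", 'Remove value')) {
            Remove-ItemProperty -Path $IdentityKey -Name EnableADAL
        }
    }

    # DisableADALatopWAMOverride = 1 makes Outlook use ADAL's own sign-in window
    # instead of the Windows 10 Web Account Manager (WAM) broker prompt.
    if ($PSCmdlet.ShouldProcess("$IdentityKey\DisableADALatopWAMOverride", 'Set to 1')) {
        New-ItemProperty -Path $IdentityKey -Name DisableADALatopWAMOverride `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-OutlookAdalOverride {
    # Returns $true only when the key matches the state the post found working:
    # DisableADALatopWAMOverride = 1 present and EnableADAL absent.
    $props = Get-ItemProperty -Path $IdentityKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    $overrideOk = ($props.DisableADALatopWAMOverride -eq 1)
    $adalAbsent = -not ($props.PSObject.Properties.Name -contains 'EnableADAL')
    return ($overrideOk -and $adalAbsent)
}

Set-OutlookAdalOverride
if (Test-OutlookAdalOverride) {
    Write-Host 'Identity key is in the expected state; restart Outlook to get the federated sign-in page.'
    # Optional: close Outlook so it picks up the change on the next launch.
    Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue | Stop-Process
} else {
    Write-Warning "Identity key is not in the expected state; inspect $IdentityKey manually."
}
```

Run it in the affected user's session (the values live under HKCU, so running it as an administrator from another account changes the wrong hive). Supporting -WhatIf lets you preview the removal and the write before touching the registry; Test-OutlookAdalOverride is also useful on its own when checking other machines where EnableADAL = 0 may have been left behind by the earlier, incorrect workaround.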
