I was recently contacted to troubleshoot an issue where a user’s Outlook was unable to connect to Office 365 after a password change the previous evening. While I found various forum posts describing the issue, the suggested solution required a slight change to work in the environment I was dealing with, so this post describes what I encountered and the solution.
Environment
- Office 365 is configured for MFA with the product named DUO, which is now owned by Cisco
- Users are automatically redirected to a Citrix NetScaler web page configured with DUO MFA authentication (https://aaa.domain.com) when they attempt to log into Office 365 via outlook.com/domain, outlook.office365.com or login.microsoftonline.com
Problem
A user is no longer able to connect to Office 365 with their Outlook client after the following actions:
- Her password was going to expire so she changed it at the end of the day
- She logged off after the password change and went home for the evening
- She arrived at the office this morning, logged into her laptop and noticed that her Outlook no longer connected
You’ve confirmed that their password was updated within Azure Active Directory (AAD) yesterday evening:
You’ve confirmed that the cached credentials were cleared:
You proceed to connect to their desktop/laptop and notice that her Outlook had the status displayed as:
Trying to connect…
Clicking on the Trying to connect… button would briefly bring up what appears to be the authentication prompt for Office 365:
The window is displayed for about 3 seconds and disappears.
Thinking that this may be an authentication issue, you try having the user authenticate via the Office Account sign in page but it does not resolve the issue:
You perform a bit of Googling on the internet and find the following two forum posts:
https://techcommunity.microsoft.com/t5/outlook/outlook-password-prompt-disappears-quickly/m-p/793317
https://superuser.com/questions/1349327/outlook-needs-password-but-dialog-box-disappears
The discussions indicate that the following two registry values should be added:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DWORD: DisableADALatopWAMOverride
Value: 1
DWORD: EnableADAL
Value: 0
You proceed to add these two DWORDs to the registry:
Adding these two values brought up this classic authentication prompt when Outlook was restarted:
However, logging in with her new credentials did not correct the problem as the status would continue to be stuck at Trying to connect…:
Solution
What ended up working for this issue was deleting the following registry value:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DWORD: EnableADAL
Value: 0
… but with the following one configured:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DWORD: DisableADALatopWAMOverride
Value: 1
With the above setup, the aaa.domain.com Citrix NetScaler page loaded correctly when Outlook was started:
Having the user enter their credentials got Outlook to finally connect to Office 365:
What should also be noted is that if the following DWORD:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DWORD: EnableADAL
Value: 0
… is re-added after Outlook has connected, Outlook will fail to connect again, so this DWORD should be left out.
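The working configuration above can be applied and verified from PowerShell in the affected user's session. This is an added example, not part of the original troubleshooting steps; the function names are hypothetical, and it assumes Outlook is closed and the user can write to their own HKCU hive.

```powershell
# Added example: apply the registry state this post ended up with (current user only).
$identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$valueNames  = 'EnableADAL', 'DisableADALatopWAMOverride'

function Get-IdentityValue {
    param([string]$Name)
    # Returns $null when the value (or the whole key) does not exist.
    $item = Get-ItemProperty -Path $identityKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Show-IdentityState {
    param([string]$Label)
    foreach ($name in $valueNames) {
        $value = Get-IdentityValue -Name $name
        if ($null -eq $value) { $shown = '<not set>' } else { $shown = $value }
        Write-Output ("{0}: {1} = {2}" -f $Label, $name, $shown)
    }
}

# Create the Identity key if this profile has never had it.
if (-not (Test-Path -Path $identityKey)) {
    New-Item -Path $identityKey -Force | Out-Null
}

Show-IdentityState -Label 'Before'

# EnableADAL = 0 disables modern authentication (ADAL) in Office clients.
# The post found Outlook only reaches the NetScaler/DUO page with it removed.
if ($null -ne (Get-IdentityValue -Name 'EnableADAL')) {
    Remove-ItemProperty -Path $identityKey -Name 'EnableADAL'
}

# DisableADALatopWAMOverride = 1 is the one value the post keeps.
New-ItemProperty -Path $identityKey -Name 'DisableADALatopWAMOverride' `
    -PropertyType DWord -Value 1 -Force | Out-Null

Show-IdentityState -Label 'After'

# Fail loudly if the end state is not the one described in the post.
if (($null -ne (Get-IdentityValue -Name 'EnableADAL')) -or
    ((Get-IdentityValue -Name 'DisableADALatopWAMOverride') -ne 1)) {
    Write-Error 'Identity key is not in the expected state.'
}
```

Because `EnableADAL = 0` turns modern authentication off, the "Before" output is also a quick way to spot other profiles where the forum workaround was applied and the federated MFA prompt is being skipped.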