Jump to content
Welcome to our new Citrix community!
  • 0

Teams Prompting for Login Credentials after login


Question

Hi,

 

we are currently struggling with the following problem:

 

Every time a user starts Teams after logging in, he is prompted for a password. However, the username is saved. If the session remains open and Teams is restarted, no password is requested. If the user restarts the Citrix session (logging out and logging back in), he will be asked for the password again.

 

We are using Citrix Virtual Apps and Desktops 7 2203 CU2 and for some time now our employees have been prompted to enter the password again after each session start. This is not the case on "normal" Windows 10 clients.

 

We are using the follwing:

The teams version is: x64 1.6.00.1381

Installed with: ALLUSER=1 ALLUSERS=1

OS: Windows Server 2022 non persistent vdi deployed via MCS

Profile Management: Citrix Profile Management 

 

The problem can also be avoided if no UPM is used and the profiles remain on the terminal server.

It also works if the complete profile is written into the Citrix profile container.

However, we would like to continue using Citrix UPM without containers.

 

I have already implemented the settings from the Microsoft (https://learn.microsoft.com/en-us/MicrosoftTeams/teams-for-vdi#teams-cached-content-exclusion-list-for-non-persistent-setup) and Citrix article (https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#per-user-installer) , unfortunately without success:

 

Using Teams in a non-persistent setup also requires a profile-caching manager for efficient Teams runtime data synchronization.

Efficient data synchronization ensures that the appropriate user-specific information (such as a user's data, profile, or settings) is cached during the user's session.

Make sure data in these two folders are synced:

• C:\Users\username\AppData\Local\Microsoft\IdentityCache (%LocalAppData%\Microsoft\IdentityCache)

• C:\Users\username\AppData\Roaming\Microsoft\Teams (%AppData%\Microsoft\Teams)

 

The problem also occurs if not the complete profile but only the two directories from the Microsoft article are written to the container.

 

Unfortunately, the additional directories mentioned in this forum didn't help either:

https://communities.vmware.com/t5/Dynamic-Environment-Manager/DEM-Teams-MFA-login-every-time/td-p/2310199/page/4

 

I would be very grateful for a solution.

 

Best regards Benjamin

Link to comment

22 answers to this question

Recommended Posts

  • 0

Hi, thanks for your quick reply:

 

We are currently not using FAS.

 

The users start the desktop in the LAN via a preconfigured Workspace 2203 APP installed on Windows 10 PCs. SSON is used to log in to the Workspace app.

The on-premises domain is not connected to Azure AD. Own Azure AD accounts are used to log into MS Teams.

 

Know which teams directory in addition to the specifications from the MS article

 

• C:\Users\username\AppData\Local\Microsoft\IdentityCache (%LocalAppData%\Microsoft\IdentityCache)

• C:\Users\username\AppData\Roaming\Microsoft\Teams (%AppData%\Microsoft\Teams)

 

need to be included?

Link to comment
  • 0

I would try roaming the entire profile, no exclusions, to see if it works.   However, I don't think it will.

 

In most environments I have had to setup Azure AD Connect to get all the necessary authentication and SSON to work with Edge, Teams, Onedrive, etc. And use FSLogix to properly store tokens for authentication.

 

 

Link to comment
  • 0
40 minutes ago, Jeff Riechers1709152667 said:

I would try roaming the entire profile, no exclusions, to see if it works.   However, I don't think it will.

 

I already did that, sadly you are right, it didn´t work.

 

40 minutes ago, Jeff Riechers1709152667 said:

In most environments I have had to setup Azure AD Connect to get all the necessary authentication and SSON to work with Edge, Teams, Onedrive, etc. And use FSLogix to properly store tokens for authentication.

 

 

 

 

I'll test FSLogix, it's just a bit strange because the existing configuration worked about 2-3 months ago. Full Roaming with Citrix Profile Container is also working. It seems as if not all files are being syncronized via UPM. I would be happy about further tips.

Link to comment
  • 0

I believe you also need to roam: AppData\Local\Microsoft\OneAuth  if I recall correctly. I have it in my roaming settings and am pretty sure it came with Teams. Also recommended, if you use the Teams features in Outlook: 
AppData\Local\Microsoft\TeamsMeetingAddin
AppData\Local\Microsoft\TeamsPresenceAddin

Link to comment
  • 0

I was able to narrow down the problem a little further.

 

There seem to be problems writing back the data from the roaming profile. It can of course also be possible that this is intentional. When you log off from the terminal server session, all data is written to the profile on the profile server, but not all of them are then restored when you log on to the terminal server again.

 

These are the following directories including their content:

%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Microsoft

%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker

 

The UDM configuration currently looks like this:

 

Directories to sync:

AppData\Roaming\Microsoft\Teams

AppData\Local\Microsoft\Credentials

AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

AppData\Local\Microsoft\IdentityCache

AppData\Local\Microsoft\TokenBroker

AppData\Local\Microsoft\OneAuth

AppData\Local\Microsoft\TeamsMeetingAddin

AppData\Local\Microsoft\TeamsPresenceAddin

 

Files to sync:

AppData\Roaming\Microsoft\Teams\desktop-config.json

AppData\Roaming\Microsoft\Teams\preauth.json

AppData\Roaming\Microsoft\Teams\Preferences

AppData\Roaming\Microsoft\Teams\settings.json

AppData\Roaming\Microsoft\Teams\storage.json

 

Exclusion List - Directories:

AppData\local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState

AppData\Roaming\Microsoft\Teams\meeting-addin\Cache

AppData\Roaming\Microsoft\Teams\media-stack

 

If the two

%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Microsoft

As well as

%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker

copied to the user's profile manually or by script before starting Teams, the login is carried out as usual without entering the password.

 

I'll keep testing this, but for now it's a solution we can live with.

Link to comment
  • 0
On 4/13/2023 at 11:47 PM, Amir Sayes1709162090 said:

Do you have a conditional access policy that forces interactive logon or MFA? 

 

Another thing to look at is - do you have UPM profile streaming enabled by GPO? are you "Always Caching"? 

Thank you for your reply.

 

 

The problem occurs with and without MFA.

 

In fact we use profile streaming, I disabled the feature in my test environment. Unfortunately the error still occurs.

Currently we continue to use workaround with the script.

 

Nonetheless, thanks for the food for thought.

Link to comment
  • 0

Hello Benjamin Bicker,

 

I had the exact same issue - exact same infrastructure. I could apply your workaround successfully untill I've found the solution.

 

To be able to synchronize everything set explicitly in the UPM setting, included the two folders in "Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC"

 

You need to turn to "Enabled" the following GPO setting :

 

-> Computer Configuration/Administrative Templates/Citrix Components/Profile Management/Advanced settings/Disable automatic configuration

 

If you leave it not configured or disabled, the Citrix UPM will not apply everything you ask him to.

 

Let me know if that helps you.

 

 

 

 

Link to comment
  • 0

 

Hello Julien Carette,

sorry for the late reply.

 

I was able to successfully test your settings with us. The MS Team login now works as usual again.

Unfortunately, by deactivating the GPO you mentioned, the start menu no longer seems to work properly. Therefore, we will continue to rely on the solution with the script for the time being.

 

Thank you for your help in solving the problem.

Link to comment
  • 0

Could you please share the script you're using to manually copy these two directories:

 

%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Microsoft

%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker

 

to a user's profile?

 

Thank you

Link to comment
  • 0

Does anyone have any new information on this topic?
Unfortunately, we are experiencing the same problem. Teams wants to have the password after each Citrix login.

I already tried to copy the two folders (BrokerToken / Microsoft) manually or by script, but even if both folders exist the password is requested.

Link to comment
  • 0

I have now also installed and set up FSLogix.

But still after each Citrix login the teams password is requested.

We also have notebooks in use, the credentials are stored there. Therefore I don't understand why this doesn't work in Citrix. Not even with containers.

 

In addition, I now get a black screen for about 30 seconds before the desktop is displayed.

Link to comment
  • 0
On 9/11/2023 at 9:26 AM, Maik Ludwig said:

I have now also installed and set up FSLogix.

But still after each Citrix login the teams password is requested.

We also have notebooks in use, the credentials are stored there. Therefore I don't understand why this doesn't work in Citrix. Not even with containers.

 

In addition, I now get a black screen for about 30 seconds before the desktop is displayed.

I dont know anything about your black screen but we had the teams issue with one user and where able to fix this.

Basically you have two options, assuming your users are using 2FA.

 

1: You can enable the RoamIdentity option which only requires the user to log in the first time https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles#roamidentity

 

2: You need to enable Azure AD Connect and Single Sign On (which you probably already have) and also configure Trusted Locations with an Azure AD P1 licence. The last one is crucial because SSO doesn't work with 2FA, so you need to disable it with a Conditional Access Policy for your company IP.


Hope this helps.


Regards.

 

 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...