Posted March 7, 2023

Hi, we are currently struggling with the following problem: Every time a user starts Teams after logging in, he is prompted for a password. However, the username is saved. If the session remains open and Teams is restarted, no password is requested. If the user restarts the Citrix session (logging out and logging back in), he will be asked for the password again.

We are using Citrix Virtual Apps and Desktops 7 2203 CU2 and for some time now our employees have been prompted to enter the password again after each session start. This is not the case on "normal" Windows 10 clients.

We are using the following:
Teams version: x64 1.6.00.1381
Installed with: ALLUSER=1 ALLUSERS=1
OS: Windows Server 2022, non-persistent VDI deployed via MCS
Profile Management: Citrix Profile Management

The problem can also be avoided if no UPM is used and the profiles remain on the terminal server. It also works if the complete profile is written into the Citrix profile container. However, we would like to continue using Citrix UPM without containers.

I have already implemented the settings from the Microsoft (https://learn.microsoft.com/en-us/MicrosoftTeams/teams-for-vdi#teams-cached-content-exclusion-list-for-non-persistent-setup) and Citrix article (https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#per-user-installer), unfortunately without success:

Using Teams in a non-persistent setup also requires a profile-caching manager for efficient Teams runtime data synchronization. Efficient data synchronization ensures that the appropriate user-specific information (such as a user's data, profile, or settings) is cached during the user's session. Make sure data in these two folders are synced:
• C:\Users\username\AppData\Local\Microsoft\IdentityCache (%LocalAppData%\Microsoft\IdentityCache)
• C:\Users\username\AppData\Roaming\Microsoft\Teams (%AppData%\Microsoft\Teams)

The problem also occurs if not the complete profile but only the two directories from the Microsoft article are written to the container. Unfortunately, the additional directories mentioned in this forum didn't help either: https://communities.vmware.com/t5/Dynamic-Environment-Manager/DEM-Teams-MFA-login-every-time/td-p/2310199/page/4

I would be very grateful for a solution.

Best regards
Benjamin
March 7, 2023

How are users logging in? Are you using FAS? If FAS you need to do some work to get certificate based auth for passing those creds. If you are staying with UPM you may need to container those Teams settings, or migrate to FSLogix.
March 7, 2023 Author

Hi, thanks for your quick reply. We are currently not using FAS. The users start the desktop in the LAN via a preconfigured Workspace 2203 app installed on Windows 10 PCs. SSON is used to log in to the Workspace app. The on-premises domain is not connected to Azure AD. Separate Azure AD accounts are used to log into MS Teams.

Do you know which Teams directories, in addition to those specified in the MS article, need to be included?
• C:\Users\username\AppData\Local\Microsoft\IdentityCache (%LocalAppData%\Microsoft\IdentityCache)
• C:\Users\username\AppData\Roaming\Microsoft\Teams (%AppData%\Microsoft\Teams)
March 7, 2023

I would try roaming the entire profile, no exclusions, to see if it works. However, I don't think it will. In most environments I have had to set up Azure AD Connect to get all the necessary authentication and SSON to work with Edge, Teams, OneDrive, etc. And use FSLogix to properly store tokens for authentication.
March 7, 2023 Author

40 minutes ago, Jeff Riechers1709152667 said:
I would try roaming the entire profile, no exclusions, to see if it works. However, I don't think it will.

I already did that; sadly you are right, it didn't work.

40 minutes ago, Jeff Riechers1709152667 said:
In most environments I have had to set up Azure AD Connect to get all the necessary authentication and SSON to work with Edge, Teams, OneDrive, etc. And use FSLogix to properly store tokens for authentication.

I'll test FSLogix. It's just a bit strange because the existing configuration worked about 2-3 months ago. Full roaming with Citrix Profile Container is also working. It seems as if not all files are being synchronized via UPM. I would be happy about further tips.
March 7, 2023

MS has been working on changing token storage and logins lately. If you go FSLogix make sure to go 2210.1, and enable the legacy WAM token storage. https://learn.microsoft.com/en-us/fslogix/whats-new#fslogix-2210-hotfix-1-29844042104
March 7, 2023 Author

I will test it, hopefully this week, and let you know if it worked. Thanks so far.
March 7, 2023

I believe you also need to roam:
AppData\Local\Microsoft\OneAuth
if I recall correctly. I have it in my roaming settings and am pretty sure it came with Teams.

Also recommended, if you use the Teams features in Outlook:
AppData\Local\Microsoft\TeamsMeetingAddin
AppData\Local\Microsoft\TeamsPresenceAddin
March 8, 2023 Author

Thank you for the tip, unfortunately it didn't work. Even if I store the following directories it doesn't work:
AppData\Local\*
AppData\Roaming\*
March 8, 2023 Author

I was able to narrow down the problem a little further. There seem to be problems writing back the data from the roaming profile. It can of course also be possible that this is intentional. When you log off from the terminal server session, all data is written to the profile on the profile server, but not all of it is then restored when you log on to the terminal server again. These are the following directories including their content:
%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Microsoft
%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker

The UPM configuration currently looks like this:

Directories to sync:
AppData\Roaming\Microsoft\Teams
AppData\Local\Microsoft\Credentials
AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
AppData\Local\Microsoft\IdentityCache
AppData\Local\Microsoft\TokenBroker
AppData\Local\Microsoft\OneAuth
AppData\Local\Microsoft\TeamsMeetingAddin
AppData\Local\Microsoft\TeamsPresenceAddin

Files to sync:
AppData\Roaming\Microsoft\Teams\desktop-config.json
AppData\Roaming\Microsoft\Teams\preauth.json
AppData\Roaming\Microsoft\Teams\Preferences
AppData\Roaming\Microsoft\Teams\settings.json
AppData\Roaming\Microsoft\Teams\storage.json

Exclusion List - Directories:
AppData\local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState
AppData\Roaming\Microsoft\Teams\meeting-addin\Cache
AppData\Roaming\Microsoft\Teams\media-stack

If the two directories
%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Microsoft
as well as
%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker
are copied to the user's profile manually or by script before starting Teams, the login is carried out as usual without entering the password. I'll keep testing this, but for now it's a solution we can live with.
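The workaround described above (restore the two AC subfolders before Teams starts), written out as an added example; this is not the poster's script. It assumes the UPM user store path in $StoreRoot (a placeholder UNC, adjust to your environment) and the per-machine Teams.exe location in $TeamsExe, and it refuses to overwrite a non-empty local token cache so a live session is never clobbered.

```powershell
# Added example: restore the AAD BrokerPlugin token cache folders that UPM
# wrote to the user store but did not restore at logon, then launch Teams.
param(
    # ASSUMPTION: placeholder UPM user store path for the current user.
    [string]$StoreRoot = "\\PROFILE-SERVER\UserStore\$env:USERNAME\UPM_Profile",
    # ASSUMPTION: per-machine (ALLUSER=1) x64 Teams install path.
    [string]$TeamsExe  = "$env:ProgramFiles\Microsoft\Teams\current\Teams.exe"
)

$pkgRel   = 'AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC'
$localAC  = Join-Path $env:USERPROFILE $pkgRel
$subDirs  = @('Microsoft', 'TokenBroker')      # the two folders named in the thread
$logFile  = Join-Path $env:LOCALAPPDATA 'TeamsTokenRestore.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $logFile
}

foreach ($dir in $subDirs) {
    $src = Join-Path (Join-Path $StoreRoot $pkgRel) $dir
    $dst = Join-Path $localAC $dir

    if (-not (Test-Path -LiteralPath $src)) {
        Write-Log "source missing, nothing to restore: $src"
        continue
    }
    # Skip when a populated local copy already exists: the broker may hold
    # fresher tokens than the store, and overwriting them would break the session.
    $hasLocal = (Test-Path -LiteralPath $dst) -and
                (Get-ChildItem -LiteralPath $dst -Recurse -File | Select-Object -First 1)
    if ($hasLocal) {
        Write-Log "local copy already populated, skipping: $dst"
        continue
    }
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    Copy-Item -Path "$src\*" -Destination $dst -Recurse -Force -ErrorAction Stop
    Write-Log "restored $dir from $src"
}

if (Test-Path -LiteralPath $TeamsExe) {
    Start-Process -FilePath $TeamsExe
} else {
    Write-Log "Teams.exe not found at $TeamsExe; adjust -TeamsExe"
}
```

These folders hold cached sign-in tokens, so the source must be the user's own ACL-protected store path, not a shared location. Run it in the user's context (e.g. as a logon script) so the copy inherits the user's profile permissions.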
April 13, 2023

Do you have a conditional access policy that forces interactive logon or MFA? Another thing to look at is: do you have UPM profile streaming enabled by GPO? Are you "Always Caching"?
April 17, 2023 Author

On 4/13/2023 at 11:47 PM, Amir Sayes1709162090 said:
Do you have a conditional access policy that forces interactive logon or MFA? Another thing to look at is: do you have UPM profile streaming enabled by GPO? Are you "Always Caching"?

Thank you for your reply. The problem occurs with and without MFA. In fact we use profile streaming; I disabled the feature in my test environment. Unfortunately the error still occurs. Currently we continue to use the workaround with the script. Nonetheless, thanks for the food for thought.
April 25, 2023

Hello Benjamin Bicker,

I had the exact same issue, with the exact same infrastructure. I could apply your workaround successfully until I found the solution. To be able to synchronize everything set explicitly in the UPM settings, including the two folders in "Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC", you need to set the following GPO setting to "Enabled":
-> Computer Configuration/Administrative Templates/Citrix Components/Profile Management/Advanced settings/Disable automatic configuration

If you leave it not configured or disabled, Citrix UPM will not apply everything you ask it to.

Let me know if that helps you.
May 8, 2023 Author

Hello Julien Carette, sorry for the late reply. I was able to successfully test your settings with us. The MS Teams login now works as usual again. Unfortunately, by deactivating the GPO you mentioned, the start menu no longer seems to work properly. Therefore, we will continue to rely on the solution with the script for the time being. Thank you for your help in solving the problem.
July 21, 2023

Could you please share the script you're using to manually copy these two directories:
%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Microsoft
%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker
to a user's profile? Thank you
September 6, 2023

Does anyone have any new information on this topic? Unfortunately, we are experiencing the same problem. Teams wants to have the password after each Citrix login. I already tried to copy the two folders (BrokerToken / Microsoft) manually or by script, but even if both folders exist the password is requested.
September 6, 2023

Are you federating your Microsoft Teams logins to a 3rd party, like Duo? If you have multi-factor setup or federation setup you need to exclude that from your datacenter connection. Have you gone through the process to set up Hybrid Azure AD? If you are using FAS have you configured the PRT configuration?
September 7, 2023

No, we are not using something like Duo and we are not using FAS right now. We went through the process to set up Hybrid Azure AD with a Microsoft employee. What we just noticed is that our Server 2016 VDAs do not have this problem. Only the Server 2022 VDAs.
September 7, 2023

With how MS changed the authentication token process between 2016 and 2022 you may be stuck with using containers. It is part of the reason why MS bought FSLogix. And why Citrix added the function in UPM. Have you tried using a container for just the necessary directory to see if that stores the credentials?
September 8, 2023

I will give it a try today. We are also considering switching completely to containers. Is there a recommended variant?
- UPM + Citrix Container
- UPM + FSLogix Container
- Only Citrix / FSLogix Container without UPM

Thanks for the help up to here
September 8, 2023

I have been using FSLogix for full containerization. I ran into a bug in 2305 UPM that is being addressed in the next version. Once that comes out I will do a side by side bake off between both containerization solutions. Check out this article I wrote on keeping the profile small with FSLogix. https://www.jeffriechers.com/wiki/keeping-fslogix-profiles-small/
September 11, 2023

I have now also installed and set up FSLogix. But still after each Citrix login the Teams password is requested. We also have notebooks in use; the credentials are stored there. Therefore I don't understand why this doesn't work in Citrix. Not even with containers. In addition, I now get a black screen for about 30 seconds before the desktop is displayed.
January 4, 2024

On 9/11/2023 at 9:26 AM, Maik Ludwig said:
I have now also installed and set up FSLogix. But still after each Citrix login the Teams password is requested. We also have notebooks in use; the credentials are stored there. Therefore I don't understand why this doesn't work in Citrix. Not even with containers. In addition, I now get a black screen for about 30 seconds before the desktop is displayed.

I don't know anything about your black screen, but we had the Teams issue with one user and were able to fix this. Basically you have two options, assuming your users are using 2FA.

1: You can enable the RoamIdentity option, which only requires the user to log in the first time. https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles#roamidentity

2: You need to enable Azure AD Connect and Single Sign On (which you probably already have) and also configure Trusted Locations with an Azure AD P1 licence. The last one is crucial because SSO doesn't work with 2FA, so you need to disable it with a Conditional Access Policy for your company IP.

Hope this helps. Regards.