
Outlook 365 prompting for MS password at launch


Chris Gundry

Question

Hi all

 

We have been using Server 2012 R2 for our VDAs for a long time, finally moving to Server 2019.

We use Office 365 apps, Office, Word etc. 

Users are OnPrem users, synced to O365/AAD, mailboxes are in 365 now so hybrid setup.

 

On 2019 we have a MS login prompt for Outlook each time the user launches the Citrix desktop. If they login and do 2FA then they are able to use Outlook just fine for the duration of that session. Next time they launch the desktop they get the same login prompt again.

On 2012 R2 we have no issues.

 

Things I have checked/tried.

1. As far as I can see the Microsoft.AAD.BrokerPlugin package is fine


2. https://support.citrix.com/article/CTX460176/outlook-require-credentials-each-time-though-upm-configured

reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity" /v DisableADALatopWAMOverride /t REG_DWORD /d 1 /f

reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity" /v DisableAADWAM /t REG_DWORD /d 1 /f

This DOES fix it, but as per the article (https://docs.microsoft.com/en-us/office365/troubleshoot/administration/disabling-adal-wam-not-recommended), is not recommended, so trying to understand the issue and resolve it, rather than masking it...

 

3. I don't see any files in %localappdata%\Microsoft\Office\16.0\Licensing on 2012 R2 or on 2019. I thought I should as we are using shared activation, but I wasn't the one who set up O365 Office when we moved to it 2 years ago.

I tried adding it to sync dir in UPM as a test, nothing appeared in UPM or in the local VDA profile. Tried setting the overridecache and cachelocation settings as well, still no files. Given that the dir is not synced in the 2012 UPM profile, the files are not there in 2012 R2, but 2012 R2 VDAs are working fine, I don't think that is related.

 

4. Checked the 2012 R2 UPM profile vs 2019 and it's essentially the same, just a few additions for 2019 start menu etc.

 

5. Clearing local credential store made no difference.

 

6. Workspace join disabled

We had already blocked AAD workspace join using HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: “BlockAADWorkplaceJoin”=dword:00000001

 

7. Tried HKEY_CURRENT_USER\Software\Microsoft\Exchange, AlwaysUseMSOAuthForAutoDiscover dword=1

No change

 

8. Applocker is NOT currently enabled, for testing.

 

9. https://support.citrix.com/article/CTX267071/password-field-not-displayed-when-publishing-any-office-365-application-such-as-excel-or-word-on-server-2019-or-windows-10

Not quite the same, but we are on 2203 CU1 so doesn't apply.

 

10. Reset office activation state: https://learn.microsoft.com/en-us/office/troubleshoot/activation/reset-office-365-proplus-activation-state

 

Anyone have any bright ideas please?

 

Many thanks

Link to comment

17 answers to this question

Recommended Posts

  • 0

1. Make sure you are using a profile manager that can support the token storage of office.  UPM containers, or FSLogix.

2. Enable Shellbridge, it fixes a lot of auth messages.

3. If you are using Hybrid Azure AD, make sure to get it setup for proper TGT or PRT generation for users single sign-on.  This article covers PRT, but if not using FAS just ignore the Cert part but follow the Workplace Join section.  https://www.jeffriechers.com/wiki/azuread-prt-with-fas-certificates/

 

Link to comment
  • 0
On 4/18/2023 at 12:13 PM, Jeff Riechers1709152667 said:

1. Make sure you are using a profile manager that can support the token storage of office.  UPM containers, or FSLogix.

2. Enable Shellbridge, it fixes a lot of auth messages.

3. If you are using Hybrid Azure AD, make sure to get it setup for proper TGT or PRT generation for users single sign-on.  This article covers PRT, but if not using FAS just ignore the Cert part but follow the Workplace Join section.  https://www.jeffriechers.com/wiki/azuread-prt-with-fas-certificates/

 

 

Hi Jeff

 

Thanks for the info, sorry it's taken a while to reply, I have not been well.

 

To reply to your info:

1. Ahh, that might be the crucial bit for us. Our infra components are on 1912 still currently, so I think we don't have UPM containers. Office works fine in 2012 R2 though, so something changed in 2019 that means we need containers now? We are planning the Infra component upgrade from 1912 to 2203 next week (we already migrated from 2012 R2 to 2019 servers), so we can look at containers after that. We had planned to implement containers anyway.

2. My understanding was that was only really required for published apps, where we are a desktop only company, so didn't think we would need it. There also seems to be a lot of reports that it's broken in 2203 CU2...?

3. Our VDAs are not hybrid joined, so I think we don't need to set all that up?

 

Many thanks

Link to comment
  • 0

@jeff any ideas? I am a bit stumped...

 

We recently completed the upgrade to 2203 and I tested UPM containers and this did solve the login issue, which was great. So in my mind this tells me that something is missing from the UPM profile...?

However, we don't actually want to use UPM containers because we discovered that in 2203 there is no VHDX compaction process.

 

We tested FSLogix containers instead and got those working, but the login issue seems to still be happening with FSLogix, which is odd as it stopped with UPM containers... We used both profile and Office containers, and ticked the office activation bit too. I have seen the known issue about sign ins, but that says it was in version 2210 (2.9.8361.52326) and we tested with FSLogix 2210 hotfix 1 (2.9.8440.42104)...

Link to comment
  • 0

OK, have an update...

 

FSLogix_Apps_2.9.8228.50276 is working, latest FSLogix_Apps_2.9.8440.42104 is not working.

They said the known issue was in 2210 (2.9.8361.52326) and don't mention the latest 2.9.8440 as being affected, just 2.9.8361? But can't be a coincidence!

 

I have spotted this as well:

FSLogix 2210 hotfix 1 (2.9.8440.42104)
Setting: Added new configuration setting (RoamIdentity).
Allows legacy roaming for credentials and tokens created by the Web Account Manager (WAM) system. https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles#roamidentity
The default setting is to not roam the credentials or tokens which is the preferred setting. While this may not be the ideal configuration for some customers, we created this setting to provide customers a way to roam these items similarly to FSLogix v2201 hotfix 2 (2.9.8228.50276).

 

So seems like in the latest version they have changed the way that roaming credentials are handled, by not roaming the folders MS say should not be roamed, but that is breaking the process for us in the latest version. I will test that registry key on the latest version in a bit and see if it reverts the behavior to how it seems to be working in 2.9.8228.50276, which works for us.

 

FSLogix issue is resolved
In 2.9.8440.42104 they added a new 'Roam Identity' setting. This reverses the change they made in 2.9.8440.42104 (and maybe 2.9.8361.52326), which causes the login issue. Applying this setting has resolved the login issue with FSLogix 2.9.8440.42104, so latest version is now working for us.

 

Although this does not actually solve the issue with our UPM profiles (and I would still be open to a solution around that), we likely will migrate to FSLogix profiles, as that was a medium term goal for us anyway.

I think the key is this KB from MS, which FSLogix referenced somewhere. 
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure
It says that you shouldn't roam a load of identity related folders. I think they are somehow not in our UPM, or are not roaming properly in our UPM and as a result, we get the login issue. But given that we want to go to FSLogix anyway, I don't want to waste anymore time on the UPM issue!

Link to comment
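The post above lists several registry settings that together decide whether Office WAM tokens survive a Citrix logon (the FSLogix RoamIdentity value, the CTX460176 WAM-disabling workaround, the workplace-join block and the AAD broker package folder). The following audit script is an added example, not from the thread or from Citrix/Microsoft; it assumes frx.exe carries the FSLogix build as its file version and that the broker package folder is named Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy, and it only reads values, so it is safe to run on a test VDA while logged on as an affected user.

```powershell
# Added example (hypothetical): read-only audit of the settings discussed in
# this thread. Run in the user's session on a Server 2019 VDA.

function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '(not set)' }
    return $item.$Name
}

$report = [ordered]@{}

# 1. FSLogix build and the RoamIdentity setting added in 2210 hotfix 1 (2.9.8440.42104).
#    Assumption: frx.exe FileVersion equals the FSLogix release number.
$frx = Get-Item 'C:\Program Files\FSLogix\Apps\frx.exe' -ErrorAction SilentlyContinue
$report['FSLogix version']       = if ($frx) { $frx.VersionInfo.FileVersion } else { '(not installed)' }
$report['Profiles\RoamIdentity'] = Get-RegValue 'HKLM:\SOFTWARE\FSLogix\Profiles' 'RoamIdentity'
$report['ODFC\RoamIdentity']     = Get-RegValue 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC' 'RoamIdentity'

# 2. The CTX460176 workaround that Microsoft documents as not recommended.
$office = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$report['DisableADALatopWAMOverride'] = Get-RegValue $office 'DisableADALatopWAMOverride'
$report['DisableAADWAM']              = Get-RegValue $office 'DisableAADWAM'

# 3. Workplace-join block and the AAD broker package in the roamed profile.
$report['BlockAADWorkplaceJoin'] = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' 'BlockAADWorkplaceJoin'
$broker = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'
$report['AAD.BrokerPlugin folder present'] = Test-Path $broker

$report.GetEnumerator() | ForEach-Object { '{0,-34} {1}' -f $_.Key, $_.Value }

# Flag the two states this thread identifies: WAM disabled (masks the prompt),
# and a new FSLogix build without RoamIdentity=1 (tokens no longer roam).
if ($report['DisableAADWAM'] -eq 1 -or $report['DisableADALatopWAMOverride'] -eq 1) {
    Write-Warning 'WAM is disabled for Office: the sign-in prompt is masked, not fixed.'
}
if ($frx -and [version]$frx.VersionInfo.FileVersion -ge [version]'2.9.8440.42104' -and
    $report['Profiles\RoamIdentity'] -ne 1) {
    Write-Warning 'FSLogix >= 2.9.8440.42104 without RoamIdentity=1: WAM tokens will not roam.'
}
```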
  • 0
On 5/4/2023 at 9:40 AM, Chris Gundry said:

OK, have an update...

 

FSLogix_Apps_2.9.8228.50276 is working, latest FSLogix_Apps_2.9.8440.42104 is not working.

They said the known issue was in 2210 (2.9.8361.52326) and don't mention the latest 2.9.8440 as being affected, just 2.9.8361? But can't be a coincidence!

 

I have spotted this as well:

FSLogix 2210 hotfix 1 (2.9.8440.42104)
Setting: Added new configuration setting (RoamIdentity).
Allows legacy roaming for credentials and tokens created by the Web Account Manager (WAM) system. https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles#roamidentity
The default setting is to not roam the credentials or tokens which is the preferred setting. While this may not be the ideal configuration for some customers, we created this setting to provide customers a way to roam these items similarly to FSLogix v2201 hotfix 2 (2.9.8228.50276).

 

So seems like in the latest version they have changed the way that roaming credentials are handled, by not roaming the folders MS say should not be roamed, but that is breaking the process for us in the latest version. I will test that registry key on the latest version in a bit and see if it reverts the behavior to how it seems to be working in 2.9.8228.50276, which works for us.

 

FSLogix issue is resolved
In 2.9.8440.42104 they added a new 'Roam Identity' setting. This reverses the change they made in 2.9.8440.42104 (and maybe 2.9.8361.52326), which causes the login issue. Applying this setting has resolved the login issue with FSLogix 2.9.8440.42104, so latest version is now working for us.

 

Although this does not actually solve the issue with our UPM profiles (and I would still be open to a solution around that), we likely will migrate to FSLogix profiles, as that was a medium term goal for us anyway.

I think the key is this KB from MS, which FSLogix referenced somewhere. 
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure
It says that you shouldn't roam a load of identity related folders. I think they are somehow not in our UPM, or are not roaming properly in our UPM and as a result, we get the login issue. But given that we want to go to FSLogix anyway, I don't want to waste anymore time on the UPM issue!


Chris,

 

Thank you so much for posting all of this! My Help Desk was getting bombarded by calls for users having to sign into their O365 apps every time they logged into Citrix. I made the registry change in the master image and pushed it out and sure enough, credentials were being saved. This post saved me hours and hours of grief. Again, Thank You!

 

Link to comment
  • 0
14 hours ago, Jeremiah Alger said:


Chris,

 

Thank you so much for posting all of this! My Help Desk was getting bombarded by calls for users having to sign into their O365 apps every time they logged into Citrix. I made the registry change in the master image and pushed it out and sure enough, credentials were being saved. This post saved me hours and hours of grief. Again, Thank You!

 

 

Awesome, no worries at all, glad it helped. It was certainly an annoying issue for me, took several days of poking about to find the cause!

Link to comment
  • 0
On 7/5/2023 at 1:45 PM, Jeff Riechers1709152667 said:

Which issue?  There are a few things here that can cause this.

 

1. Legacy login token not being stored.

2. Office 365 looking for Hybrid Azure AD join.

3. Accounts not setup for shared accounts.

 

What is the exact error you are seeing?

The issue explained on the first post.

Link to comment
  • 0
On 7/4/2023 at 11:01 AM, Richard Castillon said:

Hello all,

Same issue with UPM.
Has anybody found a solution? I don't want to use FSLogix for the moment.

 

Regards,

 

We are moving onto FSLogix now, which is working for us, so far.

 

However I think it's something to do with the Appdata\Local\Packages folder in our case. If we exclude that from FSLogix then we get the issue (prompted for sign in to Office each logon) again. I did try and MIRROR that folder with UPM previously, but it didn't work for us at the time. But maybe it points you toward something...

Link to comment
  • 0

Hi, I am also having the issue on 2019 VDAs. Just installed the latest FSLogix update 2.9.8440.42104 into the master image and now having to sign in to Office 365 every sign in while in UAT.

I am also having trouble finding the DWORD "RoamEntity" to edit so I can test on an image before I update the master image.

Our VDAs are AD joined not Azure joined. Any guidance would be appreciated.

TIA

Also on CU7, latest Windows and Office updates 11 August 2023

 

Link to comment
  • 0

The Roam Identity is in the updated ADMX files that come with the updated software.

 

Also, Hotfix 2 was released, so you should install that instead of Hotfix 1, and it also has newer ADMX files that better organize data.

 

If you are going to be using Edge, Office 365, and/or Onedrive you should work on getting Azure AD Hybrid mode setup to handle authentication more seamlessly.

 

Check out my article here for my detail on setting up Azure AD Hybrid installation.  https://www.jeffriechers.com/wiki/azuread-prt-with-fas-certificates/

Link to comment
  • 0
On 8/25/2023 at 4:30 AM, Alison Myers1709163890 said:

Hi, I am also having the issue on 2019 VDAs. Just installed the latest FSLogix update 2.9.8440.42104 into the master image and now having to sign in to Office 365 every sign in while in UAT.

I am also having trouble finding the DWORD "RoamEntity" to edit so I can test on an image before I update the master image.

Our VDAs are AD joined not Azure joined. Any guidance would be appreciated.

TIA

Also on CU7, latest Windows and Office updates 11 August 2023

 

If you read through the posts in this topic you will see there are changes/issues in 2.9.8440.42104 aka hotfix 1 that require you to take some actions. I have detailed those in previous posts in this topic. I have no idea if they have changed it further or 'fixed it' in hotfix 2 as we have not tried it yet.

Link to comment
  • 0
On 8/30/2023 at 9:44 AM, Chris Gundry said:

If you read through the posts in this topic you will see there are changes/issues in 2.9.8440.42104 aka hotfix 1 that require you to take some actions. I have detailed those in previous posts in this topic. I have no idea if they have changed it further or 'fixed it' in hotfix 2 as we have not tried it yet.

 

Hey Chris,

have you been able to solve the problem in the meantime?

I have the same problem. We use UPM for the Citrix profile and fslogix for the Office profile. If we start Outlook first after the Citrix login, we always get a login window for the Office login first. However, if we start Word first, everything is OK and then Outlook also starts without any problems. I'm slowly running out of ideas... 

 

Link to comment
  • 0
24 minutes ago, Kevin Kraumlmer said:

 

Hey Chris,

have you been able to solve the problem in the meantime?

I have the same problem. We use UPM for the Citrix profile and fslogix for the Office profile. If we start Outlook first after the Citrix login, we always get a login window for the Office login first. However, if we start Word first, everything is OK and then Outlook also starts without any problems. I'm slowly running out of ideas... 

 

 

That's different than what we saw. All the info I have is in this topic and we have resolved it by making the changes mentioned already.

Link to comment
  • 0
On 1/12/2024 at 1:25 PM, Kevin Kraumlmer said:

 

Hey Chris,

have you been able to solve the problem in the meantime?

I have the same problem. We use UPM for the Citrix profile and fslogix for the Office profile. If we start Outlook first after the Citrix login, we always get a login window for the Office login first. However, if we start Word first, everything is OK and then Outlook also starts without any problems. I'm slowly running out of ideas... 

 

Hello Kevin,

I have exactly the same problem as you! "if we start Word first, everything is OK and then Outlook also starts without any problems"

I use Citrix UPM to synchronize the user profile and FSLogix to attach the Office365 container (VDA version 2206 and FSLogix version: 2.9.8612.60056).

If I use a user profile for testing with only FSLogix (profile and container) I don't encounter the problem.

Have you managed to fix it?

Thank you

Link to comment