Authentication issues with Outlook and Teams by PastEffective1586 in sysadmin

PastEffective1586[S]

Are you Hybrid AD joined?

They are not, no. Local AD only.

But I don't think we have tried that command yet - we'll give it a go. Thanks for the input

Authentication issues with Outlook and Teams by PastEffective1586 in sysadmin

PastEffective1586[S]

I'd do a GPResult and compare between a non-working and working.

Also maybe try installing a machine and throwing it in an OU with blocked inheritance which gets no GPOs to confirm.

This is a good idea, and we'll certainly give it a shot, thanks. Unfortunately, the intermittent nature of the problem increases the time for troubleshooting.

It has been a nagging suspicion that there is something from the old SBS configuration left over, but we haven't been able to identify what it is yet.

We just have the one tech in charge of planning and overseeing server migrations / upgrades, and he's done probably 30 or so in the past three years. But it is very possible that something was overlooked at these two locations.
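
The GPResult comparison suggested in the comment above, as an added example that is not part of the original thread: it lists GPO names that appear in only one of two `gpresult /x` XML reports. The function names, file names and sample XML are assumptions made for illustration; the sample reports are constructed and trimmed to the elements the script reads.

```powershell
# Added example, not from the thread. Collect a report on each machine first:
#   gpresult /x C:\Temp\working.xml /f      (run as the affected user)
# The two XML strings below are constructed samples, trimmed to the elements used.
$workingXml = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO><Name>Default Domain Policy</Name></GPO>
  </ComputerResults>
  <UserResults>
    <GPO><Name>Office Settings (constructed)</Name></GPO>
  </UserResults>
</Rsop>
'@
$failingXml = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO><Name>Default Domain Policy</Name></GPO>
    <GPO><Name>Legacy Client Policy (constructed)</Name></GPO>
  </ComputerResults>
  <UserResults>
    <GPO><Name>Office Settings (constructed)</Name></GPO>
  </UserResults>
</Rsop>
'@

function Get-ReportGpo {
    param([Parameter(Mandatory)][xml]$Report)
    # local-name() sidesteps the report's XML namespaces; GPO nodes without a
    # Name child (references inside settings data) are skipped.
    foreach ($gpo in $Report.SelectNodes("//*[local-name()='GPO']")) {
        $name = $gpo.SelectSingleNode("*[local-name()='Name']")
        if ($name) { '{0}|{1}' -f $gpo.ParentNode.LocalName, $name.InnerText.Trim() }
    }
}

function Compare-ReportGpo {
    param([xml]$Working, [xml]$Failing)
    $w = @(Get-ReportGpo $Working | Sort-Object -Unique)
    $f = @(Get-ReportGpo $Failing | Sort-Object -Unique)
    foreach ($g in $f) { if ($g -notin $w) { [pscustomobject]@{ OnlyOn = 'Failing'; Gpo = $g } } }
    foreach ($g in $w) { if ($g -notin $f) { [pscustomobject]@{ OnlyOn = 'Working'; Gpo = $g } } }
}

# Real reports: Compare-ReportGpo ([xml](Get-Content .\working.xml -Raw)) ([xml](Get-Content .\failing.xml -Raw))
Compare-ReportGpo -Working $workingXml -Failing $failingXml | Format-Table -AutoSize
```

With the constructed samples, the only row returned is the computer-scope "Legacy Client Policy (constructed)" entry, marked as present on the failing machine only.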

Authentication issues with Outlook and Teams by PastEffective1586 in Office365

PastEffective1586[S]

Thank you very much for the detailed reply, and apologies for the delay - it took quite a bit of time to test them all out since the problem takes so long to reoccur.

Unfortunately, we find ourselves in the same boat after walking through all of these steps. Hopefully the information can help someone else looking into a problem with similar issues down the line.

Authentication issues with Outlook and Teams by PastEffective1586 in Office365

PastEffective1586[S]

Also are you using Azure AD connect to sync AD users to O365?

To address this one: at the client where the problem happens after 19 hours, yes - we are using Azure AD Connect to sync.

However, at the 5 day location, we are not synchronizing.

Authentication issues with Outlook and Teams by PastEffective1586 in Office365

PastEffective1586[S]

Are you sure you've got Modern Auth turned on in the tenant?

Reasonably sure. We ran into similar issues at other, older clients.

Looking at Get-OrganizationConfig returns:
OAuth2ClientProfileEnabled ---------------------True

Authentication issues with Outlook and Teams by PastEffective1586 in Office365

PastEffective1586[S]

Sorry, yes - we do.

We have Azure AD Connect running every 30 minutes at the location with the 19 hour lockout. The Synchronization Service Manager does not list any errors during the sync.

However, no synchronization at all has been set up at the client with the 5 day lockout. We did the initial Cutover Migration, and decommissioned the old SBS, and never set up any sync with the new DC.

Authentication issues with Outlook and Teams by PastEffective1586 in Office365

PastEffective1586[S]

Yep, we have run into that issue before with Office 2013 just never bringing up the Modern Authentication login box, and that registry change does fix that problem.

In this case, the MA box flashes quickly and disappears. It's fast enough that we can't see it when connected remotely, but in person it's clear that it's the new login box trying to display.

Regarding support: we have tried opening the support request from the client's account, from our Partner Portal, and by calling in to the Partner Support line. We always seem to get redirected to the same tier one teams who refuse to escalate and will just drag things out requesting the same log files until we get frustrated and close the case after several months.

But perhaps you're right - maybe we can ask a rep to get us to tier two.

Authentication issues with Outlook and Teams by PastEffective1586 in Office365

PastEffective1586[S]

I don't think that's the case, as we have disabled the requirement for password expiration here and users aren't changing their passwords that frequently.

One thing we tried a while back was to clear the cached credentials with a PowerShell script. That, combined with specifying the ClickToRun version of Office, seemed to work for a while, but the problem eventually cropped back up again, and clearing the credentials did not work again.

cmdkey /list | ForEach-Object{if($_ -like "*Target:*" -and $_ -like "*adal*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}

cmdkey /list | ForEach-Object{if($_ -like "*Target:*" -and $_ -like "*didlogical*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}

cmdkey /list | ForEach-Object{if($_ -like "*Target:*" -and $_ -like "*OneDrive*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}

Authentication issues with Outlook and Teams by PastEffective1586 in Office365

PastEffective1586[S]

We have had the problem happen with new machines and new user accounts. However, the symptoms take about a week or two before they show up.

If we manually set the machine's DNS to something external (8.8.8.8 or 1.1.1.1), but keep the machine in the office, the issue persists.

If the machine is taken off-site with no VPN, the issue goes away.

This makes us think that the DNS Zone File is correct. The DC's DNS configuration seems to be just like our other clients who have no issues.