Sharepoint - SharePoint 2016 - ADFS - persistent cookie - office client integration - authentication prompt

Try this solution:

  1. HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity
  2. Check if EnableADAL key is present
  3. If not present then create new REG_DWORD key with name EnableADAL and value 0

This worked for me
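The three registry steps above, written out as an idempotent Windows PowerShell script for the client machine running Office 2016. This is an added example and not part of the original answer; the key path and value name come from the answer, and the script checks the current state before writing so it can be run repeatedly. Note that EnableADAL = 0 under HKCU turns off modern authentication for every Office 16.0 application of that user, not just for SharePoint, so it is a per-user client workaround rather than a farm-wide fix.

```powershell
# Added example (not from the original answer): idempotent version of the registry
# steps above, for Windows PowerShell on the client machine running Office 2016.
# Key path and value name are taken from the answer; nothing else is assumed.
$identityKey = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
$valueName   = 'EnableADAL'

function Get-OfficeAdalState {
    # Returns 'absent' when the value does not exist, otherwise its DWORD content (0 or 1).
    $item = Get-ItemProperty -Path $identityKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'absent' }
    return [int]$item.$valueName
}

function Disable-OfficeAdal {
    # Creates the Identity key if Office has not written it yet, then sets EnableADAL = 0.
    if (-not (Test-Path $identityKey)) {
        New-Item -Path $identityKey -Force | Out-Null
    }
    $before = Get-OfficeAdalState
    if ($before -eq 0) {
        Write-Host 'EnableADAL is already 0; nothing to do.'
        return
    }
    # -Force overwrites an existing value, so this covers both the 'absent'
    # and the 'present but set to 1' cases in one call.
    New-ItemProperty -Path $identityKey -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host ('EnableADAL changed from {0} to {1}. Restart Office applications for it to take effect.' -f $before, (Get-OfficeAdalState))
}

Write-Host ('Current EnableADAL state: {0}' -f (Get-OfficeAdalState))
Disable-OfficeAdal
```

Run it in the affected user's own session (the key lives under HKCU, so running it elevated as a different account changes the wrong hive). To undo, set the value back to 1 or delete it with Remove-ItemProperty.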


And, here's an update: KB3203432 - https://support.microsoft.com/en-us/help/3203432/descriptionofthesecurityupdateforsharepointserver2016june13-2017 did seem to fix this problem (the 401 vs 403 issue) without using the module above. However, it then created another problem for us in our on-premises SP 2016 system with Office 2016 (and claims auth via AD FS). A note in the KB says this:

Administrators who wish to suppress modern authentication with Office 2016 applications can now configure the SPSecurityTokenServiceConfig object when the SuppressModernAuthForOfficeClients property is set to $false.

But in fact, after the update, the default value of SuppressModernAuthForOfficeClients is set to $false, which causes Office clients to fail authentication with the cryptic "Your organization's policies..." message. To get back to normal, you have to do this:

# Run in the SharePoint 2016 Management Shell on a farm server
$c = Get-SPSecurityTokenServiceConfig
# $true stops the farm from offering modern (ADAL/OAuth) auth to Office 2016 clients
$c.SuppressModernAuthForOfficeClients = $true
$c.Update()

I was having the exact same problem. Using SharePoint 2016, Office 2016, and ADFS 4.0/2016, the only way I can get it to work is to disable ADAL. ADAL is not supported for on-premise Exchange, so I wonder if the same is true for SharePoint as well. SharePoint 2013 in the exact same environment works OK.

Poking around in Fiddler, I can see a few differences with ADAL enabled/disabled. With it enabled, the request headers are different, the server returns a 401 vs a 403, and there is also a bit about hitting an OAuth URL.

With ADAL enabled:

OPTIONS hxxps://sharepoint.domain/Shared%20Documents/ HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer
User-Agent: Microsoft Office Word 2014 (16.0.4456) Windows NT 10.0
X-Office-Major-Version: 16
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: sharepoint.domain

HTTP/1.1 401 Unauthorized
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/8.5
X-SharePointHealthScore: 0
SPRequestGuid: 75fed49d-4537-0085-da92-b195d2c7ea26
request-id: 75fed49d-4537-0085-da92-b195d2c7ea26
X-Forms_Based_Auth_Required: hxxps://sharepoint.domain/_login/default.aspx?ReturnUrl=/_layouts/15/error.aspx
X-Forms_Based_Auth_Return_Url: hxxps://sharepoint.domain/_layouts/15/error.aspx
X-MSDAVEXT_Error: 917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.
x-ms-suspended-features: features=""
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.4483
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
WWW-Authenticate: Bearer realm="{Removed GUID}",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000003-0000-0ff1-ce00-000000000000@{Removed GUID}",cookie_uri="https://sharepoint.domain/_api/SP.OAuth.NativeClient/Authenticate"
Date: Tue, 14 Feb 2017 17:45:15 GMT
Content-Length: 13

403 FORBIDDEN

With ADAL disabled:

OPTIONS hxxps://sharepoint.domain/Shared%20Documents/ HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office Word 2014 (16.0.4456) Windows NT 10.0
X-Office-Major-Version: 16
X-MSGETWEBURL: t
X-IDCRL_ACCEPTED: t
Host: sharepoint.domain

HTTP/1.1 403 FORBIDDEN
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/8.5
X-SharePointHealthScore: 0
SPRequestGuid: da02d59d-d5b7-0085-da92-b5fe7b8c3434
request-id: da02d59d-d5b7-0085-da92-b5fe7b8c3434
X-Forms_Based_Auth_Required: hxxps://sharepoint.epi.ophth.wisc.edu/_login/default.aspx?ReturnUrl=/_layouts/15/error.aspx
X-Forms_Based_Auth_Return_Url: hxxps://sharepoint.epi.ophth.wisc.edu/_layouts/15/error.aspx
X-MSDAVEXT_Error: 917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.4483
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
Date: Tue, 14 Feb 2017 19:02:05 GMT
Content-Length: 13

403 FORBIDDEN
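The two captures above can be reproduced without Fiddler. The following is an added example, not code from the original answer: it sends the same unauthenticated OPTIONS request an Office client sends on its first attempt, once with the empty "Authorization: Bearer" header (the ADAL-enabled variant) and once without, and classifies the farm's reply by the 401 plus WWW-Authenticate: Bearer challenge versus the 403 plus X-Forms_Based_Auth_Required header seen in the captures. $SiteUrl is a placeholder for your own site; the Office-style request headers are copied from the captures, and the function name is this example's own.

```powershell
# Added example (not from the original answer): replays the two OPTIONS probes from the
# Fiddler captures with .NET HttpWebRequest so an admin can see, from a workstation or
# server, which challenge the farm currently issues. $SiteUrl is a placeholder.
# Works in Windows PowerShell 5.1 and PowerShell 7.
param([string]$SiteUrl = 'https://sharepoint.example/Shared%20Documents/')

# Windows PowerShell 5.1 may default to TLS 1.0/1.1; modern farms typically require 1.2.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Invoke-SPOptionsProbe {
    param([string]$Url, [switch]$SendBearer)

    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'OPTIONS'
    $req.AllowAutoRedirect = $false            # we want the raw 401/403, not a redirect target
    $req.UserAgent = 'Microsoft Office Word 2014 (16.0.4456) Windows NT 10.0'
    $req.Headers['X-Office-Major-Version'] = '16'
    $req.Headers['X-MSGETWEBURL'] = 't'
    $req.Headers['X-IDCRL_ACCEPTED'] = 't'
    if ($SendBearer) {
        # This is what an ADAL-enabled Office client sends on its first, unauthenticated attempt.
        $req.Headers['Authorization'] = 'Bearer'
        $req.Headers['X-MS-CookieUri-Requested'] = 't'
    }

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403 surface as a WebException; the HttpWebResponse is still attached to it.
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }
    }

    $status    = [int]$resp.StatusCode
    $challenge = $resp.Headers['WWW-Authenticate']
    $formsUrl  = $resp.Headers['X-Forms_Based_Auth_Required']
    $resp.Close()

    # Classify the way the captures do: 401 with a Bearer challenge means the farm is
    # advertising modern (OAuth) auth to the client; a bare 403 carrying the forms-auth
    # header is the classic "browse to the site and sign in first" flow.
    $mode = if ($status -eq 401 -and $challenge -like 'Bearer*') { 'modern auth (Bearer challenge)' }
            elseif ($formsUrl) { 'forms/claims auth (browser sign-in expected)' }
            else { 'unexpected' }

    [pscustomobject]@{
        SentBearerHeader = [bool]$SendBearer
        Status           = $status
        AuthMode         = $mode
        WWWAuthenticate  = $challenge
        FormsAuthUrl     = $formsUrl
    }
}

Invoke-SPOptionsProbe -Url $SiteUrl -SendBearer   # mirrors the "ADAL enabled" capture
Invoke-SPOptionsProbe -Url $SiteUrl               # mirrors the "ADAL disabled" capture
```

Run it before and after changing SuppressModernAuthForOfficeClients on the farm: if the first call stops returning a Bearer challenge and both calls report the forms/claims mode, the farm is no longer steering Office 2016 clients into the OAuth flow, which is the state the working SharePoint 2013 environment in the answer is in.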