I have been working on another mobility project for the last couple of months. This project started as a hybrid SCCM/Intune project on the "old" SCCM 2012 R2 platform; a couple of weeks ago we migrated the platform to the latest service pack in order to get all of the new hybrid mobile features in place. The project supports Android, iOS and Windows Phone 8.1 devices.

In the beginning the company portal was deployed to the Windows Phones using the Windows Phone trial certificate (not supported, but it works). That part worked as expected for many months, but using the trial certificate is not really a valid Enterprise solution for several reasons.

  1. The certificate will expire
  2. The in-house company portal is not updated at the same cadence as the Company Portal installed from the Windows Store.

For that reason we decided to uninstall the in-house company portal and switch to the Company Portal from the Windows Store. After installing the Windows Store Company Portal, none of the Windows Phone users were able to sign in to the portal using the AD FS solution. What we experienced was the Company Portal login screen trying to redirect the user to the AD FS login portal; during that process it fails and returns to the Company Portal login.

A quick look at the Windows Phone 8.1 log files revealed sign-in issues with Azure AD:

2015-06-26T08:19:51.5954162Z VERB Event      None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 3-0-0 Starting user sign in process. SignInPromptBehavior: Default
2015-06-26T08:19:51.6115307Z VERB MethodEnter None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 3-0-0 Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AzureADAuthenticationService – AuthenticateAsync() Enter
2015-06-26T08:19:51.6115307Z INFO Event      None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 3-0-0 Acquiring Azure AD token for Graph API.
2015-06-26T08:19:51.7233283Z VERB MethodLeave None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 7-0-0 Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AzureADAuthenticationService – AuthenticateAsync() Leave
2015-06-26T08:19:51.7978590Z INFO Event      None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 3-0-0 Token acquisition has been handed off.
2015-06-26T08:19:51.7988680Z INFO Event      None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 3-0-0 END_METHOD
2015-06-26T08:19:52.1141169Z VERB MethodEnter None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 3-0-0 Microsoft.Management.Services.SelfServicePortal.Phone.App – OnSuspending() Enter
2015-06-26T08:19:52.1443355Z VERB MethodLeave None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 3-0-0 Microsoft.Management.Services.SelfServicePortal.Phone.App – OnSuspending() Leave
2015-06-26T08:20:23.6956849Z VERB MethodEnter None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 3-0-0 Microsoft.Management.Services.SelfServicePortal.Phone.App – OnActivated() Enter
2015-06-26T08:20:23.7339593Z INFO Event      None                    0 b4045eed-1d8b-492d-a130-1b4f3b90c088 3-0-0 Sign in is being resumed. Navigating to login page

After some troubleshooting (coffee involved), we were able to track down the issue in AD FS and fix it. What we saw in AD FS when connecting with WP 8.1 devices was "Token acquisition has been cancelled by user": the WebAuthenticationBroker in WP 8.1 tries AcquireTokenSilentlyAsync, and that step errors when DeviceAuthenticationEnable is configured to True.


We configured DeviceAuthenticationEnable to False, and the Windows Phone 8.1 devices were able to sign in to the Store Company Portal again.
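The change above done from PowerShell instead of the AD FS console, as an added example (not from the original post). It assumes the ADFS module on an AD FS 2012 R2 server and an elevated session; the setting the post calls DeviceAuthenticationEnable is the DeviceAuthenticationEnabled property of the global authentication policy, and the script records the previous state and verifies the result rather than just flipping the switch.

```powershell
# Added example, not the original post's code. Run elevated on the AD FS server.
Import-Module ADFS

# Capture and back up the current global authentication policy first, so the
# previous state can be restored if the change turns out to have side effects.
$before = Get-AdfsGlobalAuthenticationPolicy
$backup = Join-Path $env:TEMP ("AdfsGlobalAuthPolicy-{0:yyyyMMdd-HHmmss}.xml" -f (Get-Date))
$before | Export-Clixml -Path $backup
Write-Host "DeviceAuthenticationEnabled before: $($before.DeviceAuthenticationEnabled) (backup: $backup)"

if ($before.DeviceAuthenticationEnabled) {
    # This is the option shown as "Enable device authentication" in the AD FS console.
    # Turning it off also stops AD FS from issuing device claims for Workplace Joined
    # devices, so any issuance or authorization rules that depend on those claims
    # should be reviewed before applying the change.
    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $false
}

# Re-read the policy and fail loudly if the setting did not actually change.
$after = Get-AdfsGlobalAuthenticationPolicy
if ($after.DeviceAuthenticationEnabled) {
    throw "DeviceAuthenticationEnabled is still True; the policy change was not applied."
}
Write-Host "DeviceAuthenticationEnabled is now False; retry Company Portal sign-in from a Windows Phone 8.1 device."
```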