Cannot sign in to Skype for Business after enabling ADAL (aka Modern Authentication)

Symptoms

After Azure AD Authentication Library (ADAL) is enabled, users cannot sign in to Skype for Business, and they receive the following error message:

You didn’t get signed in. It might be your sign-in address or logon credentials, so try those again. If that doesn’t work, contact your support team.


Cause

This issue occurs because Integrated Windows Authentication is enabled for the ADAL Security Token Service (STS) URL, so the browser silently presents the credentials of the account that is logged on to the operating system. The sign-in fails when the user is signing in to Skype for Business with a different account than the one logged on to the operating system.

Resolution

To resolve this issue, change the Internet Explorer “User Authentication” settings on the affected client computers to “prompt for user name and password” in the security zone. To do this, use one of the following methods.

Method 1: Change the setting manually

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. Select the security zone that includes the STS URL. Typically, this is the Local Intranet zone.
  3. Click the Custom level button, and then scroll to the end of the Settings list.
  4. In the User Authentication section, select the Prompt for user name and password option.

Method 2: Use Group Policy

Push the following registry key to the affected client computers by using the following Group Policy Object:

  • Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • Value name: 1A00
  • Type: REG_DWORD
  • Value: 0x10000

The value 0x10000 represents the “Prompt for user name and password” setting.
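The following PowerShell script is an added example, not part of the original article. It audits the 1A00 logon setting for the Local Intranet zone (zone 1) under HKLM, which is the key Method 2 pushes, reports what the current value means, and writes 0x10000 only when run with -Apply from an elevated session. The other 1A00 values in the lookup table (0x0, 0x20000, 0x30000) are the documented Internet Explorer zone logon modes and are not mentioned in the article; the Security_HKLM_only check is a caveat added here.

```powershell
# Added example (not from the KB article): audit and optionally set the
# "Prompt for user name and password" logon setting (value 1A00) for the
# Local Intranet zone (zone 1) under HKLM, the key pushed by Method 2.
# Run in an elevated PowerShell session; pass -Apply to write the value.
param(
    [switch]$Apply
)

$ZonePath  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$ValueName = '1A00'
$Desired   = 0x10000   # "Prompt for user name and password" (the value from the article)

# Documented meanings of the 1A00 logon setting for an IE security zone
$LogonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Read the current machine-wide value, if any
$current = (Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "HKLM zone 1 has no $ValueName value; the per-user HKCU setting is in effect."
} else {
    $label = if ($LogonModes.ContainsKey([int]$current)) { $LogonModes[[int]$current] } else { 'unknown' }
    Write-Host ("HKLM zone 1 {0} = 0x{1:X} ({2})" -f $ValueName, $current, $label)
}

# Caveat: HKLM zone settings override per-user HKCU settings only when the
# "Security Zones: Use only machine settings" policy (Security_HKLM_only) is enabled.
$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly = (Get-ItemProperty -Path $PolicyPath -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -ne 1) {
    Write-Warning 'Security_HKLM_only is not set to 1; per-user HKCU zone settings may still take precedence.'
}

# Apply the article's value only when asked to and when it is not already set
if ($Apply -and $current -ne $Desired) {
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    New-ItemProperty -Path $ZonePath -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null
    Write-Host ("Set {0} to 0x{1:X} ({2})" -f $ValueName, $Desired, $LogonModes[$Desired])
}
```

Run it without -Apply first to see what a given kiosk currently enforces; if the warning about Security_HKLM_only appears, the registry value alone may not change the behaviour for users whose HKCU zone settings differ, and the Group Policy deployment should include that policy or target the per-user key as well.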

More Information

When the ADAL STS URL resolves to an internal ADFS server and Integrated Windows Authentication is enabled in browsers, computers on which many different users sign in to client applications (for example, a kiosk) may fail to authenticate those logon attempts. To avoid this issue, the browser must be explicitly configured to prompt users for their credentials in the relevant browser Security Zone. On such a computer, the account that is logged on to the operating system may differ from the user account that is used to sign in to the Skype for Business client, and in this situation you may see the failures that are described in the "Symptoms" section.

If you have kiosks on which the user who starts the Skype for Business client differs (that is, has a different account) from the user who is logged on to the computer, you may want to test the method of turning on the Prompt for user name and password option for these computers in Group Policy.
Properties

Article number: 3151223 – Last revised: 05.04.2016 – Revision: 1
