To determine whether you are experiencing this issue, run the following test:
- Obtain your Security Token Service (STS) server's fully qualified domain name (FQDN). To do this, follow these steps:
  - Go to https://login.microsoftonline.com on a non-Android device.
  - Enter your work or school account.
  - When you're redirected to your federated STS login page, note the URL address in the browser. It will resemble the following: https://sts.contoso.com. The FQDN is sts.contoso.com.
- Go to the following URL, replacing <STS_SERVER_FQDN_HERE> with your STS FQDN:
- See whether any of the following messages are displayed:
  - Extra download
  - Sent by server
  - In trust store
Here's a screen shot showing a certificate with the “Sent by server” message, illustrating successful authentication on an Android device:
- When you export the SSL certificate so that it can be placed in the computer's personal store on the AD FS and WAP server (or servers), make sure that you export the private key and that you select Personal Information Exchange - PKCS #12 (.PFX). Also make sure that the "Include all certificates in the certificate path if possible" and "Export all extended properties" check boxes are selected.
- Run certlm.msc on the Windows servers, and then import the *.PFX file into the computer's personal certificate store. When you do this, the server will send the entire certificate chain when a client application uses ADAL for authentication.
Note: The certificate store of Network Load Balancers should also be updated to include the entire certificate chain.
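The export, import and verification steps above, as an added PowerShell example (not part of the original article): it exports the PFX with the full chain, confirms the file actually carries the intermediate certificates before it is copied to the AD FS/WAP servers, imports it there, and then checks that the server can build the chain from its own stores. The thumbprint, file path and password are placeholders, and the private key must have been marked exportable when the certificate was first installed.

```powershell
# Added example, not the article's own code. Replace the placeholder values.
$Thumbprint = '<SSL_CERT_THUMBPRINT_HERE>'   # placeholder: thumbprint of the STS SSL certificate
$PfxPath    = 'C:\Temp\sts-chain.pfx'        # placeholder: where to write the PFX
$PfxPass    = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. On the source computer: export the private key together with the entire
#    chain. -ChainOption BuildChain is the cmdlet equivalent of the wizard's
#    "Include all certificates in the certificate path if possible" check box.
$Cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPass `
    -ChainOption BuildChain | Out-Null

# 2. Inspect the PFX before copying it. OtherCertificates holds the CA
#    certificates that travel with the leaf; if it is empty the import will
#    not fix the Android ADAL failure.
$Pfx = Get-PfxData -FilePath $PfxPath -Password $PfxPass
"End entity : " + $Pfx.EndEntityCertificates[0].Subject
"Chain certs: " + $Pfx.OtherCertificates.Count
if ($Pfx.OtherCertificates.Count -eq 0) {
    throw 'PFX contains only the leaf certificate; re-export with -ChainOption BuildChain.'
}

# 3. On each AD FS / WAP server: import into the computer's personal store.
#    The CA certificates in the PFX are imported along with the leaf, which is
#    what allows the server to send the whole chain during the TLS handshake.
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
    -Password $PfxPass | Out-Null

# 4. Verify that the chain now builds from the local stores alone. Revocation
#    checking is skipped so the check also works without Internet access.
$Installed = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($Chain.Build($Installed)) {
    'Chain builds from local stores:'
    $Chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    # PartialChain here means an intermediate is still missing on this server.
    $Chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation)" }
}
```

Run step 1 and 2 on the computer that holds the original certificate, and steps 3 and 4 on every AD FS and WAP server (and repeat the import on any Network Load Balancer that terminates TLS, as the note above says).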
Article ID: 3203929 - Last Review: 21 Dec 2016 - Revision: 1