AD FS on-premises device registration blocks Windows Phone 8.1 users in Intune

Symptoms
When users try to sign in to the Company Portal app for Windows Phone 8.1, the attempt may fail. This problem occurs if the users' IT pro has enabled AD FS on-premises device registration. This sign-in failure is recorded as a user cancellation error in the Company Portal log.
Cause
The Windows Phone 8.1 Company Portal app uses an OS component that's named the Web Authentication Broker (WAB). This component handles delegated Web login attempts. When AD FS on-premises device registration is enabled, it modifies the AD FS global authentication policy to optionally support device authentication. This, in turn, causes authentication attempts to request client certificates. Because the WAB does not support client certificate authentication, the Web login redirects to the AD FS server, and the WAB cancels the login attempt with a “user canceled” error.
Resolution
To unblock Intune access for Windows Phone 8.1 users, the IT pro must assign a False value to the DeviceAuthenticationEnabled setting in the AD FS global authentication policy. If your enterprise requires this setting to be enabled, direct your users to the web-based Company Portal experience at http://portal.manage.microsoft.com.
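The following is an added example, not part of the original article, showing how an AD FS administrator can check the current value of DeviceAuthenticationEnabled and clear it with the AD FS PowerShell cmdlets (Get-AdfsGlobalAuthenticationPolicy and Set-AdfsGlobalAuthenticationPolicy). It assumes the ADFS module is installed and that the session is running with AD FS administrator rights on the primary AD FS server.

```powershell
# Added example (not from the KB article): inspect and, if needed, clear the
# DeviceAuthenticationEnabled flag in the AD FS global authentication policy.
# Assumes: ADFS PowerShell module present, run as an AD FS admin on the primary server.
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy
Write-Host "DeviceAuthenticationEnabled is currently: $($policy.DeviceAuthenticationEnabled)"

if ($policy.DeviceAuthenticationEnabled) {
    # With this set to True, AD FS can ask the client for a certificate during sign-in.
    # The Windows Phone 8.1 Web Authentication Broker cannot answer that request and
    # cancels the login, so the setting is turned off here.
    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $false

    # Read the policy back to confirm the change took effect.
    $after = (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled
    Write-Host "DeviceAuthenticationEnabled is now: $after"
}
```

This is a global policy change: it disables device authentication for every relying party served by the farm, not only for Windows Phone 8.1 clients. If the enterprise depends on device authentication elsewhere, keep the setting as it is and use the web-based Company Portal instead, as the Resolution above describes.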
Properties

Article ID: 3086134 - Last Review: 08/19/2015 16:53:00 - Revision: 1.0

Microsoft Intune
