Symptoms
After Azure AD Authentication Library (ADAL) is enabled, users receive multiple security prompts to enter credentials when they try to sign in to Skype for Business client.
Cause
This issue occurs because ADAL authentication is enabled on the Skype for Business server, but Integrated Windows Authentication is not used for authentication against the Security Token Service (STS) URL.
Resolution
To resolve this problem, do the following:
-
Add the STS URL to the intranet zone in Internet Explorer.
-
Make sure that the default Advanced security settings for Internet Explorer are configured to have the Enable Integrated Windows Authentication check box selected under Security.
-
Make sure that the User Authentication Logon setting in the intranet zone is configured to have the Automatic logon only in the Intranet Zone option selected.
More Information
ADAL can help you provide an increased level of security. It lets companies use multi-factor authentication against services. This additional layer of security requires users to authenticate when an authentication request is made. If Integrated Windows Authentication is enabled, the user's cached NTLM credentials are automatically provided for the user. When Integrated Windows Authentication is not enabled, users are required to enter those credentials when they are prompted.
Note When users are authenticating externally, Integrated Windows Authentication is not used because this process works only when the computer is connected to the internal corporate domain. In this situation, users would typically see a Skype for Business authentication prompt.
References
How to use Modern Authentication (ADAL) with Skype for Business
