Troubleshooting

The information below is intended for administrators who are responsible for troubleshooting Specops Authentication.

Known issues

Multiple authentication requests

Users have to authenticate in multiple applications (for example, Outlook and OneDrive) because some Microsoft applications store credentials in different places. This is expected behavior.

End-user is prompted to Try Again when authenticating to Outlook

When Outlook tries to use an expired refresh token to get a new access token, an error occurs and the session is lost. The user is prompted to Try Again. This is expected behavior.

Background

When a user authenticates through Modern Authentication (the Active Directory Authentication Library (ADAL) browser), Specops creates and sends a token to Microsoft. Microsoft verifies token trust and sends a code that Outlook uses to create an access token and a refresh token. The access token is short-lived. As soon as the access token expires, Outlook attempts to retrieve a new access token using the refresh token. If an administrator revokes the refresh token, Outlook cannot retrieve a new access token, and the process for obtaining a new refresh token is triggered. That process begins by prompting the user to authenticate via the ADAL browser.

Note: By default, the refresh token is valid for up to 90 days (unless revoked).
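
The token lifecycle described above can be modeled to predict when a user will be prompted. The following is an added example, not Specops or Microsoft code: the one-hour access token lifetime, the function names, and the sample timeline are assumptions made for illustration, and the model keeps the refresh token's original expiry when an access token is renewed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# ACCESS_TTL is an assumed value (the page says only "short-lived").
# REFRESH_TTL is the 90-day default stated on this page.
ACCESS_TTL = timedelta(hours=1)
REFRESH_TTL = timedelta(days=90)

@dataclass
class Session:
    access_expires: datetime
    refresh_expires: datetime
    refresh_revoked: bool = False

def sign_in(now):
    """Interactive authentication: issue a new access/refresh token pair."""
    return Session(now + ACCESS_TTL, now + REFRESH_TTL)

def next_step(session, now):
    """What the client does when it needs the service at time `now`."""
    if now < session.access_expires:
        return "use_access_token"
    # Access token expired, so the client falls back to the refresh token.
    if session.refresh_revoked:
        return "interactive_auth"    # revoked by an administrator
    if now >= session.refresh_expires:
        return "try_again_prompt"    # expired refresh token, session lost
    return "silent_refresh"

def timeline(events, start):
    """Replay (offset, revoked_now) events; return the outcome of each."""
    session, outcomes = sign_in(start), []
    for offset, revoked_now in events:
        now = start + offset
        session.refresh_revoked = session.refresh_revoked or revoked_now
        step = next_step(session, now)
        if step == "silent_refresh":
            session.access_expires = now + ACCESS_TTL  # refresh expiry kept
        elif step != "use_access_token":
            session = sign_in(now)  # assumes the user re-authenticates
        outcomes.append(step)
    return outcomes

# Constructed sample: offsets from first sign-in, and whether an admin revoked.
SAMPLE = [(timedelta(minutes=30), False), (timedelta(hours=2), False),
          (timedelta(days=10), True), (timedelta(days=101), False)]

if __name__ == "__main__":
    print(timeline(SAMPLE, datetime(2024, 1, 1)))
```

Only the last two outcomes in the sample involve a user-visible prompt; the silent refresh at the two-hour mark happens without user interaction.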

Authentication starts all over again in Outlook

In some scenarios, a user who successfully completes their authentication is not logged in. Instead, they are prompted to authenticate again.

End-user is prompted (sometimes twice) to specify whether the account is a work or school account

This behavior is due to the account existing as both an Office 365/Azure AD account and a personal Microsoft account. For example, if jane.doe@specopssoft.com was registered as a personal Microsoft account by the user, and the company moves to O365 with the domain @specopssoft.com, the corporate UPN will be jane.doe@specopssoft.com. This results in two distinct jane.doe@specopssoft.com accounts in Microsoft, and the user has to choose one. This issue can exist regardless of whether Specops Authentication is used.

The scenario where an English version of the account type selection dialog is followed by a localized version of the same dialog may be related to Specops Authentication and Federation.

Google, Flickr, and Tumblr are disabled on ADAL Browsers

Google, Flickr, and Tumblr cannot be used with modern authentication (ADAL Browsers). They are removed as an enrollment/authentication option when accessed from the ADAL Browser.

If a user is not enrolled, and the above identity services are enabled, they will be prompted to use a different browser.

If a user must use any of the above identity services to complete their authentication, an information message will be displayed to the end-user.