The information below is intended for administrators who are responsible for troubleshooting Specops Authentication.
Multiple authentication requests
Users have to authenticate with multiple applications (for example, Outlook and OneDrive). This is because some Microsoft applications store credentials in different places. This is the expected scenario.
End-user is prompted to Try Again when authenticating to Outlook
When Outlook tries to use an expired refresh token, to get a new access token, an error occurs, and the session is lost. The user is prompted to Try Again. This is the expected scenario.
When a user authenticates through Modern Authentication (the Active Directory Authentication Library (ADAL) browser), Specops creates and sends a token to Microsoft. Microsoft verifies token trust, and sends a code that Outlook uses to create an access token, and a refresh token. The access token is short-lived. As soon as the access token expires, Outlook will attempt to retrieve a new access token using the refresh token. If an administrator revokes the refresh token, Outlook cannot retrieve a new access token, and the process for a new refresh token is triggered. The process begins by prompting user authentication via the ADAL browser.
Note: By default, the refresh token is valid up to 90 days (unless revoked).
Authentication starts all over again in Outlook
In some scenarios, when a user successfully completes their authentication, they won’t be logged in, instead they are prompted to authenticate again.
End-user is prompted (sometimes twice) to specify whether the account is a work or school account
This behavior is due to the account existing as both an Office 365/Azure AD account, and a personal Microsoft account. For example, if firstname.lastname@example.org was registered as a personal Microsoft Account by the user, and the company moves to O365 with the domain @specopssoft.com, the corporate UPN will be email@example.com. This will result in two distinct firstname.lastname@example.org accounts in Microsoft, where the user has to choose one. This issue can exist regardless of whether Specops Authentication is used.
The scenario where an English version of the account type selection dialog is followed by a localized version of the same dialog, may be related to Specops Authentication and Federation.
Google, Flickr, and Tumblr are disabled on ADAL Browsers
Google, Flickr, and Tumblr cannot be used with modern authentication (ADAL Browsers). They are removed as an enrollment/authentication option when accessed from the ADAL Browser.
If a user is not enrolled, and the above identity services are enabled, they will be prompted to use a different browser.
If a user must use any of the above identity services to complete their authentication, an information message will be displayed to the end-user.