Office 365 needs a new authentication on every RDS login, even with AD sync

Hello,

We use a broker and two terminal servers.

The DC is synced with Office 365 Azure AD, so we can use SSO between RDS and Office 365.

We already use FSLogix, but the users always have to sign in twice: once for RDP and a second time for Office/Outlook. The credentials are not saved: when you sign off and reconnect, the users have to enter their passwords again!

Any Ideas?

Regards and Thanks

Andreas


Dear Andreas,

Greetings! Thank you for posting in Microsoft Community.

Per your description, you use SSO between RDS and Office 365, and users always have to sign in twice.

For the situation you encountered, we do understand the inconvenience caused and apologize for it.

We noticed other community members also reported that they encountered the same situation when they use Office 365 applications on RDS. To be honest, we reproduced a similar situation when testing on Remote Desktop.

Considering that different users from different tenants are having a similar issue, we're afraid this issue is caused from the back end and needs to be fixed from the back end. The best way to troubleshoot the situation further is to report it to the related team. The more reports the team receives from different customers, the more likely they will be able to find something that affects users in common, investigate from the back end, and fix it.

Given this, we sincerely recommend you use Microsoft 365 administrator permission, follow the steps in this article, Get support - Microsoft 365 admin | Microsoft Learn, raise a support ticket, and contact the related Microsoft team. The support team has higher permission and more resources than us to check the issue from the background; this would be the most efficient way of handling this case for you.

Thanks for your cooperation and understanding!

We hope you have a nice day, stay safe and healthy always.

Sincerely,

Tina | Microsoft Community Moderator


This is apparently a continuing issue with Microsoft's Modern Authentication & in my numerous searches for a resolution I'm seeing similar complaints even back in 2018.

My environment is very similar to yours: RDS, onsite AD sync to Azure AD, FSLogix, Office 365 Office 2019 local install and licensed for each user who has Microsoft 365 Business Premium.

I've been experiencing these authentication issues with Office 365 Office 2019 products (need to do so just once for all Office products to work), as well as separate authentications for Microsoft Teams and separately for Microsoft Edge.

Note that their MS web access is not affected, such as logging in to Office.com


Note that we have the Office 365 reauthentication issue much less often on laptops, but it does happen, for which we have to run dsregcmd /debug /leave & dsregcmd /forcerecovery, and for laptops that fixes things nearly every time. I cannot believe this is a solution that Microsoft expects end users to run. It happens frequently enough that I finally made desktop icons on the laptops with these 2 commands in a batch script.

The frustrating part is that the "reauthenticate to O365 with each new logon to RDS" problem arises and remains for days, weeks, even months; and then goes away without reason and things are fine for days, weeks, usually months; and then comes back again even though nothing has changed in our environment, seemingly without any reason.

Recently, I've noticed that one of my users who is experiencing this "reauthenticate to O365 with each new logon to RDS" issue, upon a login to RDS and launching an Office product, gets the ! (exclamation) by her avatar, but I noticed that the avatar is an old picture of her, probably back from 2018, because we had new company photos taken after that. After she completes the Office (365) Modern Authentication sign-in, it then shows her more recent photo.
I've even deleted her FSLogix virtual drive and upon logon FSLogix created her a new profile VHDX (virtual drive file), but the exact same issue continues.
This leads me to the suspicion that this is a cloud-based issue. I suspect some of Microsoft's servers for AD (Active Directory) are not syncing with one another. This might explain why users can go for a few months without issues, and then a few weeks where they must sign in every day, and then the issue suddenly goes away again.

The typical errors we receive are:

* error "Trusted Platform Module has malfunctioned ... error code 80090030"
* "Something went wrong. Your account was not set up on this device because device management could not be enabled. ... error code: 8018001c ... Server message: Unknown error code 0x8018001c" --- note that this 8018001c can usually be ignored in an RDS environment. If after the 1st authentication prompt you uncheck "allow my organization to manage my device" then you often will not get the 8018001c error.
* error "Something went wrong. Your computer's Trusted Platform Module has malfunctioned. ... error code 80090016. ... Server message: Keyset does not exist"
* error caa50021 "number of retry attempts exceeds expectation".
* error "sorry, another account from your organization is already signed in on this computer."
* error "an encrypted connection to your mail server is not available"


I've wasted tens of hours on this issue, trying a myriad of anecdotal fixes offered by our wonderful MS community (not much help from Microsoft, unfortunately). Sometimes the fix suggestions do instantly resolve an issue for a few weeks or months, but other times not. And then the next time the problem happens again for the user, I will try the exact same fix that I noted worked last time, but it doesn't work this time. Then, a weekend passes by and on Monday the user may even report things are back to normal again.

I've tried all the following:
* with user logged in run command line: dsregcmd /debug /leave & dsregcmd /forcerecovery --- this one usually works
* login to RDS or laptop as another user and then authenticate O365 as the problematic user account --- often this works! But then logging back in to RDS as the problem user and then authenticating to O365 as that problem user is still problematic.
* delete the problematic user's FSLogix VHDX and let FSLogix create a new profile. --- this exact same O365 reauthentication issue continues. Note, however, if you have a user for whom O365 gets stuck in a continual loop & won't let the application be used, then I've found this method worked once (apparently a bad or missing directory somewhere in the user profile).
* Delete everything under these branches: "%localappdata%/Microsoft/OneAuth" and "%localappdata%/Microsoft/IdentityCache"
* powershell command: if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) { Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown } Get-AppxPackage Microsoft.AAD.BrokerPlugin
* as an administrator launch regedit and go to: HKEY_USERS\{user SID}\Software\Microsoft\Office\16.0\Common\Identity, then in the right pane right-click > New > DWORD (32-bit) > name: EnableADAL, value=1, and HKEY_USERS\{user SID}\Software\Microsoft\Office\16.0\Common\Identity, "DisableADALatopWAMOverride"=dword:00000001 ---- some people say to toggle these back to 0, wait like an hour, try reauth which probably won't work, then change back to 1 and wait an hour and try reauth again; didn't work for me.
* in the cloud Microsoft 365 Admin Center, enable and then enforce Multi-factor Authentication (MFA) for the user, wait a few minutes, try the end-user's reauthentication to Office products again; if it fails, then toggle the MFA to Disabled, wait a few minutes, then try reauth to MS Office products again.
* Ensure all necessary user directories exist in his profile, especially the %TEMP% directory. I wrote a script to delve into the user registry and recreate missing directories and also ensure he has full access to each. In this case it may be easiest to just copy his Desktop and My Documents, etc. files to a network drive, then log him off, rename his old FSLogix VHDX and have him log in again and let FSLogix create a new profile VHDX for him.
* clear the stored keys first then do dsregcmd -- for me, this one fixed error caa50021 "number of retry attempts exceeds expectation"

cmdkey.exe /delete:MicrosoftAccount:target=SSO_POP_Device
cmdkey.exe /delete:WindowsLive:target=virtualapp/didlogical
cmdkey.exe /delete:LegacyGeneric:target=teamsIv/teams
cmdkey.exe /delete:LegacyGeneric:target=teamsKey/teams
del /S /Q "%localappdata%\Microsoft\OneAuth"
rmdir /S /Q "%localappdata%\Microsoft\OneAuth"
del /S /Q "%localappdata%\Microsoft\IdentityCache"
rmdir /S /Q "%localappdata%\Microsoft\IdentityCache"
del /S /Q "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy"
rmdir /S /Q "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy"
del /S /Q "%localappdata%\Microsoft\Office\16.0\Licensing"
rmdir /S /Q "%localappdata%\Microsoft\Office\16.0\Licensing"


My users are so irritated. And I am sick of working after-hours to try to fix their accounts. I could almost hire a person full time to just go through these fix attempts for the staff.
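As an added example (not code from the original post), here is a PowerShell version of the "check the device join state, then clear the cached identity" procedure from the reply above. The function names `ConvertFrom-DsregStatus`, `Get-DeviceJoinState` and `Reset-OfficeSignInCache` are mine; the credential targets and folders are the ones the reply lists, and the `dsregcmd /status` text at the bottom is a constructed sample so the parser can be exercised without a live session. It assumes it runs inside the affected user's RDS session, where `dsregcmd.exe` and `cmdkey.exe` are on PATH.

```powershell
# Added example, not from the thread. Assumes: runs as the affected user on the
# session host; dsregcmd.exe and cmdkey.exe are available (Windows Server 2016+).

function ConvertFrom-DsregStatus {
    # Turn the "Key : Value" rows of `dsregcmd /status` into a hashtable,
    # skipping the +---- banner lines so the join flags can be tested by name.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinState {
    # Summarise the flags the thread keeps coming back to: a session host that
    # is DomainJoined but neither AzureAdJoined nor WorkplaceJoined, and has no
    # PRT, is exactly the state in which Office falls back to interactive sign-in.
    param([string[]]$StatusText = (& dsregcmd.exe /status))
    $s = ConvertFrom-DsregStatus -Lines $StatusText
    [pscustomobject]@{
        DomainJoined    = ($s['DomainJoined']    -eq 'YES')
        AzureAdJoined   = ($s['AzureAdJoined']   -eq 'YES')
        WorkplaceJoined = ($s['WorkplaceJoined'] -eq 'YES')
        AzureAdPrt      = ($s['AzureAdPrt']      -eq 'YES')
    }
}

function Reset-OfficeSignInCache {
    # The clean-up from the reply above, made idempotent and -WhatIf aware.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $targets = @(
        'MicrosoftAccount:target=SSO_POP_Device',
        'WindowsLive:target=virtualapp/didlogical',
        'LegacyGeneric:target=teamsIv/teams',
        'LegacyGeneric:target=teamsKey/teams'
    )
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess($t, 'cmdkey /delete')) {
            # cmdkey exits non-zero when the entry is absent; that is fine here.
            & cmdkey.exe "/delete:$t" 2>$null | Out-Null
        }
    }
    $folders = @(
        "$env:LOCALAPPDATA\Microsoft\OneAuth",
        "$env:LOCALAPPDATA\Microsoft\IdentityCache",
        "$env:LOCALAPPDATA\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy",
        "$env:LOCALAPPDATA\Microsoft\Office\16.0\Licensing"
    )
    foreach ($f in $folders) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath $f -Recurse -Force -ErrorAction Continue
        }
    }
}

# Constructed sample of dsregcmd /status output (not captured from a real host),
# used only to show what the parser returns.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
           WorkplaceJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sample   # DomainJoined only, no PRT
# Live use: Get-DeviceJoinState; Reset-OfficeSignInCache -WhatIf; then without -WhatIf
```

Running `Get-DeviceJoinState` before and after the reset gives you something to attach to a support ticket besides "it prompts again": if `AzureAdPrt` never turns to YES on the session host, the repeated prompts are expected rather than a cache problem, and the clean-up only buys time.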


Given the frequency of which this seemingly occurs it seems like it would be a fairly trivial thing for MS to setup such an environment and see if they can recreate and resolve the issues.

We are also having this problem which we first encountered when building up a WS2019/O365 RDS farm in our dev environment. We kept having these issues and then after many calls and emails back and forth with MS we managed to solve it ourselves through some GPO work and tweaking FSLogix inclusions/exclusions. We continued to test it thoroughly and everything was performing as expected. We went into Production and it also went smoothly, for months, then last week with no explanation it started to fall into a heap again.

Currently, if a user signs in and they are prompted for credentials by OneDrive, Teams and/or Outlook (instead of SSO'ing straight through), we have to get them to sign in to each app individually, making sure to select "No, sign into this app only"; it will then continue on. If, however, you opt to allow it to manage all apps, it tries to register the device (session host) into Azure AD, and it then fails.

Very odd and very frustrating to work out what is going on when we have all this other work to do!


Hi,

Firstly, I'm glad to connect with people who are experiencing similar challenges as I am regarding the issue mentioned.

My environment consists of a server farm comprising two RDS Windows Server 2019 instances with a Broker. While we don't have Azure AD Synchronization, we do have all users licensed with Office 365 Business Premium. For approximately a year, we've been grappling with the same problem, and our experience mirrors yours—problems seem to appear and disappear without any apparent reason.

I've also followed other blogs on this issue:

- Kiloroot Blog: (https://www.kiloroot.com/modern-authentication-issues-with-office-365-fixed-dont-just-disable-azure-active-directory-authentication-library-adal-instead-fix-it-with-this/)

- LinkedIn article: (https://www.linkedin.com/pulse/solving-modern-authentication-issues-office-365-chris-leet/)

However, despite trying these solutions, the problem keeps resurfacing.

I've recently submitted my fourth support ticket to Microsoft, but I'm losing hope.

One thing I'd like to know from your end is whether you have any applications with plugins in Outlook. In our case, our client has been using software with an add-on for Outlook for about a year, coinciding with the onset of these issues. We're not certain about the cause and are awaiting a response from the software publisher to see if they've encountered similar problems with other customers.

Additionally, we have another client with 365 E3 licenses and an RDS farm on Windows Server 2012. Currently, they are not experiencing any issues, and we're hesitant to migrate them to Server 2019, especially considering that support for 2012 is set to expire in October.

Unfortunately, I wish I could offer a solution in this message. If the support team provides any additional insights, I'll certainly share them with you.


Hello, I have exactly the same problem as you. An AD not connected with Microsoft, and an auth request each time you log in under RDS 2019 and O365. If you have any news, I'm interested.


We have also been plagued by this awful issue for months now. Microsoft has been no help at all. It seems to only affect certain users while others never experience it. I've seen so many Reddit posts on this as well.


Any update on this?


Hello,

Not really, personally, I'm still in conversation with Microsoft support. They asked me to set the DWORD BlockAADWorkplaceJoin to value 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin. I no longer receive error messages 1001 and CAA50021.
The impact is reduced, but I still get password requests for no apparent reason (about 2 to 5 times a day).

To be continued...
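To apply and verify the policy value from the reply above in a repeatable way, here is an added PowerShell example (not from the thread and not from Microsoft support). The key path and DWORD name are the ones the reply gives; the function names are mine, and the script assumes it is run elevated on each session host (the same value can be delivered by GPO, since it lives under the Policies hive). Setting it stops the account broker from trying to workplace-join the session host, which is the registration attempt the earlier reply describes as failing when a user picks "allow my organization to manage my device".

```powershell
# Added example, not from the thread. Assumes an elevated session on the RDS host.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'

function Get-WorkplaceJoinBlockState {
    # Report the current state as one of NotConfigured / Blocked / Allowed
    # so a fleet check can be run before and after the change.
    $v = Get-ItemProperty -Path $policyPath -Name BlockAADWorkplaceJoin -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotConfigured' }
    if ($v.BlockAADWorkplaceJoin -eq 1) { return 'Blocked' } else { return 'Allowed' }
}

function Set-WorkplaceJoinBlock {
    # Default: set BlockAADWorkplaceJoin=1 as in the reply above. -Allow resets it to 0
    # (the effective default) so the change can be backed out cleanly.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Allow)
    $value = if ($Allow) { 0 } else { 1 }
    if (-not (Test-Path -Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($policyPath, "BlockAADWorkplaceJoin = $value")) {
        New-ItemProperty -Path $policyPath -Name BlockAADWorkplaceJoin `
            -PropertyType DWord -Value $value -Force | Out-Null
    }
    return Get-WorkplaceJoinBlockState
}

"Before: $(Get-WorkplaceJoinBlockState)"
Set-WorkplaceJoinBlock -WhatIf          # dry run first
# Set-WorkplaceJoinBlock                # apply; returns 'Blocked'
# Set-WorkplaceJoinBlock -Allow         # back out; returns 'Allowed'
```

Because this is a machine-wide policy, it changes behaviour for every user on that host, not just the one who reported the prompts; run the `Get-` function across the farm first so you know which hosts already differ.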


Hello,

After quite a few exchanges, Microsoft has asked me to implement what is written in the purple box, which is to remove the %localappdata% and registry lines from the VHDX so that they remain in place on the RDS servers. I don't see at all how to implement this.


I see that in my collection, I can exclude folders, but what about registry keys?

Maybe I also need a GPO that specifies where these should be placed.

The current support cannot assist me, and I need to turn to Windows support instead of Office support. However, I don't think I have an operational account to reach this support.
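FSLogix Profile Container reads its own folder exclusions from a redirections.xml file, and the following added PowerShell example (not from the thread, Microsoft or FSLogix) shows that part of the question above: it writes a redirections.xml that keeps the two identity-cache folders named earlier in this thread out of the profile VHDX, and points the session hosts at it through the `RedirXMLSourceFolder` setting. The share path `\\fileserver\fslogix\redir` is a placeholder and the function name is mine. It handles folders only; registry keys cannot be excluded this way, so that half of the question is not answered here.

```powershell
# Added example, not from the thread. Assumes FSLogix Profile Container is installed
# on the session hosts and that the script runs elevated. Share path is a placeholder.
$redirShare = '\\fileserver\fslogix\redir'

function New-FslogixRedirectionsXml {
    # Build a redirections.xml body with one <Exclude> per folder (paths are relative
    # to the profile root). Copy="0" means nothing is copied in at logon or out at
    # logoff: the folder simply lives in the local profile on the session host.
    param([Parameter(Mandatory)][string[]]$ExcludeFolders)
    $items = ($ExcludeFolders | ForEach-Object { "    <Exclude Copy=`"0`">$_</Exclude>" }) -join "`r`n"
    $xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
  <Excludes>
$items
  </Excludes>
  <Includes>
  </Includes>
</FrxProfileFolderRedirection>
"@
    return $xml
}

# The two caches the thread keeps deleting by hand; keeping them out of the VHDX
# is what "remove the %localappdata% lines from the VHDX" amounts to for folders.
$excludes = @(
    'AppData\Local\Microsoft\OneAuth',
    'AppData\Local\Microsoft\IdentityCache'
)

$xml = New-FslogixRedirectionsXml -ExcludeFolders $excludes
$xml                                                   # show what will be written
Set-Content -Path (Join-Path $redirShare 'redirections.xml') -Value $xml -Encoding UTF8

# Per-host FSLogix setting (or push the same value with the FSLogix ADMX via GPO).
New-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -Name RedirXMLSourceFolder `
    -PropertyType String -Value $redirShare -Force | Out-Null
```

Two things to expect once this is in place: the excluded folders now differ per session host, so with a broker spreading users over two hosts a user may be prompted once on each host before things settle; and because nothing is copied back at logoff, a session host rebuild wipes those caches for everyone on it, which is harmless but worth knowing when you are correlating "it started prompting again" with change windows.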

Question Info

Last updated May 13, 2024 · Views 6,466