
Issue 596388 link

Starred by 3 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Feature




Windows 10 Azure AD Joined SSO not working with Office 365

Reported by wdrie...@gmail.com, Mar 21 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
1. Join Windows 10 V1511 (build 10586.164) to Azure AD
2. Logon with o365 identity
3. Open EDGE or IE and open portal.office.com. You have SSO logon.
4. Try step 3 with Chrome.

What is the expected behavior?
Single-Sign-On with Office 365 without having to logon manually.

What went wrong?
Chrome does not understand EPA (Extended Protection for Authentication).

Did this work before? No 

Chrome version: 49.0.2623.87 m  Channel: stable
OS Version: Windows 10 
Flash Version: Shockwave Flash 21.0 r0

The same issue is described in this issue: https://bugs.chromium.org/p/chromium/issues/detail?id=270219
However, Issue 270219 is talking about ADFS. Windows 10 Azure SSO is a new feature and I believe it is different from ADFS (I am not sure).

https://social.msdn.microsoft.com/Forums/en-US/7f2c9cb6-188d-478f-bfe3-247ab49ad32e/azure-join-sso-with-mozilla-and-chrome-office-365?forum=WindowsAzureAD
"We have something new in win 10, it's called web account manager. Third party browser does not understand this. Microsoft browsers understand this and use the credentials from there and make SSO works fine."

https://community.office365.com/en-us/f/613/t/422558
"You seem to be referring to the Azure AD join functionality. That is a bit different from what is generally referred to as SSO with O365, and all the steps you have tried/listed above don't apply to this scenario. Afaik, there is no way to make 3rd party browsers work with that functionality, at least not currently. Anyway, you should ask this question in the Azure AD forums here:  social.msdn.microsoft.com/.../home"

With kind regards,

Wietse Driever
 

Comment 1 by emaxx@chromium.org, Mar 29 2016

Cc: saswat@chromium.org emaxx@chromium.org dskaram@chromium.org
Components: Internals>Network>Auth
Owner: sleevi@google.com
Ryan, could you comment on whether the support of Azure AD join SSO would require separate implementation?
Cc: asanka@chromium.org
Owner: rsleevi@chromium.org
Judging by the fact that similar bugs were encountered with Firefox, I suspect the answer is "Yes" (Firefox has supported channel bindings for longer, thus if it WAS purely issue 270219, we would expect Firefox to work)
Labels: -Type-Bug -Pri-2 Pri-3 Type-Feature
Owner: saswat@chromium.org
Status: Untriaged (was: Unconfirmed)
Judging based on the limited technical details in https://github.com/Azure/azure-content/blob/master/articles/active-directory/active-directory-azureadjoin-passport.md tied to https://github.com/Azure/azure-content/blob/master/articles/active-directory/active-directory-azureadjoin-overview.md , it seems that Azure AD SSO is tied to a Passport implementation.

See also https://azure.microsoft.com/en-us/documentation/articles/active-directory-appssoaccess-whatis/ and https://blogs.technet.microsoft.com/askpfeplat/2015/01/05/azure-active-directory-for-the-old-school-ad-admin/ which suggest that it's primarily a SAML/WS-Federation/OAuth scenario when integrating with a fully hosted Azure AD.

But kicking back to enterprise for further triage and analysis.

Cc: blumberg@chromium.org
Owner: georgesak@chromium.org
Requesting Georges & Matt to look deeper with the Chrome Win team.

tl;dr - We have managed to make EPA (Extended Protection for Authentication) work on Chrome OS and it was non-trivial. Asanka & Ryan are subject matter experts here. But with Chrome on Win we are still struggling, as the bug described. Would appreciate someone in the Win team or Chrome Win Ent team taking a deeper look. Ryan has some good pointers in #3.

Comment 5 by saswat@chromium.org, Nov 10 2016

Cc: -saswat@chromium.org
Status: Assigned (was: Untriaged)
