Intro
Took me a while to write my next blog. Private life and job change caused some disturbance in my persistance to write down my own thoughts. Now I'm back and will write about my newest findings and later on my new community project #blockchain #DAO.
Current findings something for the wayback machine
Writing about my findings help me sort them out and makes an entry in the unlimited internet sources for somebody else maybe facing the same issue.
In my current profession we needed to switch from windows activation via KMS to windows subscription based activation. After ordering to new subscription modell from time to time some users weren't able to upgrade to their windows enterprise and this caused them to loose connection towards our internal services connected through the enterprise #DirectAccess feature. Since we were using an ADFS environment we had a deadlock situation. Upgrade didn't work, so no tunnel could be established, no connection towards internal services, no token issuance and no upgrage possibility because of our ADFS dependency.
The analysis with #Microsoft support showed that we didn't received an Azure AD PRT Token. This token was necessary to claim our subscription upgrade. Mor information around analysis can be found via the dsregcmd /status command. This helps you check for the tokens and see if your configuration is working.
To make things short..
Our GPO internet settings forced *.microsoftonline.com to be in different Internet zones. In return those authentication pages weren't able to share cookies between the authentication and applications sites.
The article that pushed towards this problem was an old developer post on learn.microsoft.com. https://learn.microsoft.com/en-us/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios
Final words
As stupid as it always sounds checking your security settings may solve some problems. But you'll need a cross domain understanding and a rubber duck (just somebody to listen to your thoughts will also do the job :-) ) to solve such complex authentication issues.
Comments