Posted on 01-19-2017 10:35 AM
We are using Office 2016 with Office 365 and we use modern auth with multi-factor authentication (MFA). When you activate Office you see a mini browser pop open that walks the user through our MFA process.
All of a sudden our users are getting continually prompted for MFA, and each time they go through the process it puts the ADAL credential in the login keychain, MicrosoftOffice15_2_Data.. is the 'kind', so a machine will have multiple copies of this item. The only way to get out of the loop is to clear these keychain items and go through MFA one more time.
We have a case open with Microsoft to determine if this is on them or our identity provider, just curious if anyone else is seeing something similar?
Posted on 01-19-2017 10:44 AM
It's a known issue with no fix yet. M$ will have to patch this at some point to fix it. The only fix is what you are doing now or a complete wipe and reinstall.
Posted on 01-19-2017 10:51 AM
@gatech-comm do you have any other details on the issue, when it started etc? We were stable up until about 10 days ago when we started seeing the issue. On Windows machines we started seeing it a couple of weeks ago...
Doesn't seem to affect everyone but a significant number..
Posted on 01-19-2017 11:10 AM
We are seeing this as well. What we've found is that if you do the keychain stuff from this link
Trouble shooting Office for Mac 2016
...the issue gets resolved.
Posted on 01-19-2017 11:18 AM
@mapurcel I noticed once the 15.29.xxx updates were released. Prior on 15.28.x everything seemed fine. I'm not sure if it's a direct correlation, just when I noticed.
Posted on 01-19-2017 11:25 AM
@gatech-comm thanks, that helps
@tdclark yeah just deleting the ADAL entries works for us, did this problem surface for you recently? Were you able to correlate to a particular version of Office?
Posted on 01-19-2017 02:32 PM
@mapurcel 15.29 is when I started seeing it on my, and on my users', computer(s).
Posted on 01-19-2017 08:37 PM
We have been seeing the same thing and use Okta for authentication. The loop seems almost exclusive to Outlook 2016 as users aren't receiving prompts in the other Office 2016 apps. As others have suggested here and as Okta suggests, the issue only seems to get resolved when deleting MS ADAL keychain entries. Hopefully there is a more permanent solution soon.
Posted on 01-19-2017 09:03 PM
This issue may be the same one Microsoft has identified and will be fixing. From @pbowden in the #microsoft-office channel on Slack:
yes, the bug has existed for a long time, but the holidays have really exacerbated the problem. The issue typically occurs when a user attempts to auth using Outlook for Mac when their AD password has already expired.
Install the latest Insider Fast 15.31 version of Outlook on a test system and see if the problem persists. This version is supposed to address the issue and is slated for release next month.
In the meantime, Paul's script NukeOffKeychain on GitHub may help.
Posted on 01-20-2017 06:12 AM
My password had not expired, and we don't have expiring passwords here on campus (for the most part). I can confirm this morning that the problem still exists in 15.30 as I had to go through the keychain delete "stuff" process first thing.
Hopefully 15.31 fixes it.
Posted on 01-20-2017 10:02 AM
@talkingmoose that issue sounds a little different, in our environment it's definitely not related to expired passwords. Also interesting to note that the same problem exists on Windows, which makes it a big issue in our company. We're testing a Windows Office update that may fix it...
Posted on 01-22-2017 05:16 PM
We were having the same issue, thankfully Paul Bowden from Microsoft posted this on his GitHub.
https://github.com/pbowden-msft/NukeOffKeychain
Slack is a great place to have your Microsoft Office issues addressed.
We put this in Self Service and when a user calls we have them run it and their problem is resolved. This issue is supposed to be resolved in February but at least we have a workaround.
Jeff
Posted on 01-23-2017 10:21 AM
@jconte thanks! How did you deploy the NukeOffKeychain through Self Service?
Posted on 01-24-2017 06:28 PM
Sorry for the delay. I packaged up the script and put it in our hidden scripts folder, then I set up a policy in Self Service to run from that location with the --All --Force switches. Scoped it to everyone that has Office 2016 installed, even if they find it in Self Service it doesn't hurt anything to run it even if you aren't broken.
The helpdesk uses it and it has worked 100% so far.
Thanks
Jeff
Posted on 01-25-2017 09:55 AM
@jconte thanks, working great!
@talkingmoose thanks much for the link to the discussion on Slack, although in our environment I don't think it's caused by expired AD passwords, it does appear that we are all dealing with basically the same bug.