Drive mapper not passing through credentials (SSO) at launch

  • Problem
  • Updated 3 months ago
Good day,

Before I give you the problem, please know this:
We have Pass-through Authentication with Single Sign-On through Azure AD Connect in our environment.

For what it's worth - it works just as it should.  Users click on their email account and it passes through their creds without any need to type in a password.

It works when users connect to the ShareFile site.  No issues there.
Just a handful of users (Win 8.1) have an issue with Drive Mapper.

When Drive Mapper launches, it doesn't pass through anything.  It asks for the user's email, goes to a screen where you see those dots dash from right to left, and then lands on an input password box.  Users are frustrated because, well, they have to input their password every time they start their computer up.

I ran Fiddler while this happened, and it stops at autologon.microsoftazuread-sso.com

I can assure you, logging into portal.office.com, ourdomain.sharefile.com or any other service will also hit this site, but continue on by passing through their creds.

If I compare the Fiddler captures from the problem logon to any other logon that works, I cannot see any difference.  No errors, no nothing.

Any ideas?  At least somewhere to start looking.
Renato Dattilo

  • 30 Posts
  • 6 Reply Likes

Posted 4 months ago

Leo, Official Rep

  • 367 Posts
  • 25 Reply Likes
Hey Renato,

For the affected users, do you have any other tools set to authenticate this way as well?  Desktop App, Sync, Outlook Plug-in?  

-Leo
Renato Dattilo

Users also have the Outlook Plug-in.  No issues with that.
Leo, Official Rep

All right.  Are you OK with setting up one of the affected users with Desktop App and Sync to see if the behavior duplicates?  Logging in through the web site directly is slightly different than via tools, and I want to confirm it's just Drive Mapper doing this, and not Drive Mapper and ShareFile Desktop, Drive Mapper and Sync, or all three, because that'll be a better indicator of where the problem might be. 

To summarize, it sounds like the affected circumstances are:

- Windows 8.1 only
- SSO only with Azure AD Connect
- Drive Mapper
Renato Dattilo

So the plot thickens.
Installed the apps as you asked.  SSO works just fine with Desktop App and Sync.
Drive Mapper is still misbehaving. :(

I think another interesting thing to point out (the user just did):
they recently changed their passwords for Windows - and then began noticing Drive Mapper's unwanted behaviour.

I tried running "klist purge" via cmd to kill any old Kerberos tokens that could have been floating around their computer, but alas, it did not do the trick.

Your summary is correct, but please note it is SSO with Pass-through Authentication with Azure AD Connect.
Leo, Official Rep

Yeah, that's definitely interesting.  One of our support engineers is looking into what's going on with the pass-through in Drive Mapper as well, so I hope to be able to get you more information about that at some point.

-Leo
Renato Dattilo

Gotta love it when the Engineering teams get called in.  Looking forward to hearing what they say, as I can surmise that this problem will begin to swell once more 8.1 users change their password.
Leo, Official Rep

Hey Renato,

So this might be a long shot, but in Internet Explorer for the affected users, what is the "Logon" setting under "User Authentication" set to?  

You should be able to find it under Internet Options -> Security -> Trusted Sites -> Custom Level.
Renato Dattilo

Nothing is a long shot at this point.

It is configured as "Automatic logon only in Intranet zone"

I believe that is the case for everyone as well.  I know mine is set the same.
Leo, Official Rep

Are *.sf-api.com and *.sharefile.com added as trusted sites in Internet Explorer?
Renato Dattilo

I have sf-api.com and sharefile.com set as ourdomain.sf-api.com and ourdomain.sharefile.com via GPO.
I'm going to make a change and use wildcards instead to see what happens and report back tomorrow.
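
A read-only check for the two settings discussed in the posts above (the zone "Logon" setting and the GPO site-to-zone assignments), added here as an example; it is not part of the thread and not Citrix or Microsoft code. It assumes zone assignments are delivered through the "Site to Zone Assignment List" policy (the `ZoneMapKey` registry key), uses the thread's placeholder host names, and simplifies pattern matching to a first wildcard match.

```powershell
# Added example: read-only report of the IE zone and "Logon" setting per SSO host.
$ssoHosts = @(
    'autologon.microsoftazuread-sso.com',  # where the Fiddler capture stopped
    'ourdomain.sharefile.com',             # placeholder tenant names used in the thread
    'ourdomain.sf-api.com'
)
$zoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                 3 = 'Internet'; 4 = 'Restricted sites' }
$logonNames = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$is    = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$roots = "HKLM:\Software\Policies\$is", "HKCU:\Software\Policies\$is", "HKCU:\Software\$is"

# Zone from the GPO "Site to Zone Assignment List" (ZoneMapKey). Simplified:
# first wildcard match wins; per-user ZoneMap\Domains entries are not read.
function Get-ZoneForHost([string]$HostName) {
    foreach ($root in $roots[0..1]) {
        $key = Get-Item -Path "$root\ZoneMapKey" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $pattern = $name -replace '^[a-z*]+://', ''   # drop the scheme, keep host pattern
            if ($HostName -like $pattern) { return [int]$key.GetValue($name) }
        }
    }
    return 3   # assumption: unmapped dotted host names fall into the Internet zone
}

# URL action 1A00 is the "Logon" option under User Authentication for a zone.
function Get-LogonSetting([int]$Zone) {
    foreach ($root in $roots) {
        $v = (Get-ItemProperty -Path "$root\Zones\$Zone" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        if ($null -ne $v) { return $logonNames[[int]$v] }
    }
    return 'not set in registry (zone default applies)'
}

foreach ($h in $ssoHosts) {
    $zone = Get-ZoneForHost $h
    [pscustomobject]@{ Host = $h; Zone = $zoneNames[$zone]; Logon = Get-LogonSetting $zone }
}
```

Run it in the affected user's session so the `HKCU` values are theirs. A host that reports "Trusted sites" together with "Automatic logon only in Intranet zone" is not sent the Windows credentials automatically, because that setting limits automatic logon to hosts in the Local intranet zone.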
Renato Dattilo

It's a no go.  Did not work :(
Leo, Official Rep

:(  

How about this:  In the configuration on the ShareFile side, what is "SP-Initiated Auth Context" set to?  If it is not set to Exact, can you make it Exact?  
Renato Dattilo

It was set to Unspecified and Minimum
I changed it to Unspecified Exact

no change :(
Leo, Official Rep

Unspecified seems off.  Does it work under Windows Integrated Authentication as well?

(Note: Your set up is different so it's possible it won't work under that, but this fixed it for the Support engineer's issue.)
Renato Dattilo

Tried it.
Did not play nice.

I'm starting to think this is some sort of token issue.
I just don't know if the Refresh tokens are being replaced properly or not.

I'm also starting to think I'm wrong about this as well.
Kelly Kolisnik

  • 3 Posts
  • 0 Reply Likes
Hi,
We are trying to set up Drive Mapper with SSO as well (with ADFS). It brings up the page every time the user logs in but it doesn't automatically authenticate with Active Directory. We have it working fine with ShareFile Sync though. How do you get ShareFile Drive Mapper to automatically authenticate using Windows Credentials?
Rakesh Kumar, Employee

  • 19 Posts
  • 4 Reply Likes
@Kelly
If your ShareFile account is already configured to use ADFS, then to set up Drive Mapper with SSO please refer to section 6.3 in https://citrix.sharefile.com/share/view/sc1aee5c38ff45ab9

For details on deploying the Group Policy settings, refer to section 5 in the above document.