Drive mapper not passing through credentials (SSO) at launch

  • Problem
  • Updated 6 days ago
Good day,

Before I give you the problem, please know this:
We have Pass-through Authentication with Single Sign-On through Azure AD Connect in our environment.

For what it's worth - it works just as it should.  Users click on their email account and it passes through their creds without any need to type in a password.

It works when users connect to the sharefile site.  No issues there.
Just a handful of users (Win 8.1) have an issue with Drive mapper.

When Drive Mapper launches, it doesn't pass through anything. It asks for the user's email, goes to a screen where you see those dots dash from right to left, and then lands on an input password box. Users are frustrated because, well, they have to input their password every time they start their computer up.

I ran Fiddler while this happened, and it stops at autologon.microsoftazuread-sso.com

I can assure you, logging into portal.office.com, ourdomain.sharefile.com or any other service will also hit this site, but continue on by passing through their creds.  

If I compare the Fiddler captures from the problem logon to any other logon that works, I cannot see any difference. No errors, no nothing.

Any ideas?  At least somewhere to start looking.

Renato Dattilo

Posted 1 week ago

Leo, Official Rep

Hey Renato,

For the affected users, do you have any other tools set to authenticate this way as well?  Desktop App, Sync, Outlook Plug-in?  

-Leo

Renato Dattilo

Users also have the Outlook Plug-in.  No issues with that.

Leo, Official Rep

All right.  Are you OK with setting up one of the affected users with Desktop App and Sync to see if the behavior duplicates?  Logging in through the web site directly is slightly different than via tools, and I want to confirm it's just Drive Mapper doing this, and not Drive Mapper and ShareFile Desktop, Drive Mapper and Sync, or all three, because that'll be a better indicator of where the problem might be. 

To summarize, it sounds like the affected circumstances are:

- Windows 8.1 only
- SSO only with Azure AD Connect
- Drive Mapper

Renato Dattilo

So the plot thickens.
Installed the apps as you asked.  SSO works just fine with Desktop App and sync.
Drive mapper is still misbehaving. :(

I think another interesting thing to point out (the user just did):
they recently changed their passwords for Windows - and then began noticing Drive Mapper's unwanted behaviour.

I tried running "klist purge" via cmd to kill any old Kerberos tokens that could have been floating around their computer, but alas, it did not do the trick.

Your summary is correct, but please note it is SSO with Pass Through Authentication with Azure AD Connect

Leo, Official Rep

Yeah, that's definitely interesting.  One of our support engineers is looking into what's going on with the pass-through in Drive Mapper as well, so I hope to be able to get you more information about that at some point.

-Leo

Renato Dattilo

Gotta love it when the Engineering teams get called in. Looking forward to hearing what they say, as I can surmise that this problem will begin to swell once more 8.1 users change their password.

Leo, Official Rep

Hey Renato,

So this might be a long shot, but in Internet Explorer for the affected users, what is the "Logon" setting under "User Authentication" set to?  

You should be able to find it under Internet Options -> Security -> Trusted Sites -> Custom Level.

Renato Dattilo

Nothing is a long shot at this point.

It is configured as "Automatic logon only in Intranet zone"

I believe that is the case for everyone as well. I know mine is set as the same.

Leo, Official Rep

Are *.sf-api.com and *.sharefile.com added as trusted sites in Internet Explorer?

Renato Dattilo

I have sf-api.com and sharefile.com set as ourdomain.sf-api.com and ourdomain.sharefile.com via GPO.
I'm going to make a change and use wildcards instead to see what happens and report back tomorrow.
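
Added example, not part of the original thread: a Windows PowerShell check, run as the affected user, of which Internet Explorer zone each host named above resolves to and what the "Logon" setting for that zone permits. It assumes Drive Mapper's sign-in window follows the Internet Explorer zone settings, which the thread does not confirm; `ourdomain` is the poster's placeholder and the registry lookup order is simplified.

```powershell
# Added diagnostic example (not from the thread). Run in Windows PowerShell as the affected user.
# Hosts are the ones quoted in the thread; "ourdomain" is the poster's placeholder.
$urls = @(
    'https://autologon.microsoftazuread-sso.com',
    'https://ourdomain.sharefile.com',
    'https://ourdomain.sf-api.com'
)

# Registry values of the "Logon" setting (URL action 1A00).
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-LogonSetting([int]$Zone) {
    # Simplified precedence: policy hives first, then the user's own preference.
    $suffix = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    foreach ($root in 'HKLM:\Software\Policies', 'HKCU:\Software\Policies', 'HKCU:\Software') {
        $p = Get-ItemProperty -Path "$root\$suffix" -Name '1A00' -ErrorAction SilentlyContinue
        if ($p) { return [pscustomobject]@{ Value = [int]$p.'1A00'; Source = $root } }
    }
    return $null
}

$report = foreach ($url in $urls) {
    # Effective zone after GPO site-to-zone assignments and wildcards are applied.
    $zone    = [System.Security.Policy.Zone]::CreateFromUrl($url).SecurityZone
    $setting = Get-LogonSetting ([int]$zone)

    $mode = 'not set (zone default applies)'
    $auto = $null
    if ($setting) {
        $mode = $logonModes[$setting.Value]
        # Credentials are sent silently only for "automatic" (0), or for
        # "intranet only" (0x20000) when the host is actually in zone 1.
        $auto = ($setting.Value -eq 0) -or
                ($setting.Value -eq 0x20000 -and [int]$zone -eq 1)
    }
    [pscustomobject]@{
        Url       = $url
        Zone      = $zone
        Logon     = $mode
        AutoLogon = $auto
        Source    = if ($setting) { $setting.Source } else { '' }
    }
}
$report | Format-Table -AutoSize
```

With "Automatic logon only in Intranet zone", a host that resolves to Trusted or Internet shows `AutoLogon = False`, meaning Windows will not send the signed-in user's credentials to it silently.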

Renato Dattilo

It's a no go.  Did not work :(

Leo, Official Rep

:(  

How about this:  In the configuration on the ShareFile side, what is "SP-Initiated Auth Context" set to?  If it is not set to Exact, can you make it Exact?  

Renato Dattilo

It was set to Unspecified and Minimum
I changed it to Unspecified Exact

no change :(

Leo, Official Rep

Unspecified seems off.  Does it work under Windows Integrated Authentication as well?

(Note: Your setup is different so it's possible it won't work under that, but this fixed it for the Support engineer's issue.)

Renato Dattilo

Tried it.
Did not play nice.

I'm starting to think this is some sort of token issue.
I just don't know if the Refresh tokens are being replaced properly or not.

I'm also starting to think I'm wrong about this as well.