VMware Horizon Community
vistor5
Contributor
Contributor

Outlook 2019 asks for password first i log in to an instant clone

Hi,

Every time I log on to a different clone and I open Outlook, it asks me for my credentials, see prompt below.

pastedImage_0.png

I seems that it does not cache the credentials.

I am not sure if I am in the right direction, but I create a Flex file with

[IncludeFolderTrees]

<AppData>\Microsoft\Protect

<LocalAppData>\Microsoft\Vault

<AppData>\Microsoft\Vault

<AppData>\Microsoft\Credentials

<LocalAppData>\Microsoft\Credentials

[IncludeRegistryTrees]

HKCU\Software\Microsoft\Office\16.0\Common

HKCU\Software\Microsoft\Office\16.0\Registration

HKCU\Software\Microsoft\Office\16.0\User Settings

HKCU\Software\Microsoft\Office\Common

HKCU\Software\Microsoft\Shared Tools\Proofing Tools

HKCU\Software\Microsoft\VBA

[ExcludeRegistryTrees]

HKCU\Software\Microsoft\Office\16.0\Common\Identity

[IncludeFolderTrees]

<AppData>\Microsoft\Bibliography

<AppData>\Microsoft\Office

<AppData>\Microsoft\Proof

<AppData>\Microsoft\Spelling

<AppData>\Microsoft\UProof

<LocalAppData>\Microsoft\Office\16.0\Licensing

<LocalAppData>\Microsoft\Credentials

[ExcludeFolderTrees]

<AppData>\Microsoft\Templates\LiveContent

This does not make any difference.

I am looking for some advice how to tackle the issue. Some help would be appreciated.

Environment:

Outlook 2019

VMWare DEM 9.11

Horizon 7.11

Thanks

Victor

Reply
0 Kudos
8 Replies
Hocshop
VMware Employee
VMware Employee

Hi,

I have seen a very similar problem before that was caused by the type of license that was in use.

They had E1 and E3 type licenses in their environment and DEM would not save the correct credentials because of the assignments of the licenses to each user.

Also, if the user was logging on and opening Outlook before the Outlook/Office profiles had finished applying yet, they would not yet see the saved settings.

Good luck!

Reply
0 Kudos
RachelW
Enthusiast
Enthusiast

Hi @Hocshop,

So what exactly does this mean?  We have E3 licenses...

Is there NO way to get around the password prompt from Outlook? 

Reply
0 Kudos
nburton935
Hot Shot
Hot Shot

Why not utilize SSO? Are you properly federated with O365? If so, is your ADFS Service URL (or Azure AD's) in Trusted Sites? 

https://docs.microsoft.com/en-us/previous-versions/technet-magazine/jj631606(v=msdn.10)?redirectedfr...

Reply
0 Kudos
Hocshop
VMware Employee
VMware Employee

Hi RachelW,

They had both types of licenses and they were trying to deploy users of both types across the same RDSH Farms.

Conflicts and the behavior of having to enter the password every time they connected were a consequence.

They then put each type of user over a different RDSH farm and applied the E1/E3 appropriately then things started to work correctly without the constant password prompt.

We also saw that behavior when the clients were opening Outlook immediately after connecting to their session i.e. DEM still had not loaded their full profile but this was not as common as the above mentioned cause.

Regards

Reply
0 Kudos
sjesse
Leadership
Leadership

Do you have internet explore passwoerds and personal certificates saving?

Reply
0 Kudos
RachelW
Enthusiast
Enthusiast

Hi @sjesse ,

 

Both IE Passwords and Personal Certificates ARE Enabled in UEM. There is nothing listed in the FLEX Config file for either one. See attached.

Reply
0 Kudos
RachelW
Enthusiast
Enthusiast

Hi @nburton935 ,

 

We don't currently use ADFS....
We're using the new seamless SSO with password hash sync.
Reply
0 Kudos
Lieven
Hot Shot
Hot Shot

Here are some of my own notes regarding Outlook SSO (and Onedrive SSO) which work perfectly for me:

OUTLOOK

References:

https://superuser.com/questions/1265985/automate-outlook-profile-creation 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

Steps:

  • Azure AD Connect
    • Pass-trough Authentication
      • Enable Single-Sign-On
  • GPO:
    • User configuration - Administrative Templates - Windows Components - Internet Explorer - Internet Control Panel - Security page - Internet zone - Allow updates to status bar via script ==> Enable
    • User configuration - Administrative Templates - Windows Components - Internet Explorer - Internet Control Panel - Security page - Site to zone assignment ==> Add “ https://autologon.microsoftazuread-sso.com” with a value of “1”
  • Regkey to Enable ZeroExchangeConfig ==> Configured via DEM
    • [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover] "ZeroConfigExchange"=dword:00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover] "ZeroConfigExchangeOnce"=dword:00000001
  • Regkey to Enable Modern Authentication ==> Configured via DEM
    • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive] "EnableADAL"=dword:1

ONEDRIVE

References:

https://docs.microsoft.com/en-us/onedrive/use-silent-account-configuration

Steps:

  • Regkey SilentAccountConfig ==> Via GPO
    • [HKLM\SOFTWARE\Policies\Microsoft\OneDrive] "SilentAccountConfig"=dword:00000001
  • Regkey EnableADAL ==> ViaDEM
    • [HKCU\Software\Microsoft\OneDrive] “EnableADAL”=dword:00000001

I hope it's helpful

Reply
0 Kudos