I’m in the process of migrating my Citrix Virtual Apps environment from Windows Server 2012 R2 to Windows Server 2019. After I moved a few users to the new Virtual Delivery Agents, I almost instantly noticed Microsoft 365 Apps (until now known as Office 365 ProPlus) sign-in did not work. My environment is configured with Single sign-on (SSO) and ADFS, so the users should never be prompted for a sign-in – but they were. And the biggest issue was that when they entered their e-mail address, the sign-in box turned into a blank white box.
Since my SSO is working just fine from the old Windows Server 2012 R2 VDA servers, and any GPOs are the same in both environments, I knew something was up with Server 2019. According to this blog post from Microsoft, there should be no compatibility issues. But in fact there are.
After some research, I found out that since build 16.0.7967 of Microsoft 365 Apps, Microsoft has been using WAM (Web Account Manager) as the sign-in method instead of the old ADAL (Azure Active Directory Authentication Library) method. Although it should work on Server 2019, it doesn’t. For now, I’m not sure if it’s a general issue or something connected to my specific environment.
Anyhow, I found a few blog posts (for instance this post) on how to disable WAM using the registry. Just make a GPP adding the following registry key to all users:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableADALatopWAMOverride"=dword:00000001
That did the trick for me, i.e. no more sign-in box at all! If that doesn’t help, add the following registry key as well:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableAADWAM"=dword:00000001
Edit 2022-05-11: Since the latest version of Microsoft 365 Apps, even more keys must be added for the sign-in to work (refer to this Citrix article):
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"DisableMSAWAM"=dword:00000001
Remember – this is not a supported or preferred solution. It’s a dirty workaround, and the main issue should be solved as soon as possible.
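Because this is a workaround that should be rolled back once the underlying issue is fixed, it helps to be able to see which of the three values are set in a given user session, and to apply or remove them in one step. The following PowerShell is an added example, not part of the original post; the function names are hypothetical, and it assumes it runs inside the affected user's session so that HKCU points at that user's hive.

```powershell
# Added example: audit, apply or roll back the three WAM override values
# named in this post. Function names are illustrative assumptions.
$IdentityKey  = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$WamOverrides = 'DisableADALatopWAMOverride', 'DisableAADWAM', 'DisableMSAWAM'

function Get-WamOverrideState {
    # One object per value: whether it exists and whether it is set to 1.
    foreach ($name in $WamOverrides) {
        $data = $null
        if (Test-Path -Path $IdentityKey) {
            $prop = Get-ItemProperty -Path $IdentityKey -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $data = $prop.$name }
        }
        [pscustomobject]@{
            Name    = $name
            Present = ($null -ne $data)
            Data    = $data
            Active  = ($data -eq 1)   # workaround in effect for this value
        }
    }
}

function Set-WamOverride {
    # Writes DWORD 1 for the chosen values; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Name = $WamOverrides)
    if (-not (Test-Path -Path $IdentityKey)) {
        New-Item -Path $IdentityKey -Force | Out-Null
    }
    foreach ($n in $Name) {
        if ($PSCmdlet.ShouldProcess("$IdentityKey\$n", 'Set DWORD 1')) {
            New-ItemProperty -Path $IdentityKey -Name $n -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Remove-WamOverride {
    # Rollback: deletes the values so Office returns to its default sign-in path.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Name = $WamOverrides)
    foreach ($n in $Name) {
        if ($PSCmdlet.ShouldProcess("$IdentityKey\$n", 'Remove value')) {
            Remove-ItemProperty -Path $IdentityKey -Name $n -ErrorAction SilentlyContinue
        }
    }
}

Get-WamOverrideState | Format-Table -AutoSize
```

Run `Set-WamOverride -Name DisableADALatopWAMOverride -WhatIf` to preview applying only the first value, mirroring the order in which the post introduces the keys.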
Thanks it works nice… I have the same issue for Skype and MS Teams… and those regkeys are not fixing it for Skype or Teams… but it does fix it for office.
Any clue of how this can be fixed?? 🙂
Hello! Glad to hear the article was helpful to you.
Unfortunately, I have no clue about Skype or Teams – I don’t use those applications in my server environment, only on the client side where I haven’t seen the issue.
Perhaps you can find something at the following Microsoft page: https://docs.microsoft.com/en-us/office365/troubleshoot/authentication/connection-issue-when-sign-in-office-2016
Regards
Lucas
We have this EXACT same problem, and I will try those REG entries. Did you ever find an answer to the TEAMS question, as it is doing the same thing (SSO doesn’t seem to work)…
Thanks!
I never investigated Teams any further as we are not running Teams in our terminal server environment – just some Office applications.
Perhaps you need to somehow disable ADAL for Teams specifically.
We had the same problem that SSO didn’t work within Teams.
Just recently we “fixed” it (but at the moment not fully tested) when we start Teams with Windows 8 compatibility mode activated.
(found here: https://docs.microsoft.com/en-us/answers/questions/605214/microsoft-teams-in-citrix-vdi.html)
Just a follow-up to my previous post: we also had to include the following folder to sync into our profile management solution (Citrix):
“AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy”
For now it seems to work, hope Microsoft itself will fix this in the future.
Facing the same issue now with SSO on newest 365, 2019 RDS. Is this still the only solution as WAM doesn’t appear to work in traditional AD joined RDS?
Yes, we are still using this work around in our 2019 environment with the latest Office. I’m a bit surprised MS hasn’t fixed it yet…
Thanks for the article! This solution also helped us in a Windows server 2019 environment. I assume Microsoft hasn’t solved the problem yet? Does anyone have more information about this? On Microsoft’s site? I can’t find anything about it.
Microsoft has not fixed the issue. In fact, even more registry keys need to be added for the latest Office to work. Read more about it in the Citrix article: https://support.citrix.com/article/CTX267071
MS still hasn’t fixed this; a case with MS could not resolve it either. 2019 RDS with UPD profiles. The 2 registry keys were working for me previously; now, even with the addition of the 3rd that Citrix recommends, it does not fix it. Seamless SSO works if I shut off 2FA for the RDS servers, but I’d rather not do that. Frustrating!
Checking to see if anyone has ever found a solution to this issue? Running into a random user issue across several MS Server Datacenter 2019 TS, running Office 2019 Click-to-Run with SPLA license. User is prompted to log into Outlook on first open of the day. If Outlook is closed and reopened, it opens normally. If the application is left running for < 2 min and is closed, the prompt returns and Outlook must be closed and reopened. This is not every TS user logging in, only a random sampling of them. All have supplied 2FA authentication options, but they are not enforced.