Solved: iOS Devices can connect via InTune, but not Android

We had a big issue at a client recently, which was quite a bear to solve.  They used ADFS with on-premises SSO (meaning that they didn’t use DirSync to push passwords into Azure AD/Office 365), so when clients came to authenticate over the web via the Company Portal app, they were redirected to our on-prem ADFS for authentication.

This worked fine for our iOS and Windows devices, no issues at all!  But when we tried to use Android devices, they were presented with the following error message:

The Symptom

"Cool, I'll call the IT admin, OH SHIT that's me!"
Could not sign in. You will need to sign in again. If you see this message again, please contact your IT Admin.

Don’t you love those messages that tell you to contact yourself?

From the Intune Company Portal app, you can obtain logs by tapping the ‘…’ menu.  Opening the log, we see the following errors.


Authentication failed. Current state: FailedToAcquireTokens
Failed to acquire Graph token from AAD.
SignInService.access$900(SignInService.java:44)
SignInService$AadFailureAction.exec(SignInService.java:464)
SignInService$AadFailureAction.exec(SignInService.java:444)
GraphAccess$GraphTokenFailureDelegate.exec(GraphAccess.java:190)
GraphAccess$GraphTokenFailureDelegate.exec(GraphAccess.java:174)
AdalContext$AdalAuthenticationRetryCallback.onError(AdalContext.java:228)
com.microsoft.aad.adal.AuthenticationContext.waitingRequestOnError(AuthenticationContext.java:899)
com.microsoft.aad.adal.AuthenticationContext.onActivityResult(AuthenticationContext.java:758)
com.microsoft.windowsintune.companyportal.authentication.aad.AdalContext.onActivityResult(AdalContext.java:150)
com.microsoft.windowsintune.companyportal.views.AadAuthenticationActivity.onActivityResult(AadAuthenticationActivity.java:57)

Code:-11 primary error: 3 certificate: Issued to: CN=adfs.company.com,OU=E-Commerce,O=Company,L=Somewhere,ST=Georgia,C=US;
Issued by: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
on URL: https://adfs.company.com/adfs/ls/?wfresh=[...]

The Reason

The error occurs when the Company Portal app validates the TLS certificate presented by our ADFS endpoint to decide whether it can trust it.

The issue is that Android handles certificate chain building differently from iOS and Windows Phone. In short, Android needs every certificate in the chain (the intermediate CA as well as the server cert) to be presented by our ADFS servers, whereas iOS will go and look up the certificate's signer on its own.

The Fix

Import the certs up the chain into the intermediate store on the ADFS Proxies themselves.

So, launch the MMC and add the Certificates snap-in for the Local Computer on your ADFS server.  Find the cert your ADFS service is using (likely issued to adfs.yourcompany.com) and view its parent certificate.

Move a copy of the ‘parent’ cert (in my case, Symantec) into the Computer\Intermediate Certification Authorities\Certificates store. This part is CRUCIAL!

Next, move copies of your ADFS, ADFS Decrypting, and ADFS Signing Certs into the Personal Store for the ADFS Service.

Finally, restart the ADFS servers, because restarting the service alone is not enough.

With all of this finished, I’m finally able to enroll Android devices into InTune.
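The same check and fix in script form, added here and not part of the original post: run on the ADFS server or WAP proxy, it finds the ADFS service communications certificate in the machine Personal store, lets Windows build its chain, and copies any intermediate CA certificate that is missing into the Intermediate Certification Authorities store. The host name parameter (e.g. adfs.company.com) is an assumed value.

```powershell
# Added example, not the post's own procedure. Run elevated on each ADFS server / WAP proxy.
param(
    [Parameter(Mandatory = $true)]
    [string]$AdfsHostName   # hypothetical value, e.g. adfs.company.com
)

# Leaf: the service communications cert in LocalMachine\My (the "Personal" store).
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$AdfsHostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate for $AdfsHostName found in LocalMachine\My" }

# Windows will fetch a missing issuer itself while building the chain; that is the
# lookup Android does not perform, so we persist whatever Windows finds.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

# LocalMachine\CA is the "Intermediate Certification Authorities" store.
$caStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$caStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$elements = $chain.ChainElements
for ($i = 1; $i -lt $elements.Count; $i++) {       # index 0 is the leaf itself
    $cert = $elements[$i].Certificate
    if ($cert.Subject -eq $cert.Issuer) { continue } # self-signed root: belongs in Trusted Root, not here
    $present = $caStore.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $cert.Thumbprint, $false)
    if ($present.Count -eq 0) {
        Write-Host "Adding missing intermediate: $($cert.Subject)"
        $caStore.Add($cert)
    } else {
        Write-Host "Already present: $($cert.Subject)"
    }
}
$caStore.Close()
Write-Host "Done. Reboot the server; restarting the ADFS service alone is not enough."
```

If you already have the chain as a .p7b file (no private key), `Import-Certificate -FilePath .\chain.p7b -CertStoreLocation Cert:\LocalMachine\CA` drops all of its certificates into the same store.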


6 thoughts on “Solved: iOS Devices can connect via InTune, but not Android”

  1. Anuj Rana December 14, 2015 / 12:25 pm

    Glad to see that issue is resolved 🙂

  2. Naattori May 20, 2016 / 7:12 am

    Hi, your instructions are unclear. First you advise to “Import the certs up the chain into the intermediate store on the ADFS Proxies themselves.”

    Then you talk about making changes on the “ADFS Server” in the more detailed part of the instructions. Because ADFS Server != ADFS Proxy server, your instructions don’t make much sense.

    • FoxDeploy May 20, 2016 / 7:26 am

      The proxies need the full cert chain. See if this fixes your issue. If not there is another step

      • Naattori May 20, 2016 / 7:36 am

        Oh right, sorry, I didn’t quite understand that there were two steps, because the next sentence starts “So, launch the MMC…”, which seemed like more detailed instructions for the same step.

        I’ll try importing the full chain for the proxies first and see if it helps. Thanks for clarification!

        • FoxDeploy May 20, 2016 / 7:37 am

          No problem. I have notes about an additional step which might be needed. Keep in mind that when you put new certs on the proxy, you need to restart the service. In our case, we rebooted them one by one.

  3. David Kim June 6, 2016 / 10:41 pm

    Thanks for sharing! You gave me enough clues to get started and reach the resolution.
    Here are the steps I took:

    1. Log in to the first ADFS Proxy server (WAP server in my case)
    2. MMC > Add/Remove snapins
    3. Add Certificates > Computer > Local Computer
    4. Trusted Root Certification Authorities/Certificates > All Tasks > Import…
    5. Browse to where the certificate in p7b format (without the private key) is stored > Next > Finish
    6. This will import 2 certificates; in my case, one from Symantec Class 3 EV SSL CA and the other from VeriSign Class 3
    7. This time import the same p7b file into the Intermediate Certification Authorities/Certificates store
    8. This will also import 2 certificates to the Intermediate certificates store
    9. Reboot the ADFS proxy/WAP server
    10. Repeat the same process on your other ADFS proxy/WAP server.
