Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

AD FS on-premises device registration blocks Windows Phone 8.1 users in Intune


Symptoms

When users try to sign in to the Company Portal app for Windows Phone 8.1, the attempt may fail. This problem occurs if the users' IT pro has enabled AD FS on-premises device registration. The sign-in failure is recorded as a user cancellation error in the Company Portal log.


Cause

The Windows Phone 8.1 Company Portal app uses an OS component that's named the Web Authentication Broker (WAB). This component handles delegated Web login attempts. When AD FS on-premises device registration is enabled, it modifies the AD FS global authentication policy to optionally support device authentication. This, in turn, causes authentication attempts to request client certificates. Because the WAB does not support client certificate authentication, the Web login redirects to the AD FS server, and the WAB cancels the login attempt with a “user canceled” error.


Resolution

To unblock Intune access for Windows Phone 8.1 users, the IT pro must assign a False value to the DeviceAuthenticationEnabled setting in the AD FS global authentication policy. If your enterprise requires this setting to be enabled, direct your users to the web-based Company Portal experience at http://portal.manage.microsoft.com.
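
One way to apply and verify the policy change described above, as an added example that is not part of the original KB article. `Disable-AdfsDeviceAuthentication` is a hypothetical helper name, and the script assumes an elevated PowerShell session on an AD FS server where the ADFS module is available.

```powershell
# Added example (not from the KB article). Disable-AdfsDeviceAuthentication is a
# hypothetical helper name; Get-/Set-AdfsGlobalAuthenticationPolicy are the
# ADFS module cmdlets that read and write the global authentication policy.
function Disable-AdfsDeviceAuthentication {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    Import-Module ADFS -ErrorAction Stop

    # Capture the current value so the change can be reported and reverted.
    $before = (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled
    if (-not $before) {
        Write-Verbose 'DeviceAuthenticationEnabled is already False; nothing to do.'
        return [pscustomobject]@{ Before = $before; After = $before; Changed = $false }
    }

    # With the setting off, AD FS stops requesting a client certificate,
    # which is the request the Web Authentication Broker cannot satisfy.
    if ($PSCmdlet.ShouldProcess('AD FS global authentication policy',
                                'Set DeviceAuthenticationEnabled to False')) {
        Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $false
    }

    # Re-read the policy rather than trusting the Set call.
    $after = (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled
    [pscustomobject]@{ Before = $before; After = $after; Changed = ($before -ne $after) }
}

# Preview first, then apply:
#   Disable-AdfsDeviceAuthentication -WhatIf
#   Disable-AdfsDeviceAuthentication
# Revert: Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
```

Because this is a global policy, the change affects device authentication for every relying party on the farm, not only Intune sign-ins.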


Article Info
Article ID : 3086134
Revision : 1
Created on : 1/7/2017
Published on : 8/19/2015
Exists online : False
Views : 192