After enabling Microsoft Teams in a federated setup with ADFS ,we might get this error when on premise users try to login to Microsoft Teams for the first time.
Even on the client logs in the below location we can see the below message-
Wed May 30 2018 06:51:54 GMT+0400 (Arabian Standard Time) <7092> — warning — SSO: ssoerr – (status) Unable to get errCode. Err:Error: ADAL error: 0xCAA10001SSO: ssoerr – (status) Unable to get errorDesc. Err:Error: ADAL error: 0xCAA10001
Wed May 30 2018 06:51:54 GMT+0400 (Arabian Standard Time) <7092> — event — Microsoft_ADAL_api_id: 13, Microsoft_ADAL_correlationId: 2c46e41d-ef75-49ed-b277-cfd61427b273, Microsoft_ADAL_response_rtime: 2, Microsoft_ADAL_api_error_code: caa10001,
There is also Get logs option that can be opened with the below option when this issue occurred from the Teams icon as shown below –
When the issue occurs we would be able to see the error message regarding unable to get ADAL access token in the get logs.
In the below example since its a successful login it shows as success after getting the access token.
There is an option to download MS-Teams Diagnostics logs as well by using the below key combination and here we go we get the Ms Teams Diagnostics logs
Ctrl + Shift + Alt + 1
while looking through this diagnostics logs it has lot of info like client version, computer name, memory , user ID and we can look only for an information that we are currently facing, since understanding this logs would be really difficult.
Below is an example of getting successful access token.
Any Azure AD dependent apps like Microsoft teams they will have an optimized path for the first time login process to login with WS-Trust kerberos authentication endpoints of ADFS.If the above first attempt is not successful then the client will try to perform an interactive login session which is presented as web browser dialog.
But the new office and ADAL clients will first try only WS-Trust 1.3 version of the endpoint for windows integrated authentication which is not enabled by default.
Enable WS-Trust 1.3 for Desktop Client SSO on the onprem ADFS server which has a federated setup with Azure AD tenant by running the below command.
Enable-AdfsEndpoint -TargetAddressPath “/adfs/services/trust/13/windowstransport”
We also want to ensure that we have both Forms and Windows Authentication (WIA) enabled in our global authentication policies.