Connection issues in sign-in afterwards update to Office 2022 build sixteen.0.7967 on Windows 10

  • Commodity
  • 7 minutes to read
  • Applies to:
    Microsoft 365 Apps for enterprise, Office 2016

Overview

This article contains information about a new authentication framework for Microsoft Part 2016.

By default, Microsoft Microsoft 365 Apps for enterprise (2016 version) uses Azure Active Directory Authentication Library (ADAL) framework-based hallmark. Starting in build 16.0.7967, Role uses Spider web Account Manager (WAM) for sign-in workflows on Windows builds that are after than 15000 (Windows 10, version 1703, build 15063.138).

General guidance

If you experience hallmark issues in Office application on Windows 10, nosotros recommend to practice the following actions:

  • Update Part products to the latest build for your channel according to Update history for Microsoft 365 Apps for enterprise (listed by appointment).
  • Brand sure that you are running any of the following Windows builds:
    • Any build for Windows 10, version 1809 or a later version
    • 17134.677 or later builds for Windows 10, version 1803
    • 16299.461 or later on builds for Windows 10, version 1709
    • 15063.1112 or later on builds for Windows 10, version 1703

Symptoms

Yous may experience i of the post-obit symptoms after you lot update to Microsoft Office 2022 build 16.0.7967 or a later on version on Windows 10.

Symptom i

When the overall network is working on your devices, Role applications may experience connexion bug. Yous may come across a message that resembles the following:

You'll need the internet for this.
We couldn't connect to one of the services we needed to sign y'all in. Please check your connectedness and endeavor again.
0xCAA70007

Screenshot of the error message shows that you will need the internet for this.

To determine whether y'all're experiencing this kind of issue, follow these steps:

  1. Make sure that you're running Office build 16.0.9126.2259 or a later build. (The latest build on your channel is great. Encounter the full general guidance in the Overview department.)

  2. Open Upshot Viewer.

  3. Go to Applications and Services Logs > Microsoft > Windows > AAD.

  4. In the Operational logs, locate messages from XMLHTTPWebRequest that have the post-obit design:

                      0x?aa7????,  0x?aa8????, 0x?aa3????, 0x102, 0x80070102

  5. Make sure that the fourth dimension of these errors is related to the time when you lot actually had an Internet connection. This is not an intermittent network upshot because of the loss of a Wi-Fi connection or a wake-upwardly afterward hibernation and initialization of the network stack.

Then, to make up one's mind whether your upshot is due to network environment or local firewall/antivirus software, follow these steps:

  1. Open Border (non Internet Explorer) and get to https://login.microsoftonline.com. Navigation should land on https://www.office.com or your company'southward default landing folio. If this fails, the issue is in a network environment or local firewall/antivirus software.

  2. Open Edge (not Internet Explorer) in InPrivate way and get to https://login.microsoftonline.com. After you enter credentials, navigation should country on https://www.office.com or your company's default landing page. If this fails, the issue is in a network environment or local firewall/antivirus software.

To resolve this issue, brand sure that your local firewall, antivirus software, and Windows Defender don't block the following AAD WAM plug-in processes that engaged in token acquisition:

C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe

C:\Windows\System32\backgroundTaskHost.exe

Note The PackageFamilyName of the plugin is the following:

Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

Also, make sure that your network surround doesn't block the primary destination:

https://login.microsoftonline.com/

Note This main address covers many IP addresses (and many services). Some of these addresses may be blocked in the surround for no good reason, which causes intermittent problems in some devices while other devices work fine.

Symptom 2

When you try to open up or relieve a document in Microsoft SharePoint Online, OneDrive for Business, or SharePoint, or you try to synchronize email letters or your calendar in Microsoft Outlook, you're prompted for credentials. After yous enter credentials, you're prompted again. This outcome may occur for the following reasons:

  • The Trusted Platform Module (TPM) chip or firmware is malfunctioning. Windows uses the TPM chip to protect your credentials. The chip may become corrupted or reset in some weather condition. To determine whether you lot are experiencing this kind of effect, follow these steps:

    1. Open Event Viewer.
    2. Go to Applications and Services Logs > Microsoft > Windows > AAD.
    3. In the Operational logs, locate the errors that brandish the post-obit pattern: 0x?028????, 0x?029???? or 0x?009????

    To avoid this issue in time to come, nosotros recommend that you update the TPM firmware.

    For Windows 10, version 1709 or after versions: The operating system automatically detects situations that are related to TPM failures and provides a user recovery procedure that should occur automatically. If this process doesn't occur automatically, we recommend that you lot use this transmission recovery method.

    For Windows 10, version 1703: An automated process is provided for Hybrid Azure AD join. No automatic process is provided for other surround configurations. If the Hybrid Azure AD join process doesn't occur automatically, we recommend that yous utilize this manual recovery method.

  • A device is disabled by the user, the Enterprise ambassador, or a policy because of a security business organisation or past mistake. To determine whether you are experiencing this event, follow these steps:

    1. Open up Event viewer.
    2. Go to Applications and Services Logs > Microsoft > Windows > AAD.
    3. In the Operational logs, locate the following message:

    Description: AADSTS70002: Error validating credentials. AADSTS135011: Device used during the authentication is disabled.

    To resolve this issue, we recommend that the Enterprise ambassador enable the device in Active Directory or Azure Active Directory (Azure Ad). For information about how to manage devices in Azure Ad, see the Device management tasks section of the "How to manage devices using the Azure portal" topic on the Microsoft Docs website.

  • The Enterprise administrator or a policy deleted a device because of a security reason or by mistake. To verify that yous are experiencing this consequence, follow these steps:

    1. Open up Event viewer.
    2. Get to Applications and Services Logs > Microsoft > Windows > AAD.
    3. In the Operational logs, locate the following message:

    Description: AADSTS70002: Error validating credentials. AADSTS50155: Device is non authenticated.

    To resolve this outcome, nosotros recommend that you recover the device by using the manual recovery method. Note If nobody on the Enterprise deleted the device, please file a back up ticket and provide an example of a device that is not recovered.

Manual recovery

To do a manual recovery of the estimator, follow the appropriate steps, depending on how the device is joined to the cloud (Hybrid Azure AD join, Add together a work business relationship, or Azure Ad join).

  • Hybrid Azure Advertizement join

    Run the post-obit command: ​​>dsregcmd /status

    The upshot should contain the post-obit fields (in Device state):

                      AzureAdJoined : Yep DomainJoined : YES DomainName : <CustomerDomain>

    The current logon user should be a domain user. The afflicted identity should be the current logon user.

    Recovery (safe to do):

    Run the Dsregcmd /leave command in an administrative Command Prompt window, and and so restart the arrangement.

  • Add together a work business relationship

    Run the post-obit command: >dsregcmd /status

    The event should comprise the following field (in User country):

                      WorkplaceJoined : YES

    The device land can be fix to whatever option. The current logon user tin be whatever user. The affected identity should exist a work or schoolhouse account that you can see in Setting > Accounts > Access piece of work or schoolhouse.

    Recovery (safe to practise):

    Remove the work account in Setting > Accounts > Access work or school, and and so restore the work account.

  • Azure AD bring together

    Run the following command: >dsregcmd /status

    The result should contain the post-obit fields (in Device land):

                      AzureAdJoined : Yeah DomainJoined : NO

    The current logon user should be an Azure Agile Directory (AAD) user. The affected identity should exist the current logon user.

    Recovery:

    Note Back up your data start.

    Create a new local ambassador. Disconnect from the domain (Setting > Accounts > Access work or school > Disconnect). Then, log on every bit the new local administrator, and reconnect to Azure AD.

Symptom three

The Role sign-in workflow stops or shows no on-screen progress. The sign-in window shows a "Signing in" message or a blank authentication screen.

Screenshot of the page that shows the Signing in status.

This issue occurs considering WAM is disabling not-HTTPS traffic to prevent security threats, such every bit someone stealing user credentials. To verify that you lot are experiencing this effect, follow these steps:

  1. Open Event viewer.

  2. Go to Applications and Services Logs > Microsoft > Windows > AAD.

  3. In the Operational logs, locate the post-obit bulletin:

    Navigation to not-SSL destination. Non-secure communication is prohibited. Canceling navigation.

To resolve this upshot and secure user credentials, we recommend that you enable HTTPS on the Identity servers.

Symptom 4

You lot take a non-persistent Virtual Desktop Infrastructure (VDI) environment that has a federated Identity Provider (IdP) that is configured as Single-Sign On (SSO). You do non expect to be prompted to activate or sign in considering SSO is configured. Notwithstanding, you are prompted to sign in for each new session. Function ULS logs display the following mistake message:

{"Action": "BlockedRequest", "HRESULT": "0xc0f10005"

Note

Please open a back up case if you experience this event. Nosotros require more log entry reports to aid isolate the event.

More information

The following guidelines employ to this article:

  • On builds of Windows seven, Windows 8, Windows eight.1, or Windows ten that are earlier than 15000, ADAL authentication is the only option.
  • The Windows build should be after than 15000 (Windows 10, version 1703, build 15063.138, More often than not Bachelor). For more data, see Windows ten release data.
  • This article applies whether you utilize Microsoft Federation or non-Microsoft Federation solutions.

For more than information, see the post-obit Noesis Base of operations article:

4347010 Fault Code: 0x8004deb4 when signing in to OneDrive for Business