Password field not displayed for Office 365 apps in Citrix VDA Server running 2019

Symptoms

  • When publishing any O365 app such as Excel or Word, users are prompted to authenticate to Office 365 to activate the app.
  • Password field is not rendered when the app is published so users can never authenticate.
  • This also occurs with RDP initial app.
  • Microsoft has reproduced the issue using RDS on a 2019 server.

Solution

Workarounds

  • Install Windows Server 2016 VDAs, as it does not have Web Authentication Manager, the component that is misbehaving.
  • Disable Web Authentication Manager via registry.
    • NOTE: This may not be supported by Microsoft because it causes other issues.

      HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
      "DisableADALatopWAMOverride"=dword:00000001

In case the above workaround does not work, refer to the following Citrix support article which discusses this case more thoroughly: https://discussions.citrix.com/topic/403721-office-365-pro-plus-shared-activation-password-screen-not-able-to-select/

As per the above article the suggested resolution which works in some scenarios is the following:

1) Create a user logon script entry in GPO for "runonce.exe" with parameters "/AlternateShellStartup".

2) Create a user registry entry via GPO as follows:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableADALatopWAMOverride = 1 (DWORD)

In addition to the above, you must set the GPO Computer Configuration > Administrative Templates > System > Group Policy > Configure Logon Script Delay to "Disabled" to solve the problem.

One more step to take in some scenarios is to add the following registry value on the VDA servers to fully disable WAM and revert to ADAL.

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableAADWAM"=dword:00000001
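
Because the note above says this workaround may not be supported by Microsoft, it helps to record which user profiles carry the override and to be able to back it out. The following is an added example, not code from Citrix or Microsoft: the function names and the -Remove switch are hypothetical, and only the key path and the two value names come from this page.

```powershell
# Added example: audit, apply, or remove the per-user WAM override values named in this article.
# Function and parameter names are hypothetical; the key path and value names are from the page.
$script:IdentityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

function Get-OfficeWamOverride {
    [CmdletBinding()]
    param([string]$KeyPath = $script:IdentityKey)

    # A missing key simply means neither value has been set for this user.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in 'DisableADALatopWAMOverride', 'DisableAADWAM') {
        $value = if ($props -and ($props.PSObject.Properties.Name -contains $name)) { $props.$name } else { $null }
        [pscustomobject]@{
            User  = "$env:USERDOMAIN\$env:USERNAME"
            Name  = $name
            Value = $value
            State = if ($null -eq $value) { 'NotSet' } elseif ($value -eq 1) { 'OverrideActive' } else { 'SetButNot1' }
        }
    }
}

function Set-OfficeWamOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('DisableADALatopWAMOverride', 'DisableAADWAM')]
        [string[]]$Name = 'DisableADALatopWAMOverride',
        [switch]$Remove,                      # back the workaround out again
        [string]$KeyPath = $script:IdentityKey
    )

    # Create the key only if it is absent; -Force on an existing key would clear it.
    if (-not $Remove -and -not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

    foreach ($n in $Name) {
        if ($Remove) {
            if ($PSCmdlet.ShouldProcess("$KeyPath\$n", 'Remove value')) {
                Remove-ItemProperty -Path $KeyPath -Name $n -ErrorAction SilentlyContinue
            }
        } elseif ($PSCmdlet.ShouldProcess("$KeyPath\$n", 'Set DWORD to 1')) {
            New-ItemProperty -Path $KeyPath -Name $n -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Report the current state for the logged-on user (read-only).
Get-OfficeWamOverride | Format-Table -AutoSize
```

Run `Set-OfficeWamOverride -WhatIf` first to preview the change, and `Set-OfficeWamOverride -Name DisableADALatopWAMOverride, DisableAADWAM -Remove` to return a profile to its default.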

If the above Registry changes do not resolve the issue for you, please see Microsoft's documentation for more information on this issue.

Another potential solution suggested by Citrix Discussion Forums is the following:
1) Publish the following application in the Windows Server 2019 Citrix delivery groups (make this Citrix app visible only to the domain admins group):

"C:\windows\systemapps\Microsoft.AAD.Brokerplugin_cw5n1htxyewy\Microsoft.AAD.Brokerplugin.exe"

2) When the second Office 365 authentication screen comes up this is the plug-in that it calls. Apparently you have to publish it in Citrix in order for this plug-in to work through Citrix.

The following article discusses the difference between the Office 365 ADAL (old) vs WAM (new) authentication methods: https://help.duo.com/s/article/5253?language=en_US

Last but not least, you should review the article entitled "How to fix Office 365 sign-in or activation issues" for more Microsoft recommendations on Office 365 authentication issues.


Problem Cause

This seems to be a Microsoft issue with the Web Authentication Manager component of the Windows Server 2019 OS.


Update (Aug 2021)

You can also try the solution suggested in this comment on the Citrix discussion thread: https://discussions.citrix.com/topic/403721-office-365-pro-plus-shared-activation-password-screen-not-able-to-select/page/9/#comment-2082698

Sources

https://support.citrix.com/article/CTX267071

https://discussions.citrix.com/topic/403721-office-365-pro-plus-shared-activation-password-screen-not-able-to-select/
