Connection issues in sign-in after update to Office 2016 build 16.0.7967 on Windows 10

Note

Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information about this change, read this blog post.

Overview

This article contains information about a new authentication framework for Microsoft Office 2016.

By default, Microsoft 365 Apps for enterprise (2016 version) uses Azure Active Directory Authentication Library (ADAL) framework-based authentication. Starting in build 16.0.7967, Office uses Web Account Manager (WAM) for sign-in workflows on Windows builds that are later than 15000 (Windows 10, version 1703, build 15063.138).

General guidance

If you experience authentication issues in Office applications on Windows 10, we recommend that you take the following actions:

  • Update Office products to the latest build for your channel according to Update history for Microsoft 365 Apps for enterprise (listed by date).
  • Make sure that you are running any of the following Windows builds:
    • Any build for Windows 10, version 1809 or a later version
    • 17134.677 or later builds for Windows 10, version 1803
    • 16299.461 or later builds for Windows 10, version 1709
    • 15063.1112 or later builds for Windows 10, version 1703

Symptoms

You may experience one of the following symptoms after you update to Microsoft Office 2016 build 16.0.7967 or a later version on Windows 10.

Symptom 1

When the overall network is working on your devices, Office applications may still experience connection problems. You may see a message that resembles the following:

You'll need the internet for this.
We couldn't connect to one of the services we needed to sign you in. Please check your connection and try again.
0xCAA70007

Screenshot of the error message shows that you will need the internet for this.

To determine whether you're experiencing this kind of issue, follow these steps:

  1. Make sure that you're running Office build 16.0.9126.2259 or a later build. (The latest build on your channel is best. See the general guidance in the Overview section.)

  2. Open Event Viewer.

  3. Go to Applications and Services Logs > Microsoft > Windows > AAD.

  4. In the Operational logs, locate messages from XMLHTTPWebRequest that have the following pattern:

    0x?aa7????, 0x?aa8????, 0x?aa3????, 0x102, 0x80070102
  5. Make sure that the time of these errors is related to a time when you actually had an Internet connection. This is not an intermittent network issue caused by the loss of a Wi-Fi connection or by a wake-up after hibernation while the network stack initializes.

Then, to determine whether your issue is due to the network environment or to local firewall/antivirus software, follow these steps:

  1. Open Edge (not Internet Explorer) and go to https://login.microsoftonline.com. Navigation should land on https://www.office.com or your company's default landing page. If this fails, the issue is in the network environment or local firewall/antivirus software.

  2. Open Edge (not Internet Explorer) in InPrivate mode and go to https://login.microsoftonline.com. After you enter credentials, navigation should land on https://www.office.com or your company's default landing page. If this fails, the issue is in the network environment or local firewall/antivirus software.

To resolve this issue, make sure that your local firewall, antivirus software, and Windows Defender don't block the following AAD WAM plug-in processes that are engaged in token acquisition:

C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe

C:\Windows\System32\backgroundTaskHost.exe

Note The PackageFamilyName of the plug-in is the following:

Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

Also, make sure that your network environment doesn't block the primary destination:

https://login.microsoftonline.com/

Note This primary address covers many IP addresses (and many services). Some of these addresses may be blocked in the environment for no good reason, which causes intermittent problems on some devices while other devices work fine.
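The following PowerShell script is an added example that is not part of the original article. It runs the device-side pre-checks that Symptom 1 calls for: that the AAD WAM broker plug-in package from the note above is registered, that the two token-acquisition executables exist on disk, and that HTTPS to login.microsoftonline.com actually completes from this device (the same check the Edge navigation steps perform by hand). The package name, the two paths, and the destination host are taken from this article; the hostname test and the HTTP request are standard cmdlets, not anything the article prescribes.

```powershell
# Added example (not from the original article): Symptom 1 pre-checks on the affected device.
# Run in an elevated PowerShell window on the Windows 10 device that shows the error.

$brokerPfn = 'Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'          # PackageFamilyName from the article
$processes = @(
    "$env:windir\SystemApps\$brokerPfn\Microsoft.AAD.BrokerPlugin.exe",
    "$env:windir\System32\backgroundTaskHost.exe"
)
$endpoint  = 'login.microsoftonline.com'                           # primary destination from the article

# 1. Is the broker plug-in package registered for the current user?
$pkg = Get-AppxPackage -Name 'Microsoft.AAD.BrokerPlugin'
if ($pkg -and $pkg.PackageFamilyName -eq $brokerPfn) {
    Write-Host "OK   broker plug-in package present: $($pkg.PackageFullName)"
} else {
    Write-Warning "broker plug-in package '$brokerPfn' not found for this user (try Get-AppxPackage -AllUsers)"
}

# 2. Do the two processes that WAM uses for token acquisition exist on disk?
#    (Whether a firewall or AV product blocks them must still be checked in that product's console.)
foreach ($p in $processes) {
    if (Test-Path -LiteralPath $p) { Write-Host "OK   $p" } else { Write-Warning "missing: $p" }
}

# 3. Is TCP/443 to the primary sign-in destination reachable from this device?
$tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Host "OK   TCP 443 to $endpoint via $($tcp.RemoteAddress)"
} else {
    Write-Warning "cannot reach $endpoint on TCP 443 (resolved to $($tcp.RemoteAddress)); check proxy/firewall"
}

# 4. Does an HTTPS request complete end to end (TLS handshake, proxy, content filter)?
#    Redirects are followed; any HTTP status proves the connection itself works.
try {
    $resp = Invoke-WebRequest -Uri "https://$endpoint/" -UseBasicParsing -ErrorAction Stop
    Write-Host "OK   HTTPS GET returned $($resp.StatusCode)"
} catch {
    $code = $null
    if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
    if ($code) { Write-Host "OK   HTTPS GET returned $code (an HTTP error still means the connection succeeded)" }
    else       { Write-Warning "HTTPS GET failed before any response: $($_.Exception.Message)" }
}
```

Because the article notes that the primary address maps to many IP addresses, a single successful TCP test does not rule out the problem; run the script more than once, or on several devices, and compare the resolved addresses when results differ.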

Symptom 2

When you attempt to open or save a document in Microsoft SharePoint Online, OneDrive for Business, or SharePoint, or you try to synchronize email messages or your calendar in Microsoft Outlook, you're prompted for credentials. After you enter credentials, you're prompted again. This issue may occur for the following reasons:

  • The Trusted Platform Module (TPM) chip or firmware is malfunctioning. Windows uses the TPM chip to protect your credentials. The chip may become corrupted or reset under some conditions. To determine whether you are experiencing this kind of issue, follow these steps:

    1. Open Event Viewer.
    2. Go to Applications and Services Logs > Microsoft > Windows > AAD.
    3. In the Operational logs, locate the errors that display the following pattern: 0x?028????, 0x?029???? or 0x?009????

    To avoid this issue in the future, we recommend that you update the TPM firmware.

    For Windows 10, version 1709 or later versions: The operating system automatically detects situations that are related to TPM failures and provides a user recovery process that should occur automatically. If this process doesn't occur automatically, we recommend that you use this manual recovery method.

    For Windows 10, version 1703: An automatic process is provided for Hybrid Azure AD join. No automatic process is provided for other environment configurations. If the Hybrid Azure AD join process doesn't occur automatically, we recommend that you use this manual recovery method.

  • A device is disabled by the user, the Enterprise administrator, or a policy because of a security concern or by mistake. To determine whether you are experiencing this issue, follow these steps:

    1. Open Event viewer.
    2. Go to Applications and Services Logs > Microsoft > Windows > AAD.
    3. In the Operational logs, locate the following message:

    Description: AADSTS70002: Error validating credentials. AADSTS135011: Device used during the authentication is disabled.

    To resolve this issue, we recommend that the Enterprise administrator enable the device in Active Directory or Azure Active Directory (Azure AD). For information about how to manage devices in Azure AD, see the Device management tasks section of the "How to manage devices using the Azure portal" topic on the Microsoft Docs website.

  • The Enterprise administrator or a policy deleted a device because of a security concern or by mistake. To verify that you are experiencing this issue, follow these steps:

    1. Open Event viewer.
    2. Go to Applications and Services Logs > Microsoft > Windows > AAD.
    3. In the Operational logs, locate the following message:

    Description: AADSTS70002: Error validating credentials. AADSTS50155: Device is not authenticated.

    To resolve this issue, we recommend that you recover the device by using the manual recovery method. Note If nobody in the Enterprise deleted the device, please file a support ticket and provide an example of a device that is not recovered.

Manual recovery

To do a manual recovery of the computer, follow the appropriate steps, depending on how the device is joined to the cloud (Hybrid Azure AD join, Add a work account, or Azure AD join).

  • Hybrid Azure AD join

    Run the following command: >dsregcmd /status

    The result should contain the following fields (in Device state):

    AzureAdJoined : YES
    DomainJoined : YES
    DomainName : <CustomerDomain>

    The current logon user should be a domain user. The affected identity should be the current logon user.

    Recovery (safe to do):

    Run the Dsregcmd /leave command in an administrative Command Prompt window, then restart the system.

  • Add a work account

    Run the following command: >dsregcmd /status

    The result should contain the following field (in User state):

    WorkplaceJoined : YES

    The device state can be any option. The current logon user can be any user. The affected identity should be a work or school account that you can see in Settings > Accounts > Access work or school.

    Recovery (safe to do):

    Remove the work account in Settings > Accounts > Access work or school, and then restore the work account.

  • Azure AD join

    Run the following command: >dsregcmd /status

    The result should contain the following fields (in Device state):

    AzureAdJoined : YES
    DomainJoined : NO

    The current logon user should be an Azure Active Directory (AAD) user. The affected identity should be the current logon user.

    Recovery:

    Note Back up your data first.

    Create a new local administrator. Disconnect from the domain (Settings > Accounts > Access work or school > Disconnect). Then, log on as the new local administrator, and reconnect to Azure AD.
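The following PowerShell script is an added example and is not part of the original article. It runs dsregcmd /status, parses the "key : value" lines that the three recovery cases above refer to (AzureAdJoined, DomainJoined, DomainName, WorkplaceJoined), and reports which of the three manual-recovery paths applies. It assumes Windows 10 with dsregcmd.exe available on the PATH; the function names Get-DsregStatus and Get-JoinType are the example's own. It only reads state; the recovery actions themselves are printed, not performed.

```powershell
# Added example (not from the original article): classify the device's cloud-join state
# from dsregcmd /status so the matching manual-recovery path can be chosen.

function Get-DsregStatus {
    $state = @{}
    # dsregcmd prints lines such as "   AzureAdJoined : YES"; keep the first value seen per key
    # (a key such as DomainName may appear in more than one section of the output).
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            if (-not $state.ContainsKey($matches[1])) { $state[$matches[1]] = $matches[2] }
        }
    }
    return $state
}

function Get-JoinType([hashtable]$s) {
    # Mirrors the three cases in the Manual recovery section. Device-state checks come first;
    # a hybrid-joined device may also carry an added work account, and the article says the
    # affected identity (domain user vs. work account) decides which path to follow.
    if ($s['AzureAdJoined'] -eq 'YES' -and $s['DomainJoined'] -eq 'YES') { return 'HybridAzureAdJoin' }
    if ($s['AzureAdJoined'] -eq 'YES' -and $s['DomainJoined'] -eq 'NO')  { return 'AzureAdJoin' }
    if ($s['WorkplaceJoined'] -eq 'YES')                                   { return 'WorkAccount' }
    return 'None'
}

$status = Get-DsregStatus
$join   = Get-JoinType $status

Write-Host ("AzureAdJoined={0} DomainJoined={1} DomainName={2} WorkplaceJoined={3}" -f `
    $status['AzureAdJoined'], $status['DomainJoined'], $status['DomainName'], $status['WorkplaceJoined'])
Write-Host "Join type: $join"

switch ($join) {
    'HybridAzureAdJoin' { Write-Host 'Recovery: current logon user should be a domain user. Run "dsregcmd /leave" in an administrative Command Prompt, then restart.' }
    'AzureAdJoin'       { Write-Host 'Recovery: back up data first, create a new local administrator, Disconnect under Settings > Accounts > Access work or school, log on as that administrator, then reconnect to Azure AD.' }
    'WorkAccount'       { Write-Host 'Recovery: remove the work account under Settings > Accounts > Access work or school, then add it back.' }
    default             { Write-Host 'Device is not cloud-joined in any of the three ways this article covers.' }
}
```

Run it before and after recovery: the Hybrid case should show DomainJoined : YES and AzureAdJoined : NO immediately after dsregcmd /leave, and return to AzureAdJoined : YES once the device has re-registered after the restart.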

Symptom 3

The Office sign-in workflow stops or shows no on-screen progress. The sign-in window shows a "Signing in" message or a blank authentication screen.

Screenshot of the page that shows the Signing in status.

This issue occurs because WAM disables non-HTTPS traffic to prevent security threats, such as someone stealing user credentials. To verify that you are experiencing this issue, follow these steps:

  1. Open Event viewer.

  2. Go to Applications and Services Logs > Microsoft > Windows > AAD.

  3. In the Operational logs, locate the following message:

    Navigation to non-SSL destination. Non-secure communication is prohibited. Canceling navigation.

To resolve this issue and secure user credentials, we recommend that you enable HTTPS on the Identity servers.
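Symptoms 1, 2, and 3 all send the reader to the same log (Applications and Services Logs > Microsoft > Windows > AAD > Operational) to look for different signatures. The following PowerShell script is an added example that is not part of the original article: it reads that log once with Get-WinEvent and checks every event message against the patterns the three symptoms list, then prints the first and last time each signature occurred and the article's recommended next step. The article's single-character "?" wildcards are translated to one hexadecimal digit each. The log name Microsoft-Windows-AAD/Operational, the look-back window, and the rule table are the example's own assumptions; the regular expressions only match the codes and messages quoted in this article.

```powershell
# Added example (not from the original article): triage the AAD Operational log for the
# signatures described under Symptoms 1, 2 and 3. Run elevated on the affected Windows 10 device.

$logName = 'Microsoft-Windows-AAD/Operational'   # assumed channel name for the AAD > Operational log
$since   = (Get-Date).AddDays(-7)                # look back one week; adjust as needed

# One rule per signature: regex over the event message, plus the article's interpretation.
# '0x?aa7????' -> one hex digit, 'aa7', four hex digits; the three Symptom 1 prefixes are merged.
$rules = @(
    @{ Name   = 'Symptom 1: WAM web request failed (XMLHTTPWebRequest)'
       Regex  = '0x[0-9A-Fa-f]aa[738][0-9A-Fa-f]{4}|\b0x102\b|0x80070102'
       Action = 'Confirm the device had connectivity at these times, then check firewall/AV rules for the broker plug-in and access to https://login.microsoftonline.com/' },
    @{ Name   = 'Symptom 2: TPM chip or firmware problem'
       Regex  = '0x[0-9A-Fa-f]0(28|29|09)[0-9A-Fa-f]{4}'
       Action = 'Update the TPM firmware; on 1709 and later expect automatic recovery, otherwise use the manual recovery method' },
    @{ Name   = 'Symptom 2: device disabled'
       Regex  = 'AADSTS135011'
       Action = 'Ask the Enterprise administrator to enable the device in Active Directory or Azure AD' },
    @{ Name   = 'Symptom 2: device deleted'
       Regex  = 'AADSTS50155'
       Action = 'Recover the device with the manual recovery method; file a support ticket if nobody deleted it' },
    @{ Name   = 'Symptom 3: navigation to a non-HTTPS identity endpoint blocked'
       Regex  = 'Navigation to non-SSL destination'
       Action = 'Enable HTTPS on the Identity servers' }
)

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No events in $logName since $since"; return }

foreach ($rule in $rules) {
    $hits = @($events | Where-Object { $_.Message -match $rule.Regex } | Sort-Object TimeCreated)
    if ($hits.Count -eq 0) { continue }

    Write-Host ("`n[{0}] {1} event(s), first {2:u}, last {3:u}" -f `
        $rule.Name, $hits.Count, $hits[0].TimeCreated, $hits[-1].TimeCreated)
    Write-Host "   next step: $($rule.Action)"

    # Show the newest matching message (whitespace collapsed, truncated) so the code can be read in context.
    $text = ($hits[-1].Message -replace '\s+', ' ')
    Write-Host ("   newest   : " + $text.Substring(0, [Math]::Min(160, $text.Length)))
}
```

For Symptom 1, the "first" and "last" timestamps are what step 5 of that symptom asks you to compare against the times the device really had an Internet connection; hits that fall only around sleep/wake or Wi-Fi roaming are not this issue.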

Symptom 4

You have a non-persistent Virtual Desktop Infrastructure (VDI) environment that has a federated Identity Provider (IdP) that is configured for Single Sign-On (SSO). You do not expect to be prompted to activate or sign in because SSO is configured. However, you are prompted to sign in for each new session. Office ULS logs display the following error message:

{"Action": "BlockedRequest", "HRESULT": "0xc0f10005"

Notation

Please open a support case if you experience this issue. We require more log entry reports to help isolate the issue.

More information

The following guidelines apply to this article:

  • On builds of Windows 7, Windows 8, Windows 8.1, or Windows 10 that are earlier than 15000, ADAL authentication is the only option.
  • The Windows build should be later than 15000 (Windows 10, version 1703, build 15063.138, Generally Available). For more information, see Windows 10 release information.
  • This article applies whether you use Microsoft Federation or non-Microsoft Federation solutions.

For more information, see the following Knowledge Base article:

4347010 Error Code: 0x8004deb4 when signing in to OneDrive for Business