Office365 - SSO - wrong password

Hi Folks,
maybe I miss a detail :frowning:
We have a test UCS connected to O365 using the UCS connector. But it’s not working as expected:

Here’s what we did and what happens:

  • add a “normal user” to UCS, enable o365
  • go to o365 login page and enter dummy@test.de
  • o365 adds user to Azure AD (with student license)
  • get message: wrong password

So basically two questions: why does o365 reject my password? Checked at UCS and login is possible.
How to assign other licenses than student?
How to define groups in UCS that will be given to o365?

Any idea / hint would be highly appreciated…

thanx,

Mat

Where (on which page) do you get the ‘wrong password’ message?

To enable specific licenses and fine tune which service plans get enabled you can follow this article: https://wiki.univention.de/index.php/Microsoft_Office_365_Connector

You can set the UCR variable office365/groups/sync to yes and restart the univention-directory-listener service to enable group sync. Once a user group is modified it is checked if it should be synced to the Azure AD.

hi,
thanx for the UCR hint - I always forget to check this first :frowning:

At https://login.microsoftonline.com/ I get “account or password is not correct”. Here I use the email address instead of the UCS username (username is something like asb123, email is User Principal Name (ab.12@test.de)).

On O365 login is allowed for this user and licenses are assigned. And when I set a new password at O365 admin center login is possible. Seems O365 is not able to use my UCS to log me in.

Do I misunderstand the scope of this connector?

The key concept for the connector is that the user password does not leave the UCS domain. This has the consequence that we do not sync passwords into the Azure cloud.

Therefore, Single Sign-On has to be used with the Office365 connector. The wizard describes the required steps to configure the Azure AD for Single Sign-On.

thanx for confirmation that I understood O365 connector right…

however, even though I followed the wizard, I can’t log in. Maybe one remark: the laptop / computer is NOT part of the domain and just using the web interface from O365 to log in. Is O365 only working for clients in the domain?

Or do you have an idea where to start debugging? At the end we need a solution that will use UCS for O365 login just like we have for NextCloud too…

thanx in advance

Using the Office365 services is possible from any computer that can access the Office365 website as well as the UCS Single Sign-On login page. The computer does not have to be joined into the UCS domain.

If I understood you correctly, after entering the username at the Microsoft login page, you can also enter your password on that page. The user should get redirected to the UCS Single Sign-On login. If that is not the case, it indicates that the PowerShell script offered by the wizard has not been run or has not run successfully.
Open the setup wizard again, there is a button to get to the page where the configuration of Single Sign-On is described.

any chance to get to this script without going through the whole wizard?

Did you try this? The script can be downloaded on that page.

whooo… that did the trick. Seems I either missed the script or it did not run successfully. However - re-run the script and it’s working like a charm… :slight_smile:

But unfortunately this leads back to another post:

Even though I can solve this by tweaking the apache configs this will not survive an update or ucr commit… any idea to the other post?
