
We have code that logs in to SharePoint Online using https://login.microsoftonline.com/extSTS.srf or https://login.microsoftonline.com/RST2.srf, but recently we started to get an authentication failure saying "Incorrect Username or Password", and after some retries it returns:

"0x80048823 message : AADSTS70002: Error validating credentials. AADSTS50053: You've tried to sign in too many times with an incorrect user ID or password."

Logging in through the browser with the same username and password works fine; neither the password nor the username was changed, and the code didn't change either. The same code works fine for other SharePoint tenants. It seems that something changed on the Microsoft login servers so that they stopped accepting user credentials, while web browser login works fine.

Please advise.

Thanks

SlavaG
  • I'm researching the same thing, it started on 8/1/2018 for us with no known changes on our end. – LAROmega Aug 10 '18 at 13:10
  • Hope MS guys reading this :) – SlavaG Aug 10 '18 at 20:01
  • Seems that Microsoft broke something in their authentication servers, as more and more sharepoint tenants are getting this error, and there's no one to talk with. – SlavaG Aug 14 '18 at 21:33
  • Well, thanks to the MS support team, they sent me a link: https://github.com/s-KaiNet/node-sp-auth that explains how authentication needs to be done in the case of ADFS, where the 365 / SharePoint tenant has defined its own STS server. So some adjustment needs to be done; there's a different flow. But this was definitely working 3 weeks ago, so it seems that MS disabled, on purpose or by a bug, the single authentication for Managed (Online) and Federated (ADFS) authentication. But it seems that we found a solution, thanks to the MS support team. – SlavaG Aug 17 '18 at 20:48
  • Thanks @Slavag. Any solution is good news at this point. We've been bouncing around support teams here. – LAROmega Aug 17 '18 at 21:34
  • A point of clarification, did you need to switch from SAML to ADFS to get this working again? – LAROmega Aug 20 '18 at 17:07
  • It's still SAML, but you have to make an additional call to the ADFS identity provider and get a SAML assertion; once you have it, the rest is the same. – SlavaG Aug 20 '18 at 21:05

2 Answers

1

Microsoft Rep has helped me get this far.

They had us create a "Cloud Only" user. This user was set up as "@", so if your name is bill and your corporate SharePoint site name is FakeCompany.sharepoint.com, then you would have the person as "bill@FakeCompany.onmicrosoft.com".

This user was able to login to https://login.microsoftonline.com/extSTS.srf by just passing username and password.

Our on-prem AD users are still having issues; I mentioned this and got the following response.

There is no issue with sync as you are able to login to portal using the same account and password. The solution you need is documented in https://learn.microsoft.com/en-gb/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal#enable-direct-authentication-for-legacy-applications

You need to create a home realm discovery (HRD) policy where "AllowCloudPasswordValidation":true.

We have not yet implemented the last solution, but creating a cloud account may help some of you.

0

So I think I understand what they are trying to say. There are 2 paths that you are able to authenticate with according to the node-sp-auth example.

"Managed" and "Federated"

"Managed" was the easier version and allowed for you to be able to just provide username and credentials in a soap assertion to login.

Federated is a lot more complicated. You need to first perform a post to Microsoft to validate the user hitting your adfs server. https://adfs.XXXXXXX.com/adfs/services/trust/13/usernamemixed

Then you take the saml:Assertion from that response and put it into the "Token" section of the call you make to https://login.microsoftonline.com/extSTS.srf utilizing the templates from the node-sp-auth.

I have C# code that performs all these steps but I am getting an error AADSTS70002: Error validating credentials. AADSTS50008: SAML token is invalid. AADSTS50006: Invalid signature. Signature verification failed.

Even though the signature is being generated by Microsoft in their SAML.

The node-sp-auth code reference is the OnlineUserCredential.ts file.

If someone can figure out the last mile I can post a comprehensive C# solution.

  • One case in between: it can be federated, but works only as managed. We saw this too. Maybe it's your case. – SlavaG Aug 22 '18 at 21:04
  • As part of the code you do a "Realm" check, and mine comes back "Federated". I have also tried the managed path but get the issues originally stated above. – Michael Goellner Aug 23 '18 at 15:46
  • I think it's a bit different template that you need to use, you can find it in https://github.com/s-KaiNet/node-sp-auth. – SlavaG Aug 23 '18 at 19:25
  • Once Federated didn't end up working I also coded the "Managed" process as part of "OnlineUserCredentials.ts" in C# and tried posting that as well. I still get the same error that is noted above. AADSTS70002: Error validating credentials. AADSTS50053: You've tried to sign in too many times with an incorrect user ID or password. – Michael Goellner Aug 27 '18 at 15:35
  • I also have this question posted on technet with a lot more information. https://social.technet.microsoft.com/Forums/en-US/1f1496a4-54a2-4f3b-9c19-eacb280d057c/microsoft-api-not-validating-credentials-to-get-a-token-to-pass-to-sharepoint?forum=onlineservicessharepoint – Michael Goellner Aug 27 '18 at 15:37
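The two answers above describe three client-side decisions: the realm check that picks "Managed" versus "Federated", lifting the signed saml:Assertion out of the ADFS usernamemixed response so it can be placed into the extSTS.srf request, and reading the AADSTS codes in the fault that extSTS.srf returns (the lockout code 50053 from the question, the 50008/50006 signature failure from the second answer). The block below is an added example, not code from the question, either answer, or node-sp-auth. It runs offline against constructed sample responses: the JSON field names of GetUserRealm.srf and the psf fault namespace are assumed from the public endpoints, deriving the usernamemixed URL from the AuthURL host is an assumption, and every hostname, ID and signature value is a placeholder.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# 1. Realm discovery. Field names (NameSpaceType, AuthURL) are assumed from
#    the GetUserRealm.srf endpoint; the values are constructed samples.
SAMPLE_REALM_FEDERATED = json.dumps({
    "Login": "bill@fakecompany.example",
    "NameSpaceType": "Federated",
    "AuthURL": "https://adfs.fakecompany.example/adfs/ls/?wa=wsignin1.0",
})
SAMPLE_REALM_MANAGED = json.dumps({
    "Login": "bill@fakecompany.onmicrosoft.com",
    "NameSpaceType": "Managed",
})


def classify_realm(realm_json: str):
    """Return ("managed", None) or ("federated", <usernamemixed URL>).

    The /adfs/services/trust/13/usernamemixed path is the one quoted in the
    second answer; building it from the AuthURL host is this example's
    assumption, not documented behaviour."""
    realm = json.loads(realm_json)
    kind = realm.get("NameSpaceType", "")
    if kind == "Managed":
        return "managed", None
    if kind == "Federated":
        host = urlparse(realm["AuthURL"]).netloc
        return "federated", f"https://{host}/adfs/services/trust/13/usernamemixed"
    raise ValueError(f"unexpected NameSpaceType {kind!r}")


# 2. Pulling the signed saml:Assertion out of the ADFS RSTR. Constructed
#    sample; the SignatureValue is a placeholder, not a real signature.
SAMPLE_ADFS_RSTR = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
    '<trust:RequestSecurityTokenResponseCollection '
    'xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">'
    '<trust:RequestSecurityTokenResponse><trust:RequestedSecurityToken>'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_placeholder-id" '
    'Issuer="http://adfs.fakecompany.example/adfs/services/trust">'
    '<saml:AuthenticationStatement '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '</saml:Assertion>'
    '</trust:RequestedSecurityToken></trust:RequestSecurityTokenResponse>'
    '</trust:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>'
)

ASSERTION_RE = re.compile(r"<saml:Assertion\b.*?</saml:Assertion>", re.S)


def extract_assertion(rstr_xml: str) -> str:
    """Return the signed assertion byte-for-byte as ADFS sent it.

    A regex instead of an XML parser is deliberate: the XML-DSig covers the
    canonical form of the element, so a parse/serialize round trip that
    renames prefixes or reorders attributes produces a token whose signature
    no longer verifies (the AADSTS50006 outcome in the second answer)."""
    m = ASSERTION_RE.search(rstr_xml)
    if not m:
        raise ValueError("no saml:Assertion in ADFS response")
    return m.group(0)


def roundtrip_changes_bytes(assertion_xml: str) -> bool:
    """Demonstrate the hazard: ElementTree rewrites saml:/ds: to ns0:/ns1:."""
    reserialized = ET.tostring(ET.fromstring(assertion_xml), encoding="unicode")
    return reserialized != assertion_xml


# 3. Reading the fault extSTS.srf returns. Constructed envelope; the psf
#    namespace is assumed, the AADSTS text is the one quoted in the question.
PSF_NS = "http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"
SAMPLE_FAULT = (
    '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" '
    f'xmlns:psf="{PSF_NS}">'
    '<S:Body><S:Fault><S:Code><S:Value>S:Sender</S:Value></S:Code>'
    '<S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason>'
    '<S:Detail><psf:error><psf:value>0x80048823</psf:value>'
    "<psf:text>AADSTS70002: Error validating credentials. AADSTS50053: You've "
    "tried to sign in too many times with an incorrect user ID or password."
    '</psf:text></psf:error></S:Detail></S:Fault></S:Body></S:Envelope>'
)

AADSTS_RE = re.compile(r"AADSTS(\d+)")


def aadsts_codes(fault_xml: str) -> list:
    """Collect every AADSTS code mentioned in the fault's psf:text elements."""
    root = ET.fromstring(fault_xml)
    texts = [el.text or "" for el in root.iter(f"{{{PSF_NS}}}text")]
    return AADSTS_RE.findall(" ".join(texts))


# Only the codes that appear in this thread. 50053 is the lockout: a retry
# loop that keeps resubmitting the same credentials is what produces it.
STOP_CODES = {
    "50053": "locked out: stop retrying and verify the credentials out of band",
    "50008": "SAML token rejected: fix the token, retrying will not help",
    "50006": "signature verification failed: assertion bytes were altered",
}


def next_action(fault_xml: str) -> str:
    """Map the fault to a client decision; unknown codes get one bounded retry."""
    for code in aadsts_codes(fault_xml):
        if code in STOP_CODES:
            return STOP_CODES[code]
    return "transient or unknown failure: one bounded retry with backoff"
```

The point of `roundtrip_changes_bytes` is the caveat for the second answer's "Invalid signature" error: if the C# path deserializes the ADFS response into an XML DOM and re-serializes the assertion into the extSTS.srf template, the bytes under the signature change even though the content looks identical. Copying the raw substring, as node-sp-auth's templates effectively do, keeps the signature intact. On the question's side, `next_action` stops the loop on 50053 rather than extending the lockout with further attempts.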