Issue: Citrix App Office 365 Activation Issue on Windows Server 2019


Issue and Background

As we move Citrix Virtual Apps and Desktops\Service (CVAD\S) workloads to Windows Server 2019, we notice quite a few outcomes that are “different” and (who would think) do not work in this OS. One of the interesting gotchas discovered is unexpected behavior of Microsoft 365 Apps for Enterprise (formerly Office 365 ProPlus) during the activation process: if the Office app is launched as a published app, activation is impossible. Interestingly, this issue affects Microsoft’s own RDS implementations as well.

To summarize:

  • OS: Windows Server 2019 (any edition, latest updates).
  • Microsoft 365 Apps for Enterprise activation is failing when a published app (e.g., Word) is launched.
  • Activation works with no issues if done in the published desktop.
  • Affects Microsoft 365 native authentication as well as third parties such as Okta.
  • Office 2016 and older builds of Office 365 activate with no issues.
  • This does not affect Windows 10 OS.

So, what is happening here: the newest Office on the newest server OS cannot activate even using Microsoft’s native activation process?

The issue lies in the authentication process. For older builds such as Office 2016, Microsoft used authentication based on the Azure Active Directory Authentication Library (ADAL) framework. Modern builds of Office instead use Web Account Manager (WAM) for the sign-in workflows involved in activation. Surprisingly, there is a bug in Windows Server 2019 that breaks the WAM process for published apps. It has been a known issue, with the status “Microsoft is working on fixing it”, since June 2020.

Here is what should be expected when launching Microsoft Word for the first time (native MS and Okta):

[Screenshot: Authentication Experience with Microsoft as IdP]

[Screenshot: Authentication Experience with Okta as IdP]

Trying to activate a seamless published Microsoft Word app will result in an email prompt followed by a complete “freeze” of your Word app.

Citrix has released an official CTX article for this issue. However, it only includes half of the workaround and does not provide sufficient details.

Resolution

To date, the only available fix is a workaround that suppresses Web Account Manager (WAM) and reverts Office 365 back to Azure Active Directory Authentication Library (ADAL). This is a per-user fix and requires adding the following registry values:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableADALatopWAMOverride"=dword:00000001
"DisableAADWAM"=dword:00000001

The above can be accomplished using Group Policy Preference (in a GPO):

[Screenshot: Fixing Office 365 activation on Windows Server 2019 GPO GPP]

Or even better with Citrix WEM:

[Screenshot: Fixing Office 365 activation on Windows Server 2019 via Citrix WEM]
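
The same two values can also be delivered by a per-user logon script. The PowerShell below is an added example, not part of the original article or of the Citrix CTX article; it applies the values only on Windows Server 2019, reports the resulting state, and can remove the values again. The -Remove switch, the variable names and the report fields are assumptions made for illustration.

```powershell
# Added example (not from the original article). Run in the user's context,
# e.g. as a logon script, because the values live under HKEY_CURRENT_USER.
[CmdletBinding()]
param(
    [switch]$Remove   # hypothetical switch: roll the workaround back
)

$IdentityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$ValueNames  = 'DisableADALatopWAMOverride', 'DisableAADWAM'   # names from the article

# Windows Server 2019 is build 17763. Windows 10 1809 shares that build number
# but is not affected, so workstations (ProductType 1) are excluded.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer2019 = ($os.ProductType -ne 1) -and ($os.BuildNumber -eq '17763')

if ($Remove) {
    foreach ($name in $ValueNames) {
        Remove-ItemProperty -Path $IdentityKey -Name $name -ErrorAction SilentlyContinue
    }
}
elseif ($isServer2019) {
    if (-not (Test-Path -Path $IdentityKey)) {
        New-Item -Path $IdentityKey -Force | Out-Null
    }
    foreach ($name in $ValueNames) {
        # -Force overwrites an existing value, so repeated logons are harmless.
        New-ItemProperty -Path $IdentityKey -Name $name `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Emit one record per value so the state can be logged or inventoried.
$current = Get-ItemProperty -Path $IdentityKey -ErrorAction SilentlyContinue
foreach ($name in $ValueNames) {
    $isSet = $current -and $current.PSObject.Properties[$name]
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        User         = "$env:USERDOMAIN\$env:USERNAME"
        IsServer2019 = $isServer2019
        ValueName    = $name
        Data         = if ($isSet) { $current.$name } else { $null }
    }
}
```

Keeping the removal path in the same script makes it straightforward to return users to WAM sign-in once the Windows Server 2019 bug is fixed.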

These tips will save significant time during the deployment of Office on Windows Server 2019.

3 Comments
Marcus N.
2 years ago

This!
Needed that article a few hundred hours earlier, but it did the trick!

I’m so glad and thankful!

Merry Christmas!

Stephan
2 years ago

Thanks! That solved our problem with Outlook not authenticating and asking for a password without prompting the authentication windows on Server 2019. Do you know if the bug is being fixed soon? ADAL will be EOL this year, right?
