Office 365 applications fail to authenticate with Endpoint Protection Web Security Services Integration enabled
Last Updated March 04, 2019
Windows 8 and newer computers fail to authenticate to a third-party authentication server when the Symantec Endpoint Protection (SEP) client is configured to use Web Security Services (WSS) Traffic Redirection (WTR).
The SEP client's WTR functionality configures the client to send all web traffic on ports 443 and 80 to a local proxy service listening on port 2968. This traffic is then forwarded to the WSS infrastructure.
Microsoft Office uses a Microsoft Store app called Work or school account to authenticate to a third-party identity provider, such as corporate Active Directory Federation Services (ADFS) or a SAML Identity Provider (IDP). Microsoft Store apps (self-contained applications downloaded from the Microsoft Store) run in an AppContainer, and Windows network isolation prevents them from connecting to localhost by default, so the app cannot reach the local WTR proxy on port 2968.
Create an exemption to allow the Work or school account Windows App to connect to localhost.
1. Close any open Office windows and any error messages relating to failed Office 365 authentication.
2. Issue the following command from an elevated command prompt: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.aad.brokerplugin_cw5n1h2txyewy
3. Confirm the application exemption applied correctly. Issue the following command from an elevated command prompt: checknetisolation.exe LoopbackExempt -s
   On a successful attempt, the list of exempted applications will include the following entry:
   Name: microsoft.aad.brokerplugin_cw5n1h2txyewy
   SID: S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272
4. Restart the Office application and confirm you are able to authenticate to your third-party IDP.
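The same procedure as an added PowerShell script (not from the original article): it checks elevation, adds the loopback exemption only if it is missing, and verifies it by parsing the CheckNetIsolation listing, so the exemption stays scoped to the single broker package rather than a blanket loopback allowance. The $Package value is the package name given above; the parsing regex assumes the "Name: <package>" line format CheckNetIsolation prints.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell session.
$Package = 'microsoft.aad.brokerplugin_cw5n1h2txyewy'   # package name from the article

function Test-Elevated {
    # The exemption store is machine-wide, so CheckNetIsolation needs administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LoopbackExemptPackages {
    # Parse the "Name: <package>" lines from "CheckNetIsolation LoopbackExempt -s".
    $output = & CheckNetIsolation.exe LoopbackExempt -s 2>&1
    foreach ($line in $output) {
        if ($line -match '^\s*Name:\s*(\S+)') { $Matches[1] }
    }
}

if (-not (Test-Elevated)) { throw 'Run this script from an elevated PowerShell prompt.' }

if ((Get-LoopbackExemptPackages) -contains $Package) {
    Write-Host "Loopback exemption for $Package is already present; nothing to add."
} else {
    # Exempt only this AppContainer package, so other Store apps keep their loopback restriction.
    & CheckNetIsolation.exe LoopbackExempt -a "-n=$Package" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CheckNetIsolation failed with exit code $LASTEXITCODE" }
}

# Verification step from the article: the package must now be listed as exempt.
if ((Get-LoopbackExemptPackages) -contains $Package) {
    Write-Host "Verified: $Package may connect to localhost (the SEP WTR proxy on port 2968)."
} else {
    throw "Exemption for $Package was not found after adding it."
}

# Rollback if WTR is later disabled and the exemption is no longer needed:
#   CheckNetIsolation.exe LoopbackExempt -d -n=microsoft.aad.brokerplugin_cw5n1h2txyewy
```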