How to fix issue logging into Office Mobile on Android with ADFS 3.0

There have been some issues identified when using the Office Mobile apps on Android devices against ADFS 3.0. They are caused by the fact that the Android apps do not send Server Name Indication (SNI, the TLS extension that lets a server run multiple SSL certificates on a single IP address by telling it which hostname the client wants). ADFS 3.0 binds its certificate to a hostname rather than an IP address, so a client that does not send SNI is never matched to that certificate.

If your ADFS implementation is affected by this issue, you will receive an error message similar to “Could not contact the server.” even though you have a network connection and all of your login settings (email address and password) are correct.

NOTE – The fix outlined below can cause problems when adding or removing proxy servers in an ADFS deployment. Remove the certificate bindings before adding proxy servers to the farm.

How to Fix

Firstly, to ensure that ADFS is working and that your ADFS certificates are correct, browse from your Android mobile device to the following URL for your site and check that no certificate errors appear: https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx
If that page loads without certificate errors, move on to the following steps:
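The browser check above is done by a client that sends SNI, so it can pass even when the Office apps fail. The following PowerShell function is an added example (not part of the original post) that reproduces the condition the apps hit: it opens a TLS connection to the server twice, once with the hostname as the target (SNI sent) and once with the IP literal as the target (no SNI, on the assumption that SChannel, which .NET's SslStream uses on Windows, omits the SNI extension for IP literals), and reports whether each handshake completes and which certificate was presented. The server IP and hostname in the usage line are constructed placeholders.

```powershell
# Added example, not code from the original post.
# Assumption: SChannel sends no SNI extension when the target host is an IP
# literal, so the second probe behaves like a client without SNI support.
function Test-AdfsTlsBinding {
    param(
        [Parameter(Mandatory)][string]$ServerIp,   # IP of the AD FS / WAP server being checked
        [Parameter(Mandatory)][string]$HostName,   # federation service name, e.g. fs.domain.com
        [int]$Port = 443
    )
    # Accept any certificate: we only want to know whether the server presents one.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

    foreach ($target in @($HostName, $ServerIp)) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($ServerIp, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($target)
            [pscustomobject]@{
                TargetHost = $target
                SniSent    = ($target -eq $HostName)
                Handshake  = 'OK'
                Subject    = $ssl.RemoteCertificate.Subject
                Thumbprint = $ssl.RemoteCertificate.GetCertHashString()
            }
        } catch {
            # HTTP.SYS drops the handshake when no binding matches the request.
            [pscustomobject]@{
                TargetHost = $target
                SniSent    = ($target -eq $HostName)
                Handshake  = 'FAILED: ' + $_.Exception.GetBaseException().Message
                Subject    = $null
                Thumbprint = $null
            }
        } finally {
            $client.Close()
        }
    }
}

# Usage (constructed values). A failure only on the SniSent=False row is the
# symptom the Office apps hit; after the fix both rows should show the same thumbprint.
Test-AdfsTlsBinding -ServerIp '203.0.113.10' -HostName 'fs.domain.com' | Format-Table -AutoSize
```

Run it against each proxy server's public IP from outside, and against the internal ADFS servers if devices sign in from the internal network, since each server keeps its own HTTP.SYS bindings.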

1. From an elevated PowerShell window, run the following command:

netsh http show sslcert

This returns output similar to the following:

SSL Certificate bindings:
-------------------------
Hostname:port : fs.domain.com:443
Certificate Hash : b776e5c4ad96ed43cbd332440a6aa0dd9334b01a
Application ID : {5d89a20c-beeb-4329-9447-3246686b944e}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled

Hostname:port : fs.domain.com:49443
Certificate Hash : b776e5c4ad96ed43cbd332440a6aa0dd9334b01a
Application ID : {5d89a20c-beeb-4329-9447-3246686b944e}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled

2. Take note of the Certificate Hash and the Application ID that are returned in the output.

3. Add an IP-based certificate binding. Here’s how the command looks using the example output above:

netsh http Add SSLCert IPPort=0.0.0.0:443 certhash=b776e5c4ad96ed43cbd332440a6aa0dd9334b01a appid={5d89a20c-beeb-4329-9447-3246686b944e}

Note – The above command should be run on all ADFS Proxy servers. If mobile devices will also be used on the internal network, it must be run on the internal ADFS servers as well. Replace 0.0.0.0 with the local IP address of the respective ADFS server or ADFS Proxy / WAP server when running the command.

If the command completes successfully, the shell responds with:

SSL Certificate Added Successfully
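The three steps above can be scripted so that the hash and application ID are read from the existing hostname binding rather than copied by hand, and the result is verified afterwards. The following PowerShell is an added example, not code from the original post; it assumes an elevated session with netsh.exe on the PATH, and the host name and IP in the usage line are constructed placeholders.

```powershell
# Added example, not code from the original post: scripts the netsh steps on one
# AD FS or WAP server. Assumes an elevated session and netsh.exe on the PATH.

function Get-HttpSslBinding {
    # Parse 'netsh http show sslcert' into objects. Each binding is a run of
    # 'Name : Value' lines; bindings are separated by blank lines.
    $records = @()
    $current = [ordered]@{}
    foreach ($line in (& netsh http show sslcert)) {
        if ([string]::IsNullOrWhiteSpace($line)) {
            if ($current.Count -gt 0) { $records += [pscustomobject]$current; $current = [ordered]@{} }
            continue
        }
        # Split on the padded ' : ' separator so field names such as
        # 'Hostname:port' and values such as 'fs.domain.com:443' stay intact.
        $parts = $line -split '\s+:\s+', 2
        if ($parts.Count -eq 2) { $current[$parts[0].Trim()] = $parts[1].Trim() }
    }
    if ($current.Count -gt 0) { $records += [pscustomobject]$current }
    # Drop the header block, which carries no certificate hash.
    $records | Where-Object { $_.'Certificate Hash' }
}

function Add-AdfsIpSslBinding {
    param(
        [Parameter(Mandatory)][string]$HostName,   # federation service name, e.g. fs.domain.com
        [string]$IpAddress = '0.0.0.0',            # per the note above, use the server's own IP
        [int]$Port = 443
    )
    $hostPort = "${HostName}:${Port}"
    $ipPort   = "${IpAddress}:${Port}"

    # Steps 1-2: read the hash and application ID from the existing hostname (SNI) binding.
    $source = Get-HttpSslBinding | Where-Object { $_.'Hostname:port' -eq $hostPort } | Select-Object -First 1
    if (-not $source) { throw "No hostname binding for $hostPort; check the federation service name." }

    if (Get-HttpSslBinding | Where-Object { $_.'IP:port' -eq $ipPort }) {
        Write-Warning "An IP binding for $ipPort already exists; nothing added."
        return
    }

    # Step 3: add the IP-based binding with the same certificate and application ID.
    $netshArgs = @('http', 'add', 'sslcert',
        "ipport=$ipPort",
        "certhash=$($source.'Certificate Hash')",
        "appid=$($source.'Application ID')")
    $output = & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $output" }

    # Verify: the new binding must exist and carry the same thumbprint as the hostname binding.
    $added = Get-HttpSslBinding | Where-Object { $_.'IP:port' -eq $ipPort }
    if (-not $added -or $added.'Certificate Hash' -ne $source.'Certificate Hash') {
        throw "Binding for $ipPort not found after adding, or it uses a different certificate."
    }
    $added
}

# Usage (constructed values): run on each proxy / WAP server, and on the internal
# AD FS servers if devices sign in from the internal network.
# Add-AdfsIpSslBinding -HostName 'fs.domain.com' -IpAddress '10.0.0.5'
```

When the note near the top of this post applies and the binding has to be removed again before proxy servers are added to the farm, the matching command is netsh http delete sslcert ipport=<ip>:443, with the same IP:port value that was added.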