This morning I read a blog post by John Arnold on the Intune Support TechNet Blog about a strange Intune-related error on Android phones when opening the Company Portal app.
As it turns out, this is an Active Directory Federation Services (AD FS) certificate issue, so I thought I'd share it here as well.
When you use Microsoft Intune, end users in your organization can use the Intune Android Company Portal app to install apps, check compliance and retire devices, among other things. It's a helpful resource for organizations looking to adopt a Shift Left strategy: lowering support cost by enabling end users to solve common IT problems themselves.
In Hybrid Identity implementations, all authentication requests to Microsoft Online Services, including those from the Company Portal and other apps, can be redirected to the organization's on-premises Active Directory Federation Services (AD FS) implementation.
Devices running current versions of Android are configured to update apps automatically. Under the hood, the Android Company Portal app leverages the device's built-in Chrome browser for the sign-in flow.
When an Android device has (automatically) updated Chrome to version 56 or later, and an end user in an organization that leverages Hybrid Identity with Active Directory Federation Services (AD FS) opens the Android Company Portal app, the app shows this error:
Could not sign in. You will need to sign in again. If you see this message again, please contact your IT admin.
After pressing OK, the error persists.
IT admins, of course, get swamped with calls this way.
The error is caused by the Active Directory Federation Services (AD FS) implementation using a service communications (SSL) certificate signed with the SHA-1 hashing algorithm.
Starting with Chrome 56, Google enforces its long-announced policy of no longer accepting certificates signed with SHA-1. Because the Company Portal app relies on Chrome for sign-in, it inherits that behavior, and the generic "Could not sign in" message is all the end user gets to see.
The service communications certificate for the Active Directory Federation Services (AD FS) implementation needs to be replaced by a certificate signed with a SHA-2 family algorithm, typically SHA-256.
Root Certification Authority (CA) certificates are trust anchors whose self-signature clients never verify, so they can remain SHA-1. Intermediate CA certificates may, for now, remain SHA-1 as well, but they should be on the same replacement schedule as the service communications certificate, so that the entire chain below the root ends up on SHA-2.
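Before replacing anything, it helps to know exactly which certificate in the chain Chrome is objecting to. The following PowerShell is an added example, not code from the original post or from Microsoft: it reports the signature algorithm of the AD FS service communications certificate on the AD FS server itself, and, from any Windows machine, of every certificate in the chain a TLS client such as Chrome on Android receives. The host name adfs.example.com is a placeholder assumption. SHA-1 on the root is deliberately not flagged, since clients do not validate a trust anchor's self-signature.

```powershell
# Added example, not part of the original post: report which certificates in the
# AD FS chain are still signed with SHA-1, locally (on the AD FS server) and remotely
# (as a TLS client such as Chrome on Android sees it).
# Assumption: 'adfs.example.com' is a placeholder for your federation service name.

$AdfsHostName = 'adfs.example.com'

# Signature-algorithm OIDs that use SHA-1: sha1RSA, sha1DSA, sha1ECDSA.
$Sha1SignatureOids = @('1.2.840.113549.1.1.5', '1.2.840.10040.4.3', '1.2.840.10045.4.1')

function Test-Sha1Signature {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $Sha1SignatureOids -contains $Certificate.SignatureAlgorithm.Value
}

function Get-AdfsServiceCommunicationsCertificateReport {
    # Run this on an AD FS server; the ADFS module ships with the role.
    Import-Module ADFS -ErrorAction Stop
    Get-AdfsCertificate -CertificateType Service-Communications | ForEach-Object {
        $cert = $_.Certificate
        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
            IsSha1             = Test-Sha1Signature -Certificate $cert
            NotAfter           = $cert.NotAfter
        }
    }
}

function Get-RemoteTlsChainReport {
    # Run this from any Windows machine that can reach the federation service over HTTPS.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # The validation callback returns $true so we can inspect even a certificate Chrome
        # would reject; this script only reports on the certificate, it trusts it for nothing.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Build the chain against the local trust store; revocation is irrelevant for this check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($leaf)

    $elements = @($chain.ChainElements)
    for ($i = 0; $i -lt $elements.Count; $i++) {
        $c = $elements[$i].Certificate
        $isRoot = ($i -eq $elements.Count - 1) -and ($c.Subject -eq $c.Issuer)
        if ($i -eq 0) { $position = 'Leaf (service communications)' }
        elseif ($isRoot) { $position = 'Root CA' }
        else { $position = 'Intermediate CA' }
        [pscustomobject]@{
            Position           = $position
            Subject            = $c.Subject
            SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName
            # A root's self-signature is never validated by clients, so SHA-1 on the root is harmless.
            MustReplace        = (Test-Sha1Signature -Certificate $c) -and -not $isRoot
        }
    }
}

Get-RemoteTlsChainReport -HostName $AdfsHostName | Format-Table -AutoSize
```

Run Get-AdfsServiceCommunicationsCertificateReport on the federation servers and Get-RemoteTlsChainReport from the outside; if the two disagree, a Web Application Proxy or load balancer in front of AD FS is presenting its own certificate, and that is the one to replace first.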
The links below walk you through creating a certificate request for a future-proof AD FS service communications certificate.
It’s time to say goodbye to your SHA-1 certificates.
AD FS Certificates Best Practices, Part 1: Hashing Algorithms
AD FS Certificates Best Practices, Part 2: Key size
AD FS Certificates Best Practices, Part 3: CNG-generated Private Keys
AD FS Certificates Best Practices, Part 4: Token Signing and -Decrypting Cert lifetime
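Putting the recommendations from those four parts together, here is an added PowerShell example (not from the original post or from Microsoft) that writes a certreq INF file and generates a request for a replacement service communications certificate: 2048-bit RSA key in the Microsoft Software Key Storage Provider (a CNG key), SHA-256 on the request, and Subject Alternative Names for the federation service name and the device registration name. The host names and file paths are assumed placeholders. One caveat the INF does not make obvious: HashAlgorithm only signs the request itself; the signature algorithm of the issued certificate is decided by the issuing CA, so the CA must also be signing with SHA-256.

```powershell
# Added example, not part of the original post: build a certreq INF and a PKCS#10 request
# for a SHA-2-era AD FS service communications certificate.
# Assumptions: 'adfs.example.com' and 'enterpriseregistration.example.com' are placeholder
# names; the INF and request are written to %TEMP%.

$FederationServiceName = 'adfs.example.com'
$ExtraDnsNames         = @('enterpriseregistration.example.com')   # needed for Workplace Join / device registration
$InfPath = Join-Path $env:TEMP 'adfs-ssl.inf'
$CsrPath = Join-Path $env:TEMP 'adfs-ssl.req'

# SAN entries in certreq INF syntax: one _continue_ line per name, each terminated with '&'.
$sanLines = (@($FederationServiceName) + $ExtraDnsNames) |
    ForEach-Object { "_continue_ = `"dns=$_&`"" }

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$FederationServiceName"
KeyAlgorithm = RSA
KeyLength = 2048
; Signs the request only; the issued certificate's hash is chosen by the CA.
HashAlgorithm = sha256
; A KSP (CNG) rather than a legacy CSP, so the key is usable by AD FS on Windows Server 2012 R2 and later.
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
; Exportable so the same certificate can be installed on every farm member and proxy.
Exportable = TRUE
RequestType = PKCS10
; Digital Signature + Key Encipherment
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

Set-Content -Path $InfPath -Value $inf -Encoding ASCII
certreq.exe -new $InfPath $CsrPath
Write-Host "Request written to $CsrPath; submit it to a CA that signs with SHA-256."
```

If the issuing CA is an Active Directory Certificate Services CA whose key lives in a KSP, `certutil -setreg ca\csp\CNGHashAlgorithm SHA256` followed by a restart of the certsvc service makes it sign with SHA-256; a CA whose key is still in a legacy CSP has to be migrated to a KSP first. Once the issued certificate is installed in the computer store on every federation server, `Set-AdfsSslCertificate -Thumbprint <thumbprint>` and `Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint <thumbprint>` switch AD FS over, and Web Application Proxy servers need the same certificate via `Set-WebApplicationProxySslCertificate`.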