KnowledgeBase: Logging in to the Intune Company Portal App results in an error “Could not sign in” on Android phones with Chrome 56, and up

This morning I read a blog post by John Arnold on the Intune Support TechNet Blog about a strange Intune-related error on Android phones when accessing the Company Portal app.

As it turned out, this is an Active Directory Federation Services (AD FS)-related certificate issue, so I thought I’d share it here as well.


The situation

When you use Microsoft Intune, end users in your organization can use the Intune Android Company Portal app to install apps, check compliance and retire devices, among other things. It's a helpful resource for organizations looking to adopt a Shift Left strategy to lower support costs by enabling end users to solve common IT problems themselves.

In Hybrid Identity implementations, authentication requests to Microsoft Online Services, including those coming from the Company Portal app, can be redirected to the organization's Active Directory Federation Services (AD FS) implementation.

Devices running current versions of Android are configured to update apps automatically, and under the hood the Android Company Portal app hands its sign-in flow to the device's Chrome browser. Whatever Chrome accepts or rejects for the TLS connection to AD FS therefore decides whether the sign-in succeeds.


The issue

When an Android device has (automatically) updated Chrome to version 56 or later, and an end user of an organization that uses Hybrid Identity with Active Directory Federation Services (AD FS) opens the Android Company Portal app, the app shows an error:

Error
Could not sign in. You will need to sign in again. If you see this message again, please contact your IT admin.


After pressing OK, the error persists.
Of course, IT admins get swamped with calls this way.


The cause

The error is caused by the Active Directory Federation Services (AD FS) implementation presenting a service communications certificate that is signed with the SHA-1 hashing algorithm.

Starting with Chrome 56, Google enforces its announced policy of no longer trusting certificates signed with SHA-1. Chrome refuses the TLS connection to the federation service, the Company Portal app never receives a token, and the only thing the end user sees is the generic "Could not sign in" message.


The solution

The service communications certificate for the Active Directory Federation Services (AD FS) implementation needs to be replaced by a certificate that is signed with a SHA-2 hashing algorithm (SHA-256 or stronger).

Note:
Certificates for intermediate Certification Authorities (CAs) and Root Certification Authorities (CAs) may, for now, remain SHA-1 certificates. A root CA certificate is self-signed and its signature is never verified by the client, so its hash algorithm does not matter; for intermediates, check the whole chain against the policies of the browsers your users run rather than only the leaf certificate.

The links below walk you through creating a certificate request for a future-proof AD FS service communications certificate.
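As an added example (not from the original post, nor from John Arnold's blog), the PowerShell below first audits what AD FS actually presents, covering both the cause described above and the replacement described here, and then switches AD FS over to a SHA-2 certificate that has already been imported into the machine store. It assumes AD FS on Windows Server 2012 R2 or later (where Get-AdfsSslCertificate and Set-AdfsSslCertificate exist) and an elevated session on the primary federation server; the function names and the thumbprint placeholder are assumptions of this example.

```powershell
# Added example, not from the original post. Assumes AD FS on Windows Server 2012 R2
# or later (Get-/Set-AdfsSslCertificate do not exist on the older IIS-based AD FS 2.x)
# and an elevated PowerShell session on the primary federation server.
Import-Module ADFS

function Test-AdfsCertificateChain {
    # Reports the hash algorithm of the service communications certificate and of every
    # certificate in its chain. Returns $true when nothing Chrome 56+ would reject is found.
    $svcCert = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
    $ok = $true

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($svcCert)
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        # A root is self-signed; its own signature is never verified, so SHA-1 there is harmless.
        $isRoot = ($c.Subject -eq $c.Issuer)
        $sha1 = $c.SignatureAlgorithm.FriendlyName -like 'sha1*'   # e.g. sha1RSA vs sha256RSA
        $flag = if ($sha1 -and -not $isRoot) { $ok = $false; 'REPLACE' } else { 'ok' }
        '[{0,-7}] {1,-10} {2}  expires {3:yyyy-MM-dd}' -f $flag, $c.SignatureAlgorithm.FriendlyName, $c.Subject, $c.NotAfter
    }

    # Chrome connects to the HTTPS binding, which can drift away from the configured
    # service communications certificate; warn when the two differ.
    foreach ($b in Get-AdfsSslCertificate) {
        if ($b.CertificateHash -ne $svcCert.Thumbprint) {
            Write-Warning ('HTTPS binding {0}:{1} presents {2}, not the service communications certificate {3}' -f `
                $b.HostName, $b.PortNumber, $b.CertificateHash, $svcCert.Thumbprint)
            $ok = $false
        }
    }
    return $ok
}

function Switch-AdfsServiceCertificate {
    # Points AD FS and its HTTPS binding at a replacement certificate that is already
    # imported, with its private key, into Cert:\LocalMachine\My on this server.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $newCert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if ($newCert.SignatureAlgorithm.FriendlyName -like 'sha1*') {
        throw "Refusing $Thumbprint: it is still signed with SHA-1"
    }
    if (-not $newCert.HasPrivateKey) {
        throw "Refusing $Thumbprint: no private key in the machine store"
    }
    if ($newCert.NotAfter -lt (Get-Date).AddDays(30)) {
        throw "Refusing $Thumbprint: it expires on $($newCert.NotAfter)"
    }

    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
    Set-AdfsSslCertificate -Thumbprint $Thumbprint   # HTTPS binding(s) of the federation service
    Restart-Service adfssrv                           # the new service communications cert takes effect after a restart
}

# Usage: audit first; once the SHA-2 replacement is in Cert:\LocalMachine\My, run
#   Switch-AdfsServiceCertificate -Thumbprint '<thumbprint of the new certificate>'
# and audit again.
Test-AdfsCertificateChain
```

Run the audit on every federation server in the farm, not only the primary, and remember that a Web Application Proxy publishing AD FS presents its own copy of the certificate to the Internet-facing clients (where the Android devices usually are), so it needs the same replacement.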


Concluding

It’s time to say goodbye to your SHA-1 certificates.

Further reading

AD FS Certificates Best Practices, Part 1: Hashing Algorithms
AD FS Certificates Best Practices, Part 2: Key size
AD FS Certificates Best Practices, Part 3: CNG-generated Private Keys
AD FS Certificates Best Practices, Part 4: Token Signing and -Decrypting Cert lifetime
