Can't sign in using SSO if ADAL and AD FS used in Skype for Business

Original KB number:   4508931

Symptoms

New users can't sign in to Microsoft Skype for Business 2016 on-premises using the Single Sign-on (SSO) method when Azure Active Directory Authentication Library (ADAL) and Active Directory Federation Services (AD FS) are used.

Existing profiles aren't affected by this issue. New users or users who deleted their profile while trying to sign in receive this error message:

An error occurred.

This issue also occurs on newly imaged computers if no user profile was created.

Cause

This issue occurs because the default authentication method changes to Web Account Manager (WAM) after upgrading to Microsoft Office 2016 version 16.0.7967.0000 or a later version.

Workaround

Add one of the following registry keys:

• Add the EnableWAM key to this subkey:

  HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Lync

  Name: EnableWAM
  Type: DWORD (32 Bit)
  Value: 0x00000000

• Add the EnableWAM key to this subkey:

  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\Lync

  Name: EnableWAM
  Type: DWORD (32 Bit)
  Value: 0x00000000

• Add the DisableADALatopWAM key to this subkey:

  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity

  Name: DisableADALatopWAM
  Type: DWORD (32 Bit)
  Value: 1

  Note

  There's a similar key named DisableADALatopWAMOverride in the same location. This key isn't used by Skype for Business. Use DisableADALatopWAM if you choose this option.

More information

To prevent this issue, use Modern Hybrid Authentication. For more information, see Hybrid modern authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers.