
Please fix the authentication protocols - they just don't work properly

This question is answered

Switching from one account to another, if I sign out and sign back in again, I have to go through the "you are not a member...." nonsense and sign in AGAIN. And still I get the daft "you are not a member..." routine. Is there any way this could be made to work like every other service where "sign out" actually means what it says?

And I'm not looking for an explanation of why it happens, I'm asking to have it fixed so it works the way most people would expect it to work.   

Verified Answer
  • Hi mchv2.0,

    This is Jonis from Microsoft SharePoint Online Support.

    While you are “not looking for an explanation of why it happens”, I can assure you that we are fully aware of how the sign out is functioning in Office 365 and that it is by design. 

    Because your SharePoint Online web sessions are maintained by web browser cookies, the sign-out process for web services forces the session cookies to expire. These session cookies are used to maintain the application session. However, because the web browser is still running, the user still has a valid authentication cookie and is not required to sign in to the resource again. By default, this authentication cookie is valid for eight hours. It is force-cleared only when the user closes the web browser. Therefore, when the web browser tries to reload the application sign-in screen when a user signs out, the session cookie is cleared. However, the web browser is instantly authenticated by the authentication cookie. This authentication signs the user back in to the web application, and a new session cookie is generated.

    The kb2507767 article posted by Robert Li, MSFT Support, provides the appropriate method to clear the Claims Based Authentication Security Assertion Markup Language (SAML) token.  If you do not use that method to clear the security token, it will be valid for its 8-hour lifetime.

    The error message “Your computer isn't authorized to perform this action. Please contact an administrator” sounds like a local UAC or local client administrator permissions issue.

    Correlation ID errors are generally temporary so I suggest that you attempt to navigate to that URL one more time and see if the issue resolves itself.

    If that does not answer your question please let me know as I will continue to monitor this thread for a few days and will reply to any additional posts or questions.

    1 out of 1 people found this post helpful.
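
Added example, not part of the original thread and not Microsoft's code: a small Python model of the two-cookie behaviour the verified answer describes, showing who is signed in when the application reloads after each kind of "sign out". The cookie names `app_session` and `auth_token`, the `Browser` and `Service` classes and the sample user are hypothetical; only the eight-hour lifetime comes from the answer.

```python
from dataclasses import dataclass, field

AUTH_LIFETIME_S = 8 * 3600  # default lifetime stated in the answer above

@dataclass
class Browser:
    """Cookie jar of one running browser process (constructed model)."""
    cookies: dict = field(default_factory=dict)

    def close(self):
        self.cookies.clear()  # closing the browser force-clears the auth cookie

class Service:
    """Toy sign-in service plus web application; cookie names are hypothetical."""
    now = 0  # simulated clock in seconds

    def sign_in(self, browser, user):
        browser.cookies["auth_token"] = (user, self.now + AUTH_LIFETIME_S)
        return self.load_app(browser)

    def load_app(self, browser):
        """Return the signed-in user, or None when credentials must be entered."""
        if "app_session" in browser.cookies:
            return browser.cookies["app_session"]
        user, expires = browser.cookies.get("auth_token", (None, 0))
        if user and expires > self.now:
            browser.cookies["app_session"] = user  # silent re-authentication
            return user
        return None

    def sign_out(self, browser):
        browser.cookies.pop("app_session", None)  # only the session cookie expires

def run_scenarios():
    """Who is signed in when the app reloads after each kind of 'sign out'?"""
    results = {}
    svc, b = Service(), Browser()
    svc.sign_in(b, "alice@example.com")  # constructed sample user
    svc.sign_out(b)
    results["sign_out_only"] = svc.load_app(b)
    svc.sign_out(b)
    svc.now += AUTH_LIFETIME_S  # authentication cookie lifetime elapses
    results["after_lifetime"] = svc.load_app(b)
    svc.sign_in(b, "alice@example.com")
    svc.sign_out(b)
    b.close()
    results["after_browser_close"] = svc.load_app(b)
    return results
```

In this model, signing out alone leaves the previous user signed in on the next page load, which is the case to plan for on shared workstations: the authentication ends only when the browser is closed or the cookie's lifetime runs out.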

All Replies
  • If what you suggest worked, I'd probably say it's a bad idea and isn't something I've ever seen anyone ask for. As it is, it doesn't work the way you describe at all. I was logged into an account and SharePoint Designer and actively using both. I needed to check something in Explorer view so clicked a library "open with explorer" icon and got the error. It doesn't even give you an opportunity to log in again if that's required. There's no way I can find to get it to work other than closing the browser which is ridiculous AND I'm not even sure that works all the time.

    I don't doubt the intentions are good but in real life it's overthought and far more complicated than it needs to be. As I've said before, I think most people expect that when they're signed in they'll have access to everything they're authenticated for and when they sign out, they get signed out. Even if it worked, this concept that you can be signed in but only have access to certain things for a certain time with no indication of what those things or that time is and no clear error messages telling you that, is frankly bizarre.

    You guys know more about this stuff than I and so I don't expect anything to be changed, but I can tell you all the users I'm in contact with are befuddled and often frustrated by log in problems. You've managed to turn something very basic - that's essential to effective cloud operations and should be simple and universally understood - into the most annoying aspect of 365.

  • Hi mchv2.0,

    I appreciate your honest assessment of the current SharePoint Online authentication process.  Because there are others that share your view on this subject, I feel it would be valuable for you to submit a comment using the feedback link located in the lower right hand corner of this thread.  Your comment combined with this thread provides valuable information that should be evaluated in conjunction with future releases of SharePoint Online.

    Microsoft’s main goal with SharePoint Online for Office 365 is continuous innovation to enable collaboration from anywhere, with anyone, on any device.

    I will continue to monitor this thread for a few days and will reply to any additional posts or questions.

  • Interesting to note that authentication doesn't even work for this community!

    If I'm logged in to a 365 account (in this case with a Live id) and attempt to sign into the community I get:

    Sorry, there was a problem with your last request!

    Either the site is offline or an unhandled error occurred. We apologize and have logged the error. Please try your request again or if you know who your site administrator is let them know too.

     

    The only way to get logged in is to clear cache. Is this how things are supposed to work?


  • Hi mchv2.0,

    The procedure that you detailed in your post, I perform multiple times a day.  This commonly happens to me, when I am working with a SharePoint Online tenancy and need to check the SharePoint Online Community Forums.

    When I am logged into SharePoint Online for Office 365 using Internet Explorer, and need to check the SharePoint Online Community forums, this is the process I follow to change to a community forums enabled SharePoint Online user account:

    1)    Logout the current SharePoint Online account and close all browser windows

    2)    Open one browser window, clear the cache, then again close all browser windows

    3)    Login the SharePoint Online user ID that has community forums access

    4)    If login fails repeat step 2

    Another option would be to use an Internet Explorer InPrivate session, as that is independent of the normal IE security token.  To open an IE private session from the browser select Ctrl-Shift-P.  It is still recommended that you close all private session browser windows, if you switch to another SharePoint Online user ID.

    If that does not solve your question please let me know as I will continue to monitor this thread for any additional posts or questions.

  • Jonis,

    I think 99% of people would agree that's an absurd process. It isn't required by any other online service I've ever used. Clearing the cache just to switch ids?

    And your experience doesn't match mine which is all the more disturbing. Just to be clear I only get the error message I posted above if I'm already logged in to a 365 account with a Live id. If I'm logged in with a MOS id that doesn't have a community account, it asks me to set one up but allows me to sign in with another id.  That is reasonable. 

    So I guess there's a bug somewhere in the different way community authentication handles Live and MOS ids. The error message above is silly because it tells you there's a system problem but gives no indication of what the problem is or how to fix it. And having to clear your cache just to log in is well, ridiculous.

  • Hi mchv2.0,

    While the authentication issues may vary between our posts, the resolution is still to clear the cache and the cookies.

    When I researched the error message you posted, I found numerous non-Microsoft links detailing this error in conjunction with Firefox and their community forums sites.  Because these articles are from various companies and corporations, the issue is with the internet browser and community forums authentication.  While SharePoint Online and the SharePoint Online community forums have similar authentication protocols and SharePoint Online has a role in this issue, this is a community forums authentication error.

    Because I am not able to confirm the information provided by the external sourced articles I reviewed, I have not included those links in this post.  To review those links, I recommend that you perform a Bing search for: ‘Either the site is offline or an unhandled error occurred Firefox’.

    It is important to note that the common resolution is to clear the cache and the cookies.

    I will continue to monitor this thread for a few days and will reply to any additional posts or questions.

  • It has nothing to do with the browser but I agree it is related to community forums and the way 365 authentication works. We had the same issue with the OLSB forum but at least there you could close the forum window and log in with another id. That doesn't work with 365. Once again, I've only experienced this with MSFT ids and forums, so somehow other people have figured out a better way to do it. That's all I'm asking for as having to clear cache just because I'm logged in with another 365 associated Live id isn't realistic at all. 
  • Hi mchv2.0,

    SharePoint Online for Office 365 was designed with strong two-factor authentication to improve security by requiring users to meet two authentication criteria, a user name/password and a service security token.  The design provides a high degree of security, continuity, privacy, and adherence to compliance policies and controls.

    It is likely that the stringent standards established by the Microsoft Risk Management program for Office 365 are not “required by any other online service” that you have ever used.

    If you have not done so already, submit a comment using the feedback link located in the lower right hand corner of this thread.  Your comment combined with this thread will provide valuable authentication recommendations in conjunction with future releases of SharePoint Online.

    I will continue to monitor this thread and will reply to any additional posts or questions.

  • As I said before: "I don't doubt the intentions are good" but you have to balance security and usability. A highly secure system that no one wants to use doesn't do any of us any good. And how do we explain the varying experiences and lack of consistency reported by users (including yourself)?  Surely a buttoned down, secure system would act the same for everyone? My feeling is we're paying a high price in terms of usability for questionable - or at best, inconsistent - security.
  • Here we go again - a new twist. Trying the member log in link on a website, I am now only presented with the "MSFT ACCOUNT" log in. I'm told my MOS id "isn't a MSFT account". I tried office365.com... same thing. In order to log back in I had to clear cache. So now I have to stop what I'm doing to futz around just to get logged into a service I'm expected to pay for? This is how Office 365 "enhances my productivity"? Would it be so hard to offer the option of logging in with an MOS id? If MSFT insists on having 2 separate authentication systems, is it too much to ask that the user isn't penalized for that dumb idea?

    If this is how it's going to be, I and untold numbers of other people, will be forced to abandon all MSFT products. No one in their right mind would put up with this.

  • This issue makes me remember a car that I used to own. It was voted the most secure car in the world, great anti-theft system, in fact it was so, so good that not only could the thief not open it, but I was locked out several times (and even better, some owners were locked inside their own cars lol)...

    Microsoft, you could do so much better, every time you try to look to the side and hope that goes away you lose clients...

  • Hi mchv2.0,

    SharePoint Online authentication can require customers to clear the cache when they change between Microsoft Online Services ID’s.  For me this is a normal process within the scope of Microsoft Online Hosted Services and life in the Office 365 cloud.  It is important to note that the clear cache process is generally not required for users with only one Microsoft Online Services ID and a dedicated workstation.

    I understand your desire for a blend of enhanced productivity and security in future releases of SharePoint Online, however, the authentication mechanism must still provide a high degree of security, continuity, privacy, and adherence to compliance policies and controls.

    I would like to note that SharePoint Online authentication does vary by plan, for example, some Enterprise customers deploy single sign-on by integrating Office 365 identity federation and Active Directory Federation Services (ADFS).

    I will continue to monitor this thread and will reply to any additional posts or questions.

  • For me this is a normal process within the scope of Microsoft Online Hosted Services and life in the Office 365 cloud.

     

    It may be for you but not for the average person trying to run a business. For them, if accessing "life in the O365 cloud" requires all these daft workarounds, they'll seek the cloud elsewhere.

    You've highlighted the essential problem: you think making adjustments like clearing cache is normal presumably because you're used to dealing with MSFT products. I doubt consumers will put up with the frustration and confusion the bizarre authentication system causes for long. Especially not when they see they can set up several Google Drive accounts in about 3 minutes (for free), log in and out seamlessly and have everything synched across their devices. In this day and age if people have to figure out how to use a product, they don't want it, I'm afraid.

  • I totally agree.

  • Today I got locked out of the community again. When I tried to post or log in I got this:

    Sorry, there was a problem with your last request!

    Either the site is offline or an unhandled error occurred. We apologize and have logged the error. Please try your request again or if you know who your site administrator is let them know too.

     

    The exact scenario was:

    I was logged into a 365 account with the same credentials as the community using Firefox.

    I was logged into another account with different credentials in IE

    I logged out of that account and logged into a 3rd O365 account with a 3rd set of credentials different from the other 2 (and only in IE). That id was an MOS id not a Live id.

    Immediately got the above error when trying to post here

    This time clearing cache didn't work. I logged out of all accounts and cleared cache in both browsers. Still couldn't log into the community though I could access it. 

    Opened new window in Firefox without doing anything else and was then able to log in.

    Does this make any sense to anyone? It's really getting old and the lack of any attempt to fix it is incredibly frustrating.

     

     