Help GPO proxy setting users cannot get to email, teams or onedrive. I am totally stumped on this one


Denes, Laszlo

Jun 14, 2024, 1:32:43 PM
to ntsys...@googlegroups.com, Denes, Laszlo

Hello everyone, I would greatly appreciate some insights and thoughts.

Here's the background story. We have one GPO that applies to all computers and one GPO that applies to all users. We have one proxy appliance and we have set up, through the user configuration GPO, three registry settings to point to the proxy. Everything worked perfectly in terms of applications etc. using this system, but we had issues getting to the Microsoft MFA authentication pages, and simply adding all the entries that are required, see below, was not sufficient. We have a mixture of F3 users that go directly to the web for Outlook, OneDrive, Teams, SharePoint etc. and the E3 users that have the application Outlook 365 installed on their systems and use that. We tested access to the MFA sites by creating a copy of the domain user policy and trying different settings in a separate test OU. Eventually we started using the Internet settings (see below) rather than registry settings and added all the MS required sites, and it worked perfectly: when the users launched the Cisco VPN the MFA option would come up and they would use their authenticator or text message to log in. The list of exceptions (proxy override) in the new way we're doing it is the same as it was when we did the registry settings, plus we added the extra sites for Microsoft as shown below. The only thing I neglected to test, which in retrospect seems silly now, but at the time it didn't occur to me that there would be an impact since we were not changing anything related to that, was Outlook the application using the new proxy exception settings and the new way of doing it.

The only thing that was done yesterday was to take the original user GPO and disable the three registry proxy settings and add the entries under the control panel Internet settings, shown below, and run GP update and that is when all hell broke loose. Suddenly users who had logged off and logged back on to get the new GPO have their outlook clients telling us that it was unable to connect to the exchange, as well as their teams appeared to be signed out and OneDrive was no longer syncing. Simply adding back the credentials was not sufficient and did nothing. All the users are in the same OU and got the same GPO. Some users were able to log out and log back in and it seemed to work again but other users nothing fixed the issue.

 

I have tried everything that I can think of to mitigate this problem for about two dozen users but really nothing worked. I have double checked that the GPO is applying and that the correct one is applying with the right settings and it is true and if I switch gpo's, I created an empty one just to validate that it's applying then that is true as well and they all apply. I've checked the sysvol replication on the two domain controllers to make sure that they are set up with the same GPO settings and that is also true.

 

Reverting back to the previous settings by re-enabling the three registry items for the proxy and deleting the settings I added under the Internet settings did absolutely nothing (my expectation was it would remove anything that was causing the issue and just go back to status quo). Although the GPO applied with the correct settings (Internet Settings option was removed and 3 registry items enabled again as it was before) and I can clearly see through GP result and RSOP that the settings are correct again, the users cannot connect using the Outlook application (Outlook does not launch at all, stuck at load profile, or cannot connect). It applies to OneDrive and Teams as well, and these three symptoms are always appearing at the same time.

The users are all on the same network and no other changes were made in our environment, and I've confirmed this with all of my colleagues, and that includes the proxy appliance itself. We rebooted the proxy appliance several times and it made no difference, and I didn't think it would, but we tried anyway. I've tried to reset my Internet connection with netsh winsock, as I read about that on the sites, but that did nothing either. Rebooting the machines also didn't work for the majority of the users, although we had some users with exactly the same symptoms for whom that seemed to work. The only thing that finally helped, and I have replicated this as a successful Band-Aid fix, was to completely delete the local user profile from the computer and then log in and allow the profile to rebuild itself and then sync OneDrive and Outlook again. I can confirm that all of the original settings that have been restored to the original GPO are being picked up properly and all the applications immediately work as before once the profile is rebuilt. Obviously I don't want to do this on 40 or 50 systems.

I can only surmise that something somewhere in the local profile is holding onto a setting that does not get overwritten even though the GPO with the original settings applies properly. However, I haven't got a clue what else to look at at this point. Any help is greatly appreciated. At some point we will have to try this MFA again, and the next time I will be sure to test the Outlook application, OneDrive and Teams once we've made the change, but right now I need to mitigate this issue for all of those users. Has anyone ever come across anything like this? Users that are F3 and go directly to Outlook, Teams and OneDrive on Microsoft 365 have no issues whatsoever, and going directly to the web version of these applications, even for users that are having issues with the clients, works seamlessly. Help help help

Many thanks in advance for your time.

 

Regards,

 

Laszlo

 

Laszlo Denes

Technical Analyst Servers

Information Systems

The Salvation Army Toronto Grace Health Centre

650 Church Street, Toronto, ON M4Y 2G5

t: 416-925-2251 ext. 214

f: 416-925-3211

lde...@torontograce.org

www.torontograce.org

 

  

 

Exceptional and compassionate care for all.

 

Denes, Laszlo

Jun 14, 2024, 1:33:01 PM
to ntsys...@googlegroups.com

Addendum

I moved a user with the issue into an OU that has no GPO and verified that none of the user (status quo as per GPO that applies) GPO settings are applied for that user. However, oddly enough the proxy settings were still there so it must be getting it from somewhere. Any idea where those settings are for a user in the registry?

Denes, Laszlo

Jun 14, 2024, 1:33:18 PM
to ntsys...@googlegroups.com, Denes, Laszlo

1 more final update. I checked the registry setting under the current user soft ms windows current internet settings

After I moved them to the OU with no GPO (that removed all other former GPO items) and there were no registry settings for proxy in the registry BUT they still showed up under Internet Options and I cannot figure out where it came from since no GPO was applied at that point and no settings in registry.

When I delete the user profile (account still in no GPO OU) everything worked again once they signed in and we reconnected outlook, onedrive, teams and there were no proxy settings anymore under internet options or any of the browsers… I then moved the account back into the OU with the GPO (same as before) and everything continued to work for the applications but also the proxy settings were there again using the values of the 3 registry keys we had before and reverted to…

WHERE DID IT GET THE PROXY VALUES FROM IF THERE WAS NO GPO AND NO REGISTRY SETTINGS????????????????????
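
A diagnostic sketch for the question raised in this thread, added here as an example and not part of the original posts: it lists the places Windows can hold proxy configuration for a user, including the binary per-connection values under the `Connections` subkey where Internet Options keeps its settings. It assumes the "three registry settings" mentioned above are `ProxyEnable`, `ProxyServer` and `ProxyOverride`, and it must be run in the affected user's session so that `HKCU:` is that user's hive.

```powershell
# Added example, not from the thread. Run as the affected user.
# Assumption: the GPO's three registry items are ProxyEnable, ProxyServer, ProxyOverride.
$rel    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$polRel = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$names  = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL', 'ProxySettingsPerUser'

# Pull printable ASCII runs out of a binary value so an embedded proxy
# host or bypass list is visible without relying on the blob's layout.
function Get-AsciiRuns {
    param([byte[]]$Bytes, [int]$MinLength = 4)
    $text    = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    $pattern = '[\x20-\x7E]{' + $MinLength + ',}'
    [regex]::Matches($text, $pattern) | ForEach-Object { $_.Value }
}

# 1. Plain registry values: per-user and per-machine, preference and policy branches.
foreach ($root in 'HKCU:', 'HKLM:') {
    foreach ($sub in $rel, $polRel) {
        $path = "$root\$sub"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($n in $names) {
            if ($null -ne $props.$n) { '{0}  {1} = {2}' -f $path, $n, $props.$n }
        }
    }
}

# 2. Binary connection settings (for example DefaultConnectionSettings and
#    SavedLegacySettings). These live in the user profile and can still carry
#    a proxy after the plain values above have been removed.
$conn = "HKCU:\$rel\Connections"
if (Test-Path $conn) {
    $key = Get-Item -Path $conn
    foreach ($v in $key.GetValueNames()) {
        $data = $key.GetValue($v)
        if ($data -is [byte[]]) {
            '{0}  {1} (binary): {2}' -f $conn, $v, ((Get-AsciiRuns -Bytes $data) -join ' | ')
        }
    }
}

# 3. Machine-wide WinHTTP proxy, which is stored separately from the settings above.
netsh winhttp show proxy
```

Comparing this output between an affected profile and a freshly rebuilt one shows which of the three locations differs.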
