[GH-ISSUE #116] Standard Users - Problem connecting to Microsoft Graph. Exit. #50

Closed
opened 2026-02-27 20:30:59 +03:00 by kerem · 13 comments

Originally created by @CarlInLV on GitHub (May 29, 2024).
Original GitHub issue: https://github.com/Set-OutlookSignatures/Set-OutlookSignatures/issues/116

Originally assigned to: @CarlInLV on GitHub.

Issue happens in the latest release

  • I confirm that the issue happens in the latest release of Set-OutlookSignatures

Previously solved issues and documentation

  • I have searched through previous issues and documentation, but have not found an answer to my issue

Code of Conduct

  • I agree to follow this project's Code of Conduct

What happened?

Converting to issue from discussion #114

Set-OutlookSignaturesResult-CarlInLV.txt

Verbose log

(there's a lot more text before this but I can't include it because of the character limit - it's in the txt file above)
No Graph authentication possible.
1. Did you follow the Quick Start Guide in '.\docs\README' and configure the Entra ID/Azure AD app correctly?
2. If the "Via Prompt with LoginHint and Timeout" authentication message is displayed:
   - Does a browser (the system default browser, if configured) open and ask for authentication?
     - Yes:
       - Check if the correct user account is selected/entered and if the authentication is successful
       - Check if authentication happens within two minutes
       - Ensure that access to 'http://localhost' is allowed ('https://localhost' is currently not technically feasible, see 'https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/System-Browser-on-.Net-Core' and 'https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/MSAL.NET-uses-web-browser' for details)
     - No:
       - Run Set-OutlookSignatures in a new PowerShell session
       - Check if a default browser is set and if "start https://github.com/Set-OutlookSignatures/Set-OutlookSignatures" opens it
       - Make sure that Set-OutlookSignatures is executed in the security context of the currently logged-in user
       - Make sure that the current PowerShell session allows TLS 1.2+ (see https://github.com/Set-OutlookSignatures/Set-OutlookSignatures/issues/85 for details)
3. Run Set-OutlookSignatures with the "-Verbose" parameter and check for authentication messages
4. Delete the MSAL.PS Graph token cache: Encrypted file 'C:\Users\testact2\AppData\Local\MSAL.PS\MSAL.PS.msalcache.bin3', delete file to remove cached token.
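The troubleshooting list in the log above is a manual procedure (TLS 1.2, outbound HTTPS, the http://localhost redirect, default browser, MSAL.PS token cache). The following script is an added diagnostic, not code from Set-OutlookSignatures or from the issue author, that runs those checks in one go from the affected user's own security context and, for any failure, prints the full InnerException chain, because the outer "An error occurred while sending the request." message from .NET hides the actual cause (TLS handshake, socket, proxy, or a blocked connection). The endpoint URLs, the registry keys and the cache path are assumptions taken from the issue text and public MSAL/.NET documentation; `Get-ExceptionChain` is this example's own helper.

```powershell
# Added diagnostic example (not part of Set-OutlookSignatures). Run it in the
# context of the failing standard user, then as an account that works, and diff
# the output. URLs, registry keys and the cache path are assumptions based on
# the issue log and public MSAL / .NET documentation.

function Get-ExceptionChain {
    # Walk InnerException so the real cause behind the generic
    # "An error occurred while sending the request." becomes visible.
    param([System.Exception]$Exception)
    $chain = @()
    $e = $Exception
    while ($null -ne $e) {
        $chain += ('{0}: {1}' -f $e.GetType().FullName, $e.Message)
        $e = $e.InnerException
    }
    return $chain
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([System.Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "User context : $($identity.Name)"
Write-Host "Elevated     : $isAdmin"

# 1. TLS: Windows PowerShell 5.1 may still offer TLS 1.0/1.1 unless the .NET
#    strong-crypto keys are set; Entra ID and Graph require TLS 1.2+.
Write-Host "SecurityProtocol (session): $([System.Net.ServicePointManager]::SecurityProtocol)"
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $v = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($null -eq $v) { $v = '<not set>' }
    Write-Host "SchUseStrongCrypto $key = $v"
}
# Enable TLS 1.2 for this session in addition to whatever is already allowed.
[System.Net.ServicePointManager]::SecurityProtocol =
    [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12

# 2. Outbound HTTPS to the identity and Graph endpoints (both answer anonymously).
foreach ($url in 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
                 'https://graph.microsoft.com/v1.0/$metadata') {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Host "OK   $url -> HTTP $($r.StatusCode)"
    } catch {
        Write-Host "FAIL $url"
        Get-ExceptionChain $_.Exception | ForEach-Object { Write-Host "     $_" }
    }
}

# 3. Loopback listener: the MSAL system-browser flow redirects to
#    http://localhost:<port>, so this process must be able to bind a loopback port.
try {
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
    $listener.Start()
    Write-Host "OK   loopback listener bound on port $(([System.Net.IPEndPoint]$listener.LocalEndpoint).Port)"
    $listener.Stop()
} catch {
    Write-Host "FAIL loopback listener"
    Get-ExceptionChain $_.Exception | ForEach-Object { Write-Host "     $_" }
}

# 4. Default handler for https:// URLs (what Start-Process uses for the sign-in URL).
$assoc  = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice'
$progId = (Get-ItemProperty -Path $assoc -Name ProgId -ErrorAction SilentlyContinue).ProgId
if (-not $progId) { $progId = '<none>' }
Write-Host "Default https handler: $progId"

# 5. MSAL.PS token cache, path as printed in the issue log. Deleting it only
#    forces a fresh interactive sign-in; it never fixes a transport error.
$cache = Join-Path $env:LOCALAPPDATA 'MSAL.PS\MSAL.PS.msalcache.bin3'
if (Test-Path -LiteralPath $cache) {
    $f = Get-Item -LiteralPath $cache
    Write-Host "Token cache : $cache ($($f.Length) bytes, written $($f.LastWriteTime))"
} else {
    Write-Host "Token cache : not present ($cache)"
}
```

A practitioner would run this twice, once as the failing standard user and once as an account that authenticates, and compare: if step 2 fails only for the standard user with a socket or I/O exception at the bottom of the chain, the cause is in the user's context (endpoint security, proxy or firewall policy applied per user or per group), not in the script or in Entra ID.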

@GruberMarkus commented on GitHub (May 29, 2024):

Problem:

      Execute config file 'X:\Redacted\Set-OutlookSignatures\NAMERedactedconfig\NAMERedacted graph config.ps1'
VERBOSE:       Current user:

That looks as if your test user is not a domain user but a local user ... which I guess is not the case.

What's the output of the following PowerShell commands when your test user executes them?

([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value

Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\$(([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value)\IdentityCache\$(([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value)" -Name 'UserName'
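The two commands above resolve the current user's UPN via the SID and the IdentityStore cache, and the empty "Current user:" line in the log is what happens when that registry key is missing. The following function is an added example, not code from Set-OutlookSignatures or from the maintainer; it performs the same lookup but guards it with Test-Path and falls back to `whoami /upn` and to an LDAP bind by SID, so a missing cache key yields a UPN (or a clear error) instead of an empty login hint. `Get-CurrentUserUpn` and its variable names are this example's own.

```powershell
# Added example (not from Set-OutlookSignatures): resolve the current user's UPN
# for use as an MSAL login hint, with fallbacks for the case in this issue where
# HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\<SID>\IdentityCache\<SID> does not exist.

function Get-CurrentUserUpn {
    [CmdletBinding()]
    param()

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sid = $identity.User.Value
    Write-Verbose "Current SID: $sid ($($identity.Name))"

    # 1. IdentityStore cache, the lookup from the thread. Test-Path first: the key
    #    is simply absent on some machines, which is exactly what the issue shows.
    $key = "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\$sid\IdentityCache\$sid"
    if (Test-Path -LiteralPath $key) {
        $upn = (Get-ItemProperty -LiteralPath $key -Name UserName -ErrorAction SilentlyContinue).UserName
        if ($upn) { Write-Verbose 'Source: IdentityStore cache'; return $upn }
    }

    # 2. whoami /upn: returns the UPN for domain accounts and exits non-zero
    #    (with a message on stderr) for local accounts.
    $out = & whoami.exe /upn 2>$null
    if ($LASTEXITCODE -eq 0 -and $out -match '@') {
        Write-Verbose 'Source: whoami /upn'
        return ([string]$out).Trim()
    }

    # 3. Bind to the AD user object by SID (needs line of sight to a domain controller).
    try {
        $user = [ADSI]"LDAP://<SID=$sid>"
        $upn  = [string]$user.userPrincipalName
        if ($upn) { Write-Verbose 'Source: LDAP SID bind'; return $upn }
    } catch {
        Write-Verbose "LDAP bind failed: $($_.Exception.Message)"
    }

    throw "Unable to determine a UPN for SID $sid; the account may be a local user or the domain is unreachable."
}

Get-CurrentUserUpn -Verbose
```

Run with `-Verbose` as the affected user: the "Source:" line tells you which lookup succeeded, so a machine where only the first step fails (as in this issue) is distinguishable from a genuinely local account, where all three fail.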

@CarlInLV commented on GitHub (May 29, 2024):

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\testact2> ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
>>
>> Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\$(([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value)\IdentityCache\$(([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value)" -Name 'UserName'
S-1-5-21-748878481-2559009712-601752613-1894
Get-ItemPropertyValue : Cannot find path 'HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\S-1-5-21-748878481-2559009712-601752613-1894\IdentityCache\S-1-5-21-748878481-2559009712-601752613-1894' because it does not exist.
At line:3 char:1
+ Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\IdentityStore\C ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...-601752613-1894:String) [Get-ItemPropertyValue], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyValueCommand

PS C:\Users\testact2>


@GruberMarkus commented on GitHub (May 29, 2024):

What about whoami /upn?


@CarlInLV commented on GitHub (May 29, 2024):

test.account2@NameRedacted.Gov (the UPN is accurate)


@CarlInLV commented on GitHub (May 29, 2024):

testact2 is the pre-Windows 2000 User logon name and Test.Account2 is the User logon name


@GruberMarkus commented on GitHub (May 29, 2024):

Very strange. I need to think about that a bit.


@GruberMarkus commented on GitHub (May 29, 2024):

I have seen this error only once, a few years ago. The root cause could never be determined, because the problem mysteriously and spontaneously solved itself.

Please test if the attached alpha version solves your problem.

Set-OutlookSignatures.rename-to-ps1.txt


@CarlInLV commented on GitHub (May 29, 2024):

Same result with the standard account and also with the help desk account (has local admin permissions on the workstation).

Result-Alpha-Verbose-CarlInLV.txt
Result-AlphaTest-CarlInLV.txt


@GruberMarkus commented on GitHub (May 30, 2024):

We are one step further, because user detection is working now, so we have a login hint for Graph.

Integrated Windows Authentication fails with an unspecified error. Usually, the message is much more detailed.

Graph auth fails very fast. The whole process takes 17 seconds, although the timeout is configured for two minutes.

As you use a .gov domain: Is your tenant in the public Azure/M365 cloud, or do you use one of the national clouds (AzureUSGovernment, AzureUSGovernmentDOD)?

Are you sure that your default browser does not open? Maybe it's in the background. What if you change your default browser to Edge?

Please also run a test with v4.12.0 instead of v4.12.2. It could be a bug in an auth library that was updated.


@GruberMarkus commented on GitHub (May 30, 2024):

I think that I focused on the wrong thing.

The error message for two different authentication mechanisms is identical and very generic and unspecific: "An error occurred while sending the request."

At the same time, it works if you use an account with domain admin rights, but not with accounts that are unprivileged or are local admins.

I think the real question is: Which (security) settings do you apply to your users, that are not applied to Domain Admins?

That could be Windows settings, antivirus and firewall configurations, and many more.

I think you should investigate on this direction - especially if v4.12.0 shows the same behavior as v4.12.2.


@CarlInLV commented on GitHub (May 30, 2024):

Our tenant is in the public Azure/M365 cloud (we just started using our .gov a month ago). I reverted back to 4.12.0 and ran another test. I am sure that the default browser does not open when I click OK to the popup message. I checked the running processes as well, no Chrome or Edge running in the background. Next I removed Chrome, set Edge as the default browser and ran another test - same result.
Next I will begin investigating our security settings since 4.12.0 showed the same behavior as 4.12.2.


@CarlInLV commented on GitHub (May 30, 2024):

I just got it to work for our HelpDesk account (has local admin on the workstations). The change that I made right before that test was disabling the Carbon Black sensor (antivirus). Edit 1 - Testing with v4.12.0. Edit 2 - now testing with a standard user account. Edit 3 - I noticed that when it works, the popup message doesn't appear.


@CarlInLV commented on GitHub (May 30, 2024):

Adding Set-OutlookSignatures.ps1 to the antivirus exclusions list looks like it was the final piece of this puzzle. Set-OutlookSignatures is now working here with the standard users in addition to the power users & Domain Admins. Thank you, @GruberMarkus very much!
