Closed hugo-syn closed 11 months ago
In this case it's not easy for me to diagnose without further context, but it looks like error code AADSTS81016 shows that the tenant does not support seamless SSO. This blog may help: https://guillaumeben.xyz/Microsoft-365-enumeration/
I would recommend checking if your tenant is managed or federated; typically I see STS errors when spraying a federated environment with a technique that targets managed tenant users. You can check tenant type by using this link and changing domain.com to your target tenant domain: https://login.microsoftonline.com/getuserrealm.srf?login=username@domain.com&xml=1
Closing as this is not tool related; please re-open if there is a bug to be fixed.
Yes, but my tenant seems to be managed <NameSpaceType>Managed</NameSpaceType>:
$ curl -isk "https://login.microsoftonline.com/getuserrealm.srf?login=user@redacted.com&xml=1"
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
Expires: -1
[...]
<RealmInfo Success="true">
<State>4</State>
<UserState>1</UserState>
<Login>user@redacted.com</Login>
<NameSpaceType>Managed</NameSpaceType>
<DomainName>redacted.com</DomainName>
<IsFederatedNS>false</IsFederatedNS>
<FederationBrandName>redacted2.com</FederationBrandName>
<CloudInstanceName>microsoftonline.com</CloudInstanceName>
<CloudInstanceIssuerUri>urn:federation:MicrosoftOnline</CloudInstanceIssuerUri>
</RealmInfo>
Interesting, they must just not use the seamless SSO functionality. Any of the other spraying commands would work most likely.
Hi, I have the following error when I use the azuresso plugin with a valid and invalid login/password; it says Invalid STS request. Do you know what's happening?