AAD Mobile Troubleshooting
Background:
A user is experiencing an "invalid credential" error when attempting to log in to a mobile app using OKTA.
The same credentials work on other platforms, including Safari on the mobile device, except for O365.
The user is certain that the password entered is correct.
Logs tell us that the issue may be due to different encoding.
Capturing the network traffic will help diagnose the problem or provide evidence if escalation is needed.
Important Notes
Ensure the issue can be reproduced before performing these steps.
Handle the output file securely as it contains sensitive information.
Steps:
1. Prepare the Network:
- Connect the iPhone and the computer (used as a proxy) to the same network or subnet/VLAN.
- Ensure the Fiddler listening port (default is 8888) is not blocked on the computer. Temporarily disable the Windows firewall if necessary.
2. Install and Configure Fiddler on the Computer:
- Download Fiddler from https://www.telerik.com/download/fiddler
- In Fiddler, go to Tools -> Options -> Connections, and enable “Allow remote computers to connect”.
3. Configure Fiddler for HTTPS Traffic:
- Go to Tools -> Options -> HTTPS, and check “Decrypt HTTPS traffic”.
- Install and trust the Fiddler Root Certificate on the computer by following the prompts.
4. Install Certificate Maker Plugin for Fiddler:
- Download and install the Certificate Maker Plugin from https://www.telerik.com/fiddler/add-ons
- Restart Fiddler to apply changes.
- Hover over the Online indicator on the Fiddler toolbar to display the computer’s IP addresses.
- Ensure Fiddler is capturing traffic (indicated in the lower-left corner of Fiddler).
5. Configure the iPhone:
- Connect the iPhone to the same network as the computer via Wi-Fi. Disable 3G/4G connections.
- Verify the iPhone can reach Fiddler by navigating to http://FiddlerMachineIP:8888 in a browser. This should display the Fiddler Echo Service page.
- Go to Settings -> WLAN -> Select the connected Wi-Fi network -> Configure Proxy -> Manual.
- Enter the IP address of the Fiddler machine in the Server box and the port (usually 8888) in the Port box. Ensure Authentication is off, then save the configuration.
- In a browser on the iPhone, go to http://<FiddlerMachineIP>.fiddler:8888 and download the FiddlerRoot certificate from the Fiddler Echo Service webpage.
- Open the FiddlerRoot.cer file and install it.
- Go to Settings -> General -> About -> Certificate Trust Settings and manually enable full trust for the FiddlerRoot certificate. Accept the dialog about third-party eavesdropping.
6. Reproduce the Issue:
- On the iPhone, open “Authenticator” and attempt to log in to reproduce the issue.
- Once the issue is reproduced, stop Fiddler capturing by clicking “Capturing” in the lower-left corner of Fiddler.
- Save the captured sessions by clicking File and selecting Save.
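Added example (not part of the original guide): one way to check the saved capture for the suspected encoding difference without exposing the password. It reports only byte length, UTF-8 validity and Unicode normalization of the password field in each form POST. Assumptions: the capture is a Fiddler .saz archive (a ZIP with client requests under raw/*_c.txt), the login body is form-encoded, and the field is named "password"; the sample capture and host idp.example are constructed.

```python
import io
import unicodedata
import zipfile
from urllib.parse import unquote_to_bytes

def describe_secret(raw: bytes) -> dict:
    """Summarise how a value is encoded without revealing the value itself."""
    try:
        text, utf8 = raw.decode("utf-8"), True
    except UnicodeDecodeError:
        text, utf8 = raw.decode("latin-1"), False  # fallback only for the NFC check
    return {
        "bytes": len(raw),
        "non_ascii_bytes": sum(b > 0x7F for b in raw),
        "valid_utf8": utf8,
        "nfc": unicodedata.is_normalized("NFC", text),
    }

def password_encoding_report(saz, field=b"password"):
    """Return [(session file, summary)] for form POSTs in a SAZ that carry `field`."""
    report = []
    with zipfile.ZipFile(saz) as archive:
        for name in sorted(archive.namelist()):
            if not (name.startswith("raw/") and name.endswith("_c.txt")):
                continue  # only client requests; field name is an assumption
            head, _, body = archive.read(name).partition(b"\r\n\r\n")
            if b"application/x-www-form-urlencoded" not in head.lower():
                continue
            for pair in body.split(b"&"):
                key, _, value = pair.partition(b"=")
                if unquote_to_bytes(key) == field:
                    raw = unquote_to_bytes(value.replace(b"+", b" "))
                    report.append((name, describe_secret(raw)))
    return report

def build_sample_saz() -> io.BytesIO:
    """Constructed capture: one password sent as NFC UTF-8, Latin-1 and NFD UTF-8."""
    request = (b"POST /login HTTP/1.1\r\nHost: idp.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"username=user%40example.com&password=")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for n, pw in enumerate((b"Caf%C3%A9-2024", b"Caf%E9-2024", b"Cafe%CC%81-2024"), 1):
            archive.writestr(f"raw/{n}_c.txt", request + pw)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for session, summary in password_encoding_report(build_sample_saz()):
        print(session, summary)
```

Pass the path of the saved .saz file in place of build_sample_saz() to compare a failing mobile login against a working one; differing valid_utf8 or nfc values for the same password point to the encoding mismatch.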