AAD Mobile Troubleshooting

Background:

  • A user is experiencing an "invalid credential" error when attempting to log in to a mobile app through Okta.

  • The same credentials work on other platforms, including Safari on the phone itself, but not for Office 365 (O365).

  • The user is certain that the password entered is correct.

  • Sign-in logs suggest the failure may be caused by the mobile app encoding the password characters differently from the clients that succeed.

  • Capturing the network traffic will either diagnose the problem or provide evidence if escalation is needed.

Important Notes:

  • Ensure the issue can be reproduced before performing these steps.

  • Handle the output file securely. Because the capture decrypts the HTTPS sign-in, the saved sessions contain the user's password in clear text and any tokens or cookies issued to the app.

  • If the app pins its server certificate, its connections will fail with a TLS error in Fiddler instead of being decrypted; record that as a finding rather than a fault in the setup.

  • When finished, remove the FiddlerRoot certificate from the iPhone (Settings -> General -> VPN & Device Management) and set the Wi-Fi proxy back to Off.

Steps:

1. Prepare the Network:

- Connect the iPhone and the computer (used as a proxy) to the same network or subnet/VLAN.

- Ensure the Fiddler listening port (default is 8888) is not blocked on the computer. If it is, add an inbound Windows Firewall rule for TCP 8888, scoped to the iPhone's IP address where possible, rather than disabling the firewall, and remove the rule when the capture is done.

2. Install and Configure Fiddler on the Computer:

- Download Fiddler from https://www.telerik.com/download/fiddler

- In Fiddler, go to Tools -> Options -> Connections, and enable "Allow remote computers to connect".

3. Configure Fiddler for HTTPS Traffic:

- Go to Tools -> Options -> HTTPS, and check "Decrypt HTTPS traffic". Install and trust the Fiddler Root Certificate on the computer by following the prompts.

4. Install Certificate Maker Plugin for Fiddler:

- Download and install the Certificate Maker (CertMaker) plugin from https://www.telerik.com/fiddler/add-ons. Fiddler's default certificate generator produces certificates that iOS rejects; CertMaker generates ones the iPhone will accept.

- Restart Fiddler to apply changes.

- Hover over the Online indicator on the Fiddler toolbar to display the computer’s IP addresses.

- Ensure Fiddler is capturing traffic (indicated in the lower-left corner of Fiddler).

5. Configure the iPhone:

- Connect the iPhone to the same network as the computer via Wi-Fi. Disable cellular data so that all traffic goes over Wi-Fi.

- Verify the iPhone can reach Fiddler by navigating to http://<FiddlerMachineIP>:8888 in a browser. This should display the Fiddler Echo Service page.

- Go to Settings -> Wi-Fi (shown as WLAN on some regional builds) -> select the connected Wi-Fi network -> Configure Proxy -> Manual.

- Enter the IP address of the Fiddler machine in the Server box and the port (usually 8888) in the Port box. Leave Authentication off, then save the configuration.

- In a browser on the iPhone, go to http://<FiddlerMachineIP>:8888 again (this time the request goes through the proxy) and download the FiddlerRoot certificate from the Fiddler Echo Service page.

- Allow the download; iOS stores it as a profile. Go to Settings -> General -> VPN & Device Management (Profiles on older iOS versions), select FiddlerRoot, and tap Install.

- Go to Settings -> General -> About -> Certificate Trust Settings and manually enable full trust for the FiddlerRoot certificate. Accept the dialog warning about third-party eavesdropping.

6. Reproduce the Issue:

- On the iPhone, open "Authenticator" and attempt to log in to reproduce the issue.

- Once the issue is reproduced, stop Fiddler capturing by clicking "Capturing" in the lower-left corner of Fiddler.

- Save the captured sessions via File -> Save -> All Sessions. This produces a .saz archive; it is the file referred to in the Important Notes above.
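Once the archive is saved, the session to inspect is the sign-in POST whose form body carries the password field. The example below is added to this runbook and is not part of the original procedure or of any Fiddler or Okta tooling; the two form bodies, the user name and the password "Pässw0rd€" are constructed for illustration. It shows the check worth doing on the captured field: percent-decode it to raw bytes, then see which character set turns those bytes back into the password the user says they typed. A client that sends the bytes in one charset to a server that reads them in another yields exactly the "invalid credential" symptom described above even though the typed password is correct.

```python
"""Check which charset a captured login form field was encoded with.

Added example for this runbook (not original content). Both request bodies
and the password below are constructed: client A percent-encoded the
password as UTF-8, client B as Windows-1252. Identifying which charset
reproduces the user's password tells you whether the mobile app and the
identity provider disagree on encoding.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample data (not taken from a real capture).
EXPECTED_PASSWORD = "Pässw0rd€"
UTF8_BODY = "username=j.doe%40example.com&password=P%C3%A4ssw0rd%E2%82%AC"
CP1252_BODY = "username=j.doe%40example.com&password=P%E4ssw0rd%80"

# Charsets worth trying when a form body does not declare one.
CANDIDATE_ENCODINGS = ("utf-8", "cp1252", "latin-1")


def raw_field(body: str, name: str) -> str:
    """Return the still-percent-encoded value of `name` from a form body."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    raise KeyError(name)


def decode_candidates(encoded_value: str) -> dict:
    """Percent-decode to bytes, then decode those bytes under each candidate charset.

    '+' is a space in application/x-www-form-urlencoded, so it is mapped to
    %20 first. Charsets under which the bytes are invalid map to None.
    """
    raw = unquote_to_bytes(encoded_value.replace("+", "%20"))
    result = {}
    for enc in CANDIDATE_ENCODINGS:
        try:
            result[enc] = raw.decode(enc)
        except UnicodeDecodeError:
            result[enc] = None
    return result


def encodings_matching(encoded_value: str, expected: str) -> list:
    """List the candidate charsets that turn the captured bytes back into `expected`."""
    return [enc for enc, text in decode_candidates(encoded_value).items()
            if text == expected]


if __name__ == "__main__":
    for label, body in (("client A", UTF8_BODY), ("client B", CP1252_BODY)):
        field = raw_field(body, "password")
        print(f"{label}: password={field} decodes correctly as {encodings_matching(field, EXPECTED_PASSWORD)}")
```

Run against the real capture by pasting the percent-encoded password field from the Fiddler session into raw_field's input. If the mobile app's field only decodes correctly under cp1252 while the working clients' fields decode under utf-8, the encoding mismatch is confirmed and the two raw byte strings are the evidence to attach to the escalation.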
