Tonight I had an issue where I was unable to log into the PowerApps tenant of one of my clients using PowerApps from the app store. I tried with several Android phones and all had the same issue (although iPhones did not). The symptom was that after entering my email address, I was redirected to a loading screen for a short time and then returned to the logon page. While the PowerApps client was not playing ball, I was able to connect to the PowerApps site via the Chrome browser on the device.
Now my client uses their own ADFS, so I felt the issue might be related to local configuration or a certificate problem. After doing a little bit of reading, I came across this article, which led me to the SSL analyser tool at ssllabs.com. As the article predicted, when I ran SSL analyser against my client’s ADFS URL, my issue was related to certificate paths.
The article states that if you see “extra download” in your certification paths as shown below, Android will have an issue with it. Quoting from the support article: “Android does not support downloading additional certificates from the authorityInformationAccess field of the certificate. This is true across all Android versions and devices, and for the Chrome browser. Any server authentication certificate that’s marked for extra download based on the authorityInformationAccess field will trigger this error if the entire certificate chain is not passed from Active Directory Federation Services (AD FS).”
Now the article talks about a change to your ADFS configuration to address this issue, but I also wanted to make it clear that this can be addressed (at least for PowerApps) on a per-device basis. In my client’s case, the problematic certificate was an Entrust certificate called Entrust Certification Authority – L1K.
All I did to fix it was, using my phone, visit the Entrust root certificates page and click on the “Entrust Certificate Authority L1K” link. The certificate was downloaded and when I ran it, I was presented with a screen to give it a display name and confirm it was to be used for “VPN and apps”.
Once I did this, I could log into PowerApps again.
Hope this helps someone else out there…
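To check a server for the “extra download” condition without the SSL Labs site, the sketch below (an added example, not from the original post or the support article) parses the "Certificate chain" section that `openssl s_client -showcerts` prints and reports the first issuer that is neither sent by the server nor already trusted on the device. The hostname, CA names, sample output and function names are constructed for illustration, and issuers are matched by name only, which is a simplification of real path validation.

```python
import re

# Constructed sample of the "Certificate chain" section from
# `openssl s_client -connect <host>:443 -showcerts`; names are placeholders.
# Here the server sends only its leaf certificate.
SAMPLE_INCOMPLETE = """\
Certificate chain
 0 s:CN = adfs.example.com
   i:CN = Example Issuing CA
---
"""
# The same server once it also sends the intermediate.
SAMPLE_COMPLETE = """\
Certificate chain
 0 s:CN = adfs.example.com
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
---
"""
DEVICE_ROOTS = {"CN = Example Root CA"}  # assumed device trust store

SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def first_missing_issuer(text, trusted):
    """Walk up from the leaf; return the issuer a client without AIA
    fetching cannot find, or None if the path reaches a trusted name."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no certificate chain found in input")
    sent = dict(chain)
    subject, issuer = chain[0]
    seen = set()
    while issuer not in trusted and issuer != subject:
        if issuer not in sent or issuer in seen:
            return issuer  # would need the "extra download"
        seen.add(issuer)
        subject, issuer = issuer, sent[issuer]
    return None
```

Adding the intermediate's name to the trusted set models the per-device fix described above, while the complete sample models the server-side fix of sending the whole chain.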