Windows 8 and newer computers fail to authenticate to a 3rd party authentication server when the Symantec Endpoint Protection (SEP) client is configured to use Web Security Services (WSS) Traffic Redirection (WTR).
The SEP client's WTR functionality configures the client to send all Web traffic on port 443, and 80 to a local proxy service listening on port 2968. This traffic is then forwarded to the WSS infrastructure.
Microsoft Office uses a Microsoft App called Work or school account to authenticate to a 3rd party identity provider, such as corporate Active Directory Federation Services (ADFS), or a SAML Identity Provider (IDP). Microsoft Apps (self-contained applications downloaded from the Microsoft Store) cannot connect to localhost by default.
This problem is fixed in WTR engine content 126.96.36.1992.