[Bug] ADFS 2019 + WAM throws exception #2836

Closed
bachoang opened this issue Aug 20, 2021 · 2 comments · Fixed by #3135

Comments
@bachoang

Which version of MSAL.NET are you using?
MSAL.Net v4.35.1

Platform
.Net WPF app

What authentication flow has the issue?

- Desktop / Mobile
  - [ ] Interactive
  - [x] Integrated Windows Authentication
  - [ ] Username Password
  - [ ] Device code flow (browserless)
- Web app
  - [ ] Authorization code
  - [ ] On-Behalf-Of
- Daemon app
  - [ ] Service to Service calls

Is this a new or existing app?
new

Repro
This is a pure ADFS 2019 environment (no Azure AD involved). I am trying to use MSAL with WAM to do Integrated Windows Authentication to ADFS as suggested in #2771 (comment), but this does not work.

I am getting the following exception calling AcquireTokenInteractive using WAM:

```
System.ArgumentNullException
HResult=0x80004003
Message=Value cannot be null.
Source=mscorlib
StackTrace:
at System.StubHelpers.HStringMarshaler.ConvertToNativeReference(String managed, HSTRING_HEADER* hstringHeader)
at Windows.Security.Authentication.Web.Core.WebAuthenticationCoreManager.FindAccountProviderAsync(String webAccountProviderId, String authority)
at Microsoft.Identity.Client.Platforms.Features.WamBroker.WebAccountProviderFactory.d__0.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Platforms.Features.WamBroker.WamBroker.d__23.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at Microsoft.Identity.Client.Platforms.Features.WamBroker.WamBroker.d__13.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Broker.BrokerInteractiveRequestComponent.d__9.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.d__10.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.d__11.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.d__8.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__12.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.d__2.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at active_directory_wpf_msgraph_v2.MainWindow.<CallGraphButton_Click>d__3.MoveNext() in C:\Users\bhadmin.AZUREAD\Documents\sample\WAM\active-directory-dotnet-desktop-msgraph-v2\active-directory-wpf-msgraph-v2\MainWindow.xaml.cs:line 78

This exception was originally thrown at this call stack:
[External Code]
active_directory_wpf_msgraph_v2.MainWindow.CallGraphButton_Click(object, System.Windows.RoutedEventArgs) in MainWindow.xaml.cs
```

My code (modified from the sample https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2):

The redirect URI registered in ADFS 2019 is "ms-appx-web://microsoft.aad.brokerplugin/{client_id}" for the native desktop app.

```csharp
// Build the client against the ADFS authority with the WAM broker enabled.
var builder = PublicClientApplicationBuilder.Create("<client ID>")
    .WithAdfsAuthority("https://<adfs domain>/adfs/", false)
    .WithDefaultRedirectUri();
builder.WithWindowsBroker(true);  // Requires redirect URI "ms-appx-web://microsoft.aad.brokerplugin/{client_id}" in app registration

_clientApp = builder.Build();
TokenCacheHelper.EnableSerialization(_clientApp.UserTokenCache);

// ...

// 'app' below is the client built above (App.PublicClientApp in the sample);
// 'scopes', 'authResult' and 'firstAccount' are declared as in the sample.
firstAccount = PublicClientApplication.OperatingSystemAccount;

try
{
    authResult = await app.AcquireTokenSilent(scopes, firstAccount)
        .ExecuteAsync();
}
catch (MsalUiRequiredException ex)
{
    // A MsalUiRequiredException happened on AcquireTokenSilent.
    // This indicates you need to call AcquireTokenInteractive to acquire a token
    System.Diagnostics.Debug.WriteLine($"MsalUiRequiredException: {ex.Message}");

    try
    {
        authResult = await app.AcquireTokenInteractive(scopes)
            .WithAccount(firstAccount)
            .WithParentActivityOrWindow(new WindowInteropHelper(this).Handle) // optional, used to center the browser on the window
            .WithPrompt(Prompt.SelectAccount)
            .ExecuteAsync();
    }
    catch (MsalException msalex)
    {
        ResultText.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";
    }
}
```

Expected behavior
no exception and IWA authentication should work

Actual behavior
exception above

Possible solution
none for IWA

Additional context / logs / screenshots
IWA in my environment works fine outside of MSAL. I can use the browser to do IWA to ADFS server correctly.
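The flow the report describes, written as an added example (not code from the sample or from MSAL.NET): it keeps a broker-enabled client for the WAM path and a second, non-broker client so that classic `AcquireTokenByIntegratedWindowsAuth` and the browser fallback are not routed through the WAM provider lookup that throws here. The client ID and authority are the post's placeholders, and the helper class `AdfsAuth` is hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Desktop; // WithWindowsBroker extension in MSAL.NET 4.3x

// Hypothetical helper (not from the sample or MSAL): broker-first sign-in against ADFS
// with a non-broker IWA path as the fallback.
public static class AdfsAuth
{
    const string ClientId = "<client ID>";                  // placeholder from the post
    const string Authority = "https://<adfs domain>/adfs/"; // placeholder from the post

    static IPublicClientApplication Build(bool useBroker)
    {
        var b = PublicClientApplicationBuilder.Create(ClientId)
            .WithAdfsAuthority(Authority, validateAuthority: false)
            .WithDefaultRedirectUri(); // ms-appx-web://microsoft.aad.brokerplugin/{client_id} with the broker
        if (useBroker) b = b.WithWindowsBroker(true);
        return b.Build();
    }

    public static async Task<AuthenticationResult> AcquireAsync(string[] scopes, IntPtr parentHwnd)
    {
        var brokerApp = Build(useBroker: true);
        var plainApp = Build(useBroker: false);

        // 1. Silent via WAM for the signed-in OS account. On the affected version the
        //    provider lookup can surface an ArgumentNullException, so treat both that and
        //    MSAL's own exceptions as "broker path unavailable" rather than fatal.
        try
        {
            return await brokerApp.AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount)
                .ExecuteAsync();
        }
        catch (Exception ex) when (ex is MsalException || ex is ArgumentNullException)
        {
            System.Diagnostics.Debug.WriteLine($"WAM silent path failed: {ex.GetType().Name}: {ex.Message}");
        }

        // 2. Classic IWA (Kerberos/NTLM via WS-Trust) on the non-broker client; assumed not to
        //    go through WAM in this MSAL version, so the failing provider lookup is bypassed.
        try
        {
            return await plainApp.AcquireTokenByIntegratedWindowsAuth(scopes).ExecuteAsync();
        }
        catch (MsalException ex)
        {
            System.Diagnostics.Debug.WriteLine($"IWA failed: {ex.ErrorCode}");
        }

        // 3. Last resort: interactive sign-in on the non-broker client.
        return await plainApp.AcquireTokenInteractive(scopes)
            .WithParentActivityOrWindow(parentHwnd)
            .WithPrompt(Prompt.SelectAccount)
            .ExecuteAsync();
    }
}
```

Step 2 is the practical workaround for versions before the fix; once the broker handles IWA, the two-client split is no longer needed.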

@bgavrilMS
Member

  1. AcquireTokenIntegratedWindowsAuth should probably just call the broker (ATS) if enabled
  2. Investigate the bug

@pmaytak pmaytak modified the milestones: 4.37.0, 4.38.0 Oct 23, 2021
@trwalke trwalke modified the milestones: 4.38.0, 4.39.0 Nov 19, 2021
@pmaytak pmaytak modified the milestones: 4.39.0, 4.40.0 Nov 29, 2021
@bgavrilMS bgavrilMS changed the title [Bug] Null Reference Exception trying to use MSAL.Net to do Windows Integrated authentication with ADFS 2019 via WAM [Bug] ADFS 2019 + WAM throws exception Jan 6, 2022
@bgavrilMS bgavrilMS modified the milestones: 4.40.0, 4.41.0 Jan 10, 2022
@gladjohn
Contributor

gladjohn commented Feb 9, 2022

This has been fixed in MSAL 4.41.0.
