
Cannot connect error when logging in via corporate WIFI

Open afourney opened this issue 9 years ago • 5 comments

Issue Description

This issue resembles the situation described here: https://github.com/AzureAD/azure-activedirectory-library-for-cordova/issues/80

When users (under @microsoft.com) attempt to login from a laptop connected to the corporate network, they receive the error:

"We can't connect to service right now. Check your internet connection or try this again later"

This occurs after they type their email address on the first screen, and are redirected.

Repro Environment Details

  1. We are using version 8.1 of the plugin and are deploying to Windows 10 desktop UWP
  2. The problem occurs only when users are connected to the corporate WiFi, or to public WiFi +Corporate VPN. It works fine with wired connections to the corporate network.
  3. I cannot provide any traces from Fiddler because of certificate pinning

afourney avatar Nov 10 '16 19:11 afourney

Update: I think this issue is related to the ADAL bug here: https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/issues/222

afourney avatar Nov 11 '16 17:11 afourney

Ok, more progress. When working in Visual Studio, adding `<Capability Name="privateNetworkClientServer" />` to the manifest file fixes the problem.

However, this does not work when side loading apps. When side loading, one has to create a LoopbackExemption exemption for AuthHost.exe

E.g., `CheckNetIsolation LoopbackExempt -a -n="microsoft.windows.authhost_8wekyb3d8bbwe"`

This appears to be the same problem as is documented here:

Understanding and debugging the web authentication broker workflow (XAML)

Note that setting `<preference name="adal-use-corporate-network" value="true" />` in config.xml does not resolve the issue. Instead, it results in the error "We received a bad request"

afourney avatar Nov 29 '16 18:11 afourney
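The two checks described in the comment above (the manifest capability for Visual Studio builds, the AuthHost loopback exemption for sideloaded builds), as an added PowerShell script that is not part of the thread or the plugin. It assumes the manifest path shown in the parameter and an elevated session when `-Fix` is used; the `-s` switch of CheckNetIsolation lists the app containers that currently hold an exemption.

```powershell
# Added example, not from the issue thread: verify (and optionally apply) the
# fixes the comment describes. Run elevated when using -Fix; CheckNetIsolation
# needs admin rights to add a loopback exemption.
param(
    # Assumed location of the generated UWP manifest; adjust to your project.
    [string]$ManifestPath = ".\platforms\windows\package.windows10.appxmanifest",
    [switch]$Fix
)

# Package family name of the web authentication broker host, as quoted in the comment.
$AuthHostPfn = "microsoft.windows.authhost_8wekyb3d8bbwe"

function Test-ManifestCapability {
    param([string]$Path, [string]$Name)
    [xml]$manifest = Get-Content -Path $Path -Raw
    # <Capability>/<uap:Capability> elements sit under <Package><Capabilities>;
    # dot-navigation ignores namespace prefixes, comments are skipped.
    $hits = $manifest.Package.Capabilities.ChildNodes |
        Where-Object { $_ -is [System.Xml.XmlElement] -and $_.GetAttribute("Name") -eq $Name }
    return [bool]$hits
}

function Test-LoopbackExemption {
    param([string]$PackageFamilyName)
    # -s prints every app container that currently has a loopback exemption.
    $listing = & CheckNetIsolation.exe LoopbackExempt -s 2>&1 | Out-String
    # -match is case-insensitive, so the casing printed by the tool does not matter.
    return [bool]($listing -match [regex]::Escape($PackageFamilyName))
}

$cap = "privateNetworkClientServer"
if (Test-ManifestCapability -Path $ManifestPath -Name $cap) {
    "OK      manifest declares $cap"
} else {
    "MISSING manifest capability $cap (add <Capability Name=`"$cap`" /> under <Capabilities>)"
}

if (Test-LoopbackExemption -PackageFamilyName $AuthHostPfn) {
    "OK      loopback exemption present for $AuthHostPfn"
} elseif ($Fix) {
    # Same command the comment gives, applied only when the exemption is absent.
    & CheckNetIsolation.exe LoopbackExempt -a -n="$AuthHostPfn"
} else {
    "MISSING loopback exemption for $AuthHostPfn (rerun elevated with -Fix to add it)"
}
```

Loopback exemptions are per machine, not per package, so the check has to be repeated on every device the sideloaded build is installed on.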

I have the same problem. @afourney were you able to resolve this issue?

nguyenjk avatar Jan 05 '17 18:01 nguyenjk

@nguyenjk No. I was not able to resolve this problem with this plugin. I ended up implementing the OAuth exchange myself using the InAppBrowser plugin and MSAL. (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-appmodel-v2-overview). Specifically: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-protocols-oauth-code

We use the Secure Storage plugin (https://github.com/Crypho/cordova-plugin-secure-storage) to store refresh tokens on the client since local storage in Javascript / Cordova is not secure.

afourney avatar Jan 05 '17 18:01 afourney

Our app had this issue for a long time before we added the sharedUserCertificates and privateNetworkClientServer capabilities, AND upgraded to 3.19.6. However, this seems to have been broken with 3.19.7. The app no longer authenticates when connected to our VPN, and we are receiving the following error again: "We can't connect to service right now. Check your internet connection or try this again later"

Reverting back to 3.19.6 corrects the issue.

JCpoz123 avatar Jul 23 '18 13:07 JCpoz123