
[Feature Request] Enable WAM on Windows Server 2016

Open gladjohn opened this issue 2 years ago • 5 comments

  • Remove the OS check for Windows 2016 and do not fall back to browser when WAM is enabled
  • test WAM on Windows Server 2016

gladjohn avatar May 23 '23 15:05 gladjohn

On a Windows Server 2016 machine, we see the following error when invoking the new broker:

Exception: Microsoft.Identity.Client.NativeInterop.MsalRuntimeException: Status: Unexpected
Context: Caught exception
Tag: 0x2039c1cd

Subsequent calls to ATI briefly display the WAM UI or AAD picker, which then auto-dismisses, and we log this:

Exception: MSAL.NetCore.4.51.0.0.MsalClientException: 
	ErrorCode: authentication_canceled
Microsoft.Identity.Client.MsalClientException: User canceled authentication. 

On a different Win2016 Server, I see the following

image

Server info :

image

@MSamWils is there any data you want me to collect to troubleshoot this?

gladjohn avatar May 23 '23 22:05 gladjohn

@gladjohn, thanks for testing it. Can you please enable the MSALRuntime log for this issue?

Exception: Microsoft.Identity.Client.NativeInterop.MsalRuntimeException: Status: Unexpected
Context: Caught exception
Tag: 0x2039c1cd

And also please collect fiddler trace for the prompt issue. Thanks.

MSamWils avatar May 23 '23 23:05 MSamWils

@MSamWils shared all the info on chat. Please let me know if you need more details.

gladjohn avatar May 31 '23 23:05 gladjohn

Adding notes so we know what works and what doesn't with WAM on Server 2016.

| Authority     | MSA-PT | ATS   | ATI                                                                                  |
|---------------|--------|-------|--------------------------------------------------------------------------------------|
| lmo/org       | False  | -     | Error: Parameter prompt is duplicated                                                |
| lmo/org       | True   | -     | WAM UI shows up; upon selecting an account, Error: Missing wamcompat_id_token in WAM case |
| lmo/common    | False  | -     | WAM UI shows up; upon selecting an account, Error: Missing wamcompat_id_token in WAM case |
| lmo/consumers | False  | Works | Successfully gets a token                                                            |
| lmo/tenant_id | False  | -     | Error: Parameter prompt is duplicated                                                |

Note: ATS was not tested when ATI did not work.

Other MSALRuntime specific features that work as expected:

  • Get OS accounts
  • POP token

Other features that do not work:

  • ROPC also throws the "Missing wamcompat_id_token in WAM case" error.

Just to add one more note: when we get the "Parameter prompt is duplicated" error, passing in a login_hint suppresses it.

gladjohn avatar Jun 02 '23 17:06 gladjohn
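The workaround noted in the comment above (supplying a login hint so the broker skips the account-picker path), written out as an added C# example. This is not code from the issue or from the MSAL.NET repository; the client id, authority, scopes and the `loginHint` parameter are placeholders, and the silent-then-interactive structure is the usual MSAL pattern rather than anything the thread prescribes.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker; // from the Microsoft.Identity.Client.Broker NuGet package

// Added example, not MSAL.NET's own code. Shows ATS followed by ATI through the
// Windows broker (WAM), with a login hint on the interactive call. All identifiers
// below are placeholders.
public static class WamLoginHintExample
{
    private const string ClientId = "<CLIENT_ID>";                                   // placeholder
    private const string Authority = "https://login.microsoftonline.com/<TENANT_ID>"; // placeholder
    private static readonly string[] Scopes = { "User.Read" };                       // placeholder scope

    public static async Task<AuthenticationResult> AcquireTokenAsync(IntPtr parentWindowHandle, string loginHint)
    {
        IPublicClientApplication pca = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(Authority)
            .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
            .WithParentActivityOrWindow(() => parentWindowHandle)
            .Build();

        // ATS: try the cached/OS account first.
        IAccount account = (await pca.GetAccountsAsync()).FirstOrDefault();
        try
        {
            return await pca.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // ATI: the login hint identifies the account up front, so the broker does not
            // go through the account-picker flow where the thread observed the
            // "Parameter prompt is duplicated" error.
            return await pca.AcquireTokenInteractive(Scopes)
                .WithLoginHint(loginHint)
                .ExecuteAsync();
        }
        catch (MsalClientException ex) when (ex.ErrorCode == MsalError.AuthenticationCanceledError)
        {
            // The thread reports the WAM UI auto-dismissing with authentication_canceled;
            // surface it with the error code rather than retrying blindly.
            throw new InvalidOperationException($"Broker dismissed the prompt: {ex.ErrorCode}", ex);
        }
    }
}
```

The `catch` for `MsalClientException` matches the `authentication_canceled` code quoted earlier in the thread; it is there so the condition is logged with its error code instead of being treated as a generic failure.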

Some more notes based on investigation:

  • When you pass a login hint, we bypass the account-control logic, and the UI is then shown without the double-prompt error:

    bool launchAADWAMSelectAccount = noAccountPassed && noAccountHintPresent
        && !authParameters->GetAuthority()->HasConsumerRealm() && !authParameters->GetAuthority()->HasCommonRealm()
        && !IsConsumersPassthroughRequest;

  • RS1 AAD WAM adds prompt=login if the force-authentication flag is set. In addition, MSAL C++ adds prompt=select_account in account-picker flows, hence the double-prompt error.

  • Finally, there are errors seen for the token which could be related to the wamcompat_id issue:

<?xml version="1.0" encoding="utf-8"?><Error><Code>BlobNotFound</Code><Message>The specified blob does not exist.
RequestId:31bba523-b01e-003c-4c17-94e27b000000
Time:2023-05-31T23:26:32.0136782Z</Message></Error>

gladjohn avatar Jun 02 '23 17:06 gladjohn