Microsoft-authentication-library-for-dotnet: [Bug] MSAL does not work on UWP once distributed

Created on 15 Oct 2019 · 4 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Which version of MSAL are you using?
Note that to get help, you need to run the latest version. Preview versions are also OK.
For ADAL, please log issues to https://github.com/AzureAD/azure-activedirectory-library-for-dotnet

MSAL 4.4.0
Platform

UWP

What authentication flow has the issue?

  • Desktop / Mobile

    • [x] Interactive

    • [ ] Integrated Windows Auth

    • [ ] Username Password

    • [ ] Device code flow (browserless)

  • Web App

    • [ ] Authorization code

    • [ ] OBO

  • Web API

    • [ ] OBO

Other? - please describe;

Is this a new or existing app?

This is a new experimental app that has been published. It works when running from Visual Studio, but not after it's published.

Repro

    using System;
    using System.Threading.Tasks;
    using Microsoft.Identity.Client;
    using Windows.UI.Popups;

    // ClientId and authority are the app registration values (not included in the report).
    private async Task SignInAsync()
    {
        string[] scopes = { "User.Read" };

        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(authority)
            .Build();
        try
        {
            // Interactive flow: opens the sign-in UI and returns the token result.
            var result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
            await new MessageDialog(result.AccessToken, "Token").ShowAsync();
        }
        catch (Exception e)
        {
            Console.WriteLine(e);
            await new MessageDialog(e.ToString(), "Error").ShowAsync();
        }
    }

Expected behavior
I expect the sign-in screen to show up to allow me to sign in, which works when debugging with Visual Studio. However, it does not work once the app is published. Additionally, this code works just fine on WPF.

Actual behavior
After entering my email, I get this error:

Additional context/ Logs / Screenshots
This code works just fine on all other platforms, such as Android, WPF, and iOS. It works if you are outside of our internal network, such as at home. It works if you are running Fiddler, as it turns on a proxy. We have worked with Microsoft and ensured that our network is set up correctly. It only stops working once UWP is distributed and it is on our internal network.

Logs

Here are the logs I got from using the WithLogging option.

Expected behavior (run from Visual Studio)

Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:34 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) MSAL MSAL.UAP with assembly version '4.4.0.0'. CorrelationId(3c8ec8c7-9a88-437a-892a-7a72827e5f76)
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:34 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:34 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

Verbose: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:34 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False
Verbose: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:35 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True
Verbose: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:35 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) [Instance Discovery] After hitting the discovery endpoint, the network provider found an entry for login.microsoftonline.com ? True
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:35 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) Resolving authority endpoints... Already resolved? - FALSE
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) Based on auth code received from STS, broker invocation is not required.
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) Checking client info returned from the server..
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) Saving Token Response to cache..
Verbose: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True
Verbose: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) [Instance Discovery] The network provider found an entry for login.microsoftonline.com
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) Looking for scopes for the authority in the cache which intersect with User.Read
Verbose: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) Intersecting scopes found - DeviceManagementApps.Read.All DeviceManagementApps.ReadWrite.All Directory.AccessAsUser.All Directory.Read.All email Files.Read.Selected Files.ReadWrite Files.ReadWrite.All Files.ReadWrite.AppFolder Files.ReadWrite.Selected Group.Read.All Group.ReadWrite.All Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All openid People.Read profile Sites.Read.All Sites.ReadWrite.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) Intersecting scope entries count - 1
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) Matching entries after filtering by user - 1
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) Saving RT in cache...
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55] (UnknownClient: 0.0.0.0) Deserialized 1 items to token cache.
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:55] (UnknownClient: 0.0.0.0) Serializing token cache with 1 items.
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:14:56 - 3c8ec8c7-9a88-437a-892a-7a72827e5f76] (UnknownClient: 0.0.0.0) === Token Acquisition finished successfully. An access token was returned with Expiration Time: 10/15/2019 15:14:54 +00:00 ===

Actual behavior (when distributed)

Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:18:54 - cb80ce10-11cf-419d-bb01-085247697b36] (UnknownClient: 0.0.0.0) MSAL MSAL.UAP with assembly version '4.4.0.0'. CorrelationId(cb80ce10-11cf-419d-bb01-085247697b36)
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:18:54 - cb80ce10-11cf-419d-bb01-085247697b36] (UnknownClient: 0.0.0.0) === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:18:54 - cb80ce10-11cf-419d-bb01-085247697b36] (UnknownClient: 0.0.0.0) === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

Verbose: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:18:54 - cb80ce10-11cf-419d-bb01-085247697b36] (UnknownClient: 0.0.0.0) [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False
Verbose: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:18:55 - cb80ce10-11cf-419d-bb01-085247697b36] (UnknownClient: 0.0.0.0) [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True
Verbose: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:18:55 - cb80ce10-11cf-419d-bb01-085247697b36] (UnknownClient: 0.0.0.0) [Instance Discovery] After hitting the discovery endpoint, the network provider found an entry for login.microsoftonline.com ? True
Info: (False) MSAL 4.4.0.0 MSAL.UAP N/A [10/15/2019 14:18:55 - cb80ce10-11cf-419d-bb01-085247697b36] (UnknownClient: 0.0.0.0) Resolving authority endpoints... Already resolved? - FALSE

Labels: question, Mobile-UWP

All 4 comments

Hi @chrisevans9629, did you follow the steps we have outlined in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/UWP-specifics ? Also the page links to a few samples which will tell you more on how to setup your application.

Running the command below seemed to have fixed the issue, along with enabling use corporate network. Is this something that we'll have to turn on on every computer?
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe" /v EnablePrivateNetwork /t REG_DWORD /d 1 /f

It seems like in some enterprises they have this value off. So far we have found this to be the approach but enterprises might be able to push this setting via group policies.

A similar issue was reported some time back for ADAL.
https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/issues/1032

I added a policy in Group Policy to set this registry value. We've had this issue for a while actually and have just been setting a proxy as a workaround. Glad to get this fixed.
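As an added example that is not part of the thread or the MSAL project, the following PowerShell audits the two settings the comments above point to: the authhost.exe EnablePrivateNetwork registry value and the UWP manifest capabilities. The capability names are an assumption about what the manifest's corporate-network option maps to, and the manifest path is a placeholder.

```powershell
# Added example, not code from the issue thread or the MSAL project: audit the two
# settings the thread identifies for a distributed UWP app on a corporate network,
# the authhost.exe IFEO value and the app manifest capabilities.
# Assumption: the "use corporate network" manifest setting mentioned in the thread maps
# to the privateNetworkClientServer and enterpriseAuthentication capabilities.

$AuthHostKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe'

function Test-AuthHostPrivateNetwork {
    # True only when EnablePrivateNetwork exists under the authhost.exe key and equals 1.
    $props = Get-ItemProperty -Path $AuthHostKey -Name 'EnablePrivateNetwork' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return ([int]$props.EnablePrivateNetwork -eq 1)
}

function Get-MissingCapabilities {
    param([Parameter(Mandatory)][string]$ManifestPath)
    # Parse Package.appxmanifest and list the expected capabilities that are not declared.
    [xml]$manifest = Get-Content -Path $ManifestPath -Raw
    $declared = @()
    foreach ($node in $manifest.Package.Capabilities.ChildNodes) {
        # Covers <Capability>, <uap:Capability> and <DeviceCapability>; skips comments.
        if ($node -is [System.Xml.XmlElement] -and $node.HasAttribute('Name')) {
            $declared += $node.GetAttribute('Name')
        }
    }
    $expected = @('privateNetworkClientServer', 'enterpriseAuthentication')
    return @($expected | Where-Object { $declared -notcontains $_ })
}

function Invoke-CorpNetworkAudit {
    param([Parameter(Mandatory)][string]$ManifestPath)
    $findings = @()
    if (-not (Test-AuthHostPrivateNetwork)) {
        $findings += 'authhost.exe EnablePrivateNetwork is absent or not 1; set it to REG_DWORD 1 locally or via a Group Policy registry preference.'
    }
    foreach ($cap in Get-MissingCapabilities -ManifestPath $ManifestPath) {
        $findings += "Manifest does not declare the '$cap' capability."
    }
    if ($findings.Count -eq 0) { Write-Host 'OK: registry value and manifest capabilities are in place.' }
    else { $findings | ForEach-Object { Write-Warning $_ } }
    return $findings
}

# Usage (the path is a placeholder for your project's manifest):
Invoke-CorpNetworkAudit -ManifestPath '.\Package.appxmanifest'
```

Run it on a machine where the distributed app fails and on one where it works; a non-empty findings list on the failing machine points at the same two settings the thread settled on.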
