Sp-dev-docs: Login with SharePointOnlineCredentials fails if password contains a character reserved by XML

Created on 24 Jan 2020 · 10 Comments · Source: SharePoint/sp-dev-docs

Category

  • [x] Bug

Describe the bug

Edit: I noticed that the error does not only occur for the five XML reserved characters, but also for other special characters.

Hello,
I have a problem when authenticating to SharePoint. The following code shows an authentication method you commonly find as an example for this task. It works fine for most accounts, but if the password contains a character that is reserved by XML (<>"'&) the login fails. I tried to escape the characters in different ways, but this does not help because then the password is not recognized correctly. What is the right way to handle passwords with special characters when coding a SharePoint authentication method?

using (ClientContext clientContext = new ClientContext("https://Test.sharepoint.com/sites/"))
{
    var passWord = new SecureString();
    string passwrd = "Password&";

    string encodedXml = HttpUtility.HtmlEncode(passwrd);

    foreach (char c in encodedXml.ToCharArray())
    {
        passWord.AppendChar(c);
    }

    clientContext.Credentials = new SharePointOnlineCredentials("[email protected]", passWord);

    Web web = clientContext.Web;
    Console.WriteLine(clientContext.Site);
    clientContext.Load(web);

    clientContext.ExecuteQuery();

    Console.WriteLine(web.Title);
    Console.ReadLine();
}

Best regards,
Mira

Steps to reproduce

  1. Use above code example to log in with a SharePoint account whose password contains one of the following characters: " ' < > &

Expected behavior

Terminal should print the title of the page you logged into.

Developer environment

  • OS: Windows 10
  • Framework: .NET Framework version 4.8.03752
  • Browser(s): Firefox 72.0.2
  • Tooling: Visual Studio Enterprise 2019 Version 16.4.2

Additional context

The problem does not only occur when using the Microsoft.SharePoint library. We originally wrote the SharePoint authentication in Delphi, and the same behavior appears there.

Thanks for your contribution! Sharing is caring.

csorest answered question

All 10 comments

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

The issue here seems to be the following line of code:

string encodedXml = HttpUtility.HtmlEncode(passwrd);

This will result in your password not being valid anymore, as the characters are changed, so you will not be able to log in. Just remove this step and you'll be good to go.

@MiraLorenz - I'm currently running code just like this and the passwords I use have special characters in them, including an & in one... it strikes me that maybe that's not your problem. Can you take the line out that's trying to encode your password and share the actual error message?

string password = "Password&";
SecureString sspassword = new SecureString();
foreach (char c in password)
{
    sspassword.AppendChar(c);
}

> The issue here seems to be the following line of code:
>
> string encodedXml = HttpUtility.HtmlEncode(passwrd);
>
> This will result in your password not being valid anymore, as the characters are changed, so you will not be able to log in. Just remove this step and you'll be good to go.

Unfortunately not. I initially used a login without escaping/encoding the password. And it worked just fine until someone tried to log in with a password that contained the mentioned characters. This line was just a try to escape the characters, but as I stated above it is not working, so I am looking for the right way to handle these characters.

> @MiraLorenz - I'm currently running code just like this and the passwords I use have special characters in them, including an & in one... it strikes me that maybe that's not your problem. Can you take the line out that's trying to encode your password and share the actual error message?
>
> string password = "Password&";
> SecureString sspassword = new SecureString();
> foreach (char c in password)
> {
>     sspassword.AppendChar(c);
> }

[image]
I took out the line that encoded the password. But this was not what caused the initial problem. It was just a try to fix it.
This is the error I get when I try to log in with a password that contains the mentioned characters.
But I also have the same issue if I use our Delphi code that uses a SAML/SOAP request. Here I get the following error:
AADSTS90023: Invalid STS request.

What could be useful to know: If I use the web client of SharePoint, I can log in normally with the accounts, so they definitely work.

Just to be super clear on the environment and versions: which CSOM NuGet package version are you using, and just to confirm, you are trying to sign in to SharePoint Online, correct?

XML special characters absolutely can be part of your password, so that's not the issue here.

@VesaJuvonen Thank you for your quick reply. I am using version 16.1.19515.12000.
Yes, I am signing in to SharePoint Online. The code does work if I use a password without one of these five characters.
I know that XML special characters are not prohibited by SharePoint. Using a password with them to log in via the web client works just fine. That is why I am wondering why it is a problem using the code above and how I can get it to work.

Hello @MiraLorenz

A colleague of mine wrote a blog post about the error message you are getting: "Identity Client Runtime Library (IDCRL) could not look up the realm information for a federated sign-in." Would you like to give his suggestions a try?

Link to the blog post

BTW, I tried to reproduce your code with a password like this k"m'?<0>3&L\s, but it did work for me.

I found the issue. In my Delphi code, characters reserved by XML need to be escaped with the CDATA tag. This just failed because I had a mistake in the domain part of the test account address I was using. So with fixing this error, the C# code also works as wanted.

Thank you all for your help :)
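
The distinction the thread arrives at, as an added example (not code from the issue or from the CSOM library): a password handed to a credential object must stay unmodified, while XML escaping belongs only at the point where a request body is serialized. The sample password and the `Password` element name are constructed placeholders, and `WebUtility.HtmlEncode` stands in for the `HttpUtility.HtmlEncode` call in the original post.

```csharp
using System;
using System.Net;
using System.Xml;
using System.Xml.Linq;

static class PasswordEncodingDemo
{
    // Read the root element's text back out, or return null if the
    // document is not well-formed XML.
    static string RoundTrip(string xml)
    {
        try { return XElement.Parse(xml).Value; }
        catch (XmlException) { return null; }
    }

    static void Main()
    {
        // Constructed sample password containing all five XML reserved characters.
        string password = "P<a>ss\"w'rd&1";

        // 1. Credential API path: the secret must reach the API unchanged.
        //    HTML-encoding it first yields a different string, i.e. a wrong password.
        string htmlEncoded = WebUtility.HtmlEncode(password);
        Console.WriteLine("HtmlEncode changes the secret: " + (htmlEncoded != password));

        // 2. Hand-built XML body (element name "Password" is a placeholder):
        //    raw concatenation produces a document that does not parse.
        string concatenated = "<Password>" + password + "</Password>";
        Console.WriteLine("Concatenated body parses: " + (RoundTrip(concatenated) != null));

        // 3. Let the XML API escape at serialization time; the receiving parser
        //    recovers the exact original value.
        string serialized = new XElement("Password", password).ToString();
        Console.WriteLine(serialized);
        Console.WriteLine("Serialized body round-trips: " + (RoundTrip(serialized) == password));

        // 4. Encoding before serialization double-escapes: the receiver sees
        //    the entity text instead of the password.
        string doubled = new XElement("Password", htmlEncoded).ToString();
        Console.WriteLine("Double-encoded body round-trips: " + (RoundTrip(doubled) == password));
    }
}
```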

Issues that have been closed & had no follow-up activity for at least 7 days are automatically locked. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: Issue List: Our approach to locked issues
