microsoft-authentication-library-for-dotnet: [Bug] Windows integrated authentication Azure AD and WinForms, Integrated Windows Auth is not supported for managed users

Which version of MSAL are you using? MSAL 4.10

Platform: .NET 4.6.1

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Other? - please describe;

Is this a new or existing app?

c. This is a new app or experiment

Repro

Using: authResult = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync(); and authResult = await app.AcquireTokenByIntegratedWindowsAuth(scopes).ExecuteAsync();

Get error: Integrated Windows Auth is not supported for managed users

Using the method app.AcquireTokenInteractive: the application shows a prompt for the user to select which account to use (the prompt shows it is connected to Windows) and I don't need to enter the password; right after I click the user it signs in and gets the token. After I get the token and it is saved using PublicClientApp.UserTokenCache, on the next logins, even if the token is expired, I don't need to select the account: the user signs in automatically using the method app.AcquireTokenSilent.

Expected behavior: it should get the token without user interaction.

Actual behavior: the methods return:

Microsoft.Identity.Client.MsalClientException: Integrated Windows Auth is not supported for managed users. See https://aka.ms/msal-net-iwa for details.

at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest

Possible Solution

Additional context / Logs / Screenshots: I have tried 2 options (none worked):

  • A user created in Windows AD and then synced to AAD
  • A user created in AAD and then created in Windows AD

other info:

  • Treat application as a public client is marked Yes in the app registration.

  • I used the same app registration with a web application (SPA), and using Microsoft Edge I can log in without user interaction; it signs in automatically.

  • In Azure AD -> Seamless single sign-on | Enabled | 1 domain
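The fallback chain the report describes (silent first, then Integrated Windows Auth, then interactive), written out as an added example; this is not code from the issue or from MSAL.NET itself. It assumes MSAL.NET 4.x (the builder/ExecuteAsync API the reporter is on), placeholder CLIENT_ID and TENANT_ID values from your own app registration with "Treat application as a public client" enabled, and the User.Read scope. The catch filter matches the MsalError constant MSAL.NET defines for the exception quoted above, so a managed user drops through to the interactive flow instead of surfacing the error.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET's own code. CLIENT_ID / TENANT_ID below are
// placeholders (assumption): replace them with values from your app registration.
public static class TokenAcquirer
{
    private static readonly string[] Scopes = { "User.Read" };

    public static IPublicClientApplication BuildApp(string clientId, string tenantId)
    {
        // Desktop public client; the default redirect URI is the one MSAL
        // registers for native clients.
        return PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithDefaultRedirectUri()
            .Build();
    }

    public static async Task<AuthenticationResult> AcquireAsync(IPublicClientApplication app)
    {
        var accounts = await app.GetAccountsAsync();
        var account = accounts.FirstOrDefault();

        // 1. Silent: served from the token cache, refreshing an expired access
        //    token with the cached refresh token. Throws only when the cache
        //    holds nothing usable for this account.
        if (account != null)
        {
            try
            {
                return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Cold or unusable cache: fall through to a non-silent flow.
            }
        }

        // 2. Integrated Windows Auth: works only when the user realm reports the
        //    domain as Federated. For a managed user MSAL throws
        //    MsalClientException with error code
        //    "integrated_windows_auth_not_supported_managed_user".
        try
        {
            return await app.AcquireTokenByIntegratedWindowsAuth(Scopes).ExecuteAsync();
        }
        catch (MsalClientException ex)
            when (ex.ErrorCode == MsalError.IntegratedWindowsAuthNotSupportedForManagedUser)
        {
            Console.WriteLine("IWA not available for a managed user; falling back to interactive.");
        }
        catch (MsalUiRequiredException)
        {
            // e.g. MFA or Conditional Access demanded by the tenant: interactive is required.
        }

        // 3. Interactive: the browser picks up the Windows session, so a Seamless
        //    SSO user typically only selects the account and enters no password.
        //    The result lands in the token cache, so the next run succeeds at step 1.
        var builder = app.AcquireTokenInteractive(Scopes);
        if (account != null)
        {
            builder = builder.WithAccount(account); // pre-select the cached account
        }
        return await builder.ExecuteAsync();
    }

    public static async Task Main()
    {
        var app = BuildApp("CLIENT_ID", "TENANT_ID"); // placeholders
        var result = await AcquireAsync(app);
        Console.WriteLine($"Signed in as {result.Account.Username}; token expires {result.ExpiresOn:u}");
    }
}
```

Because the interactive step writes to the token cache, the IWA exception is only ever hit on a cold cache. On .NET Framework the cache is in-memory unless you persist it with ITokenCache.SetBeforeAccess / SetAfterAccess, which this example leaves out; without persistence every process restart starts again at step 2.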

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 17 (11 by maintainers)

Most upvoted comments

@jabbera never mind. I have just confirmed that it indeed works 😃 I used the following example: https://github.com/Azure-Samples/active-directory-dotnet-iwa-v2

@bgavrilMS

You must configure AD to be federated.

Why doesn’t MSAL support Seamless SSO? I can be unfederated and log in to SSMS with a password or to any web page that supports Seamless SSO. This seems natural to support as part of the integrated workflow, no?

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell#active-directory-integrated-authentication

If I remember correctly, enabling seamless SSO would make the user discovery call report back a “federated” user without federation. MSAL makes the following call (please replace with your own user):

https://login.microsoftonline.com/common/userrealm/bogavril@microsoft.com?api-version=1.0

If seamless SSO was not configured correctly, please open a case with support to get some help. I am not sure anybody on the SDK can help further.
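The user realm lookup @bgavrilMS points to, turned into a small diagnostic, as an added example (not MSAL.NET's own code). It fetches the same userrealm endpoint for a UPN and reports whether the domain comes back Managed or Federated, which is the bit IWA depends on. The two embedded JSON responses are constructed samples shaped like the endpoint's two kinds of answer (field names as MSAL parses them), not captures from a real tenant; the code assumes a .NET Core / .NET 6 console app so that System.Text.Json is available.

```csharp
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not MSAL.NET code: reproduce the realm discovery call MSAL
// makes and say whether IWA is possible for the given UPN.
public static class RealmCheck
{
    public sealed class RealmInfo
    {
        public string AccountType { get; set; }          // "Managed" or "Federated"
        public string DomainName { get; set; }
        public string FederationProtocol { get; set; }   // e.g. "WSTrust" when federated
        public string FederationMetadataUrl { get; set; }
        // IWA needs a federated realm (on-prem STS); anything else is refused by MSAL.
        public bool IwaPossible =>
            string.Equals(AccountType, "Federated", StringComparison.OrdinalIgnoreCase);
    }

    // Pull the fields of interest out of a v1.0 userrealm response.
    public static RealmInfo Parse(string json)
    {
        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;
        string Get(string name) =>
            root.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String
                ? v.GetString()
                : null;
        return new RealmInfo
        {
            AccountType = Get("account_type"),
            DomainName = Get("domain_name"),
            FederationProtocol = Get("federation_protocol"),
            FederationMetadataUrl = Get("federation_metadata_url"),
        };
    }

    // Same endpoint the maintainer quotes; only the domain part of the UPN matters.
    public static async Task<RealmInfo> FetchAsync(HttpClient http, string upn)
    {
        var url = "https://login.microsoftonline.com/common/userrealm/"
                  + Uri.EscapeDataString(upn) + "?api-version=1.0";
        var json = await http.GetStringAsync(url);
        return Parse(json);
    }

    // Constructed sample responses (not from a real tenant), one per outcome.
    public const string SampleManaged =
        "{\"ver\":\"1.0\",\"account_type\":\"Managed\",\"domain_name\":\"contoso.example\"," +
        "\"cloud_instance_name\":\"microsoftonline.com\"," +
        "\"cloud_audience_urn\":\"urn:federation:MicrosoftOnline\"}";

    public const string SampleFederated =
        "{\"ver\":\"1.0\",\"account_type\":\"Federated\",\"domain_name\":\"contoso.example\"," +
        "\"federation_protocol\":\"WSTrust\"," +
        "\"federation_metadata_url\":\"https://sts.contoso.example/adfs/services/trust/mex\"," +
        "\"federation_active_auth_url\":\"https://sts.contoso.example/adfs/services/trust/2005/usernamemixed\"," +
        "\"cloud_instance_name\":\"microsoftonline.com\"," +
        "\"cloud_audience_urn\":\"urn:federation:MicrosoftOnline\"}";

    public static async Task Main(string[] args)
    {
        // Offline demonstration on the constructed samples.
        foreach (var sample in new[] { SampleManaged, SampleFederated })
        {
            var info = Parse(sample);
            Console.WriteLine($"{info.DomainName}: {info.AccountType} -> IWA possible: {info.IwaPossible}");
        }

        // Live lookup when a UPN is passed on the command line.
        if (args.Length == 1)
        {
            using var http = new HttpClient();
            var live = await FetchAsync(http, args[0]);
            Console.WriteLine($"{live.DomainName}: {live.AccountType} -> IWA possible: {live.IwaPossible}");
        }
    }
}
```

Run it as dotnet run -- someone@contoso.example to see the live answer for your tenant. If the realm reports Managed, that is the reason AcquireTokenByIntegratedWindowsAuth throws while the browser-based flows still sign in silently: Seamless SSO is a browser mechanism and does not change what this endpoint returns.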

@mike7ang1rdz this is not an MSAL issue. MSAL can only perform SSO if the user realm reports back the correct response. The environment needs to be configured properly for this to work with MSAL.

I believe this can help explain a little more: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start