microsoft-authentication-library-for-dotnet: [Bug] Windows integrated authentication Azure AD and WinForms, Integrated Windows Auth is not supported for managed users
Which version of MSAL are you using? MSAL 4.10
Platform: .NET 4.6.1
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- Web App
- Authorization code
- OBO
- Web API
- OBO
Other? - please describe;
Is this a new or existing app?
c. This is a new app or experiment
Repro
Using:
```csharp
authResult = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync();
```
and
```csharp
authResult = await app.AcquireTokenByIntegratedWindowsAuth(scopes).ExecuteAsync();
```
I get the error: Integrated Windows Auth is not supported for managed users
Using the method:
```csharp
app.AcquireTokenInteractive
```
The application shows a prompt for the user to select which account to use (the prompt shows it is connected to Windows) and I don’t need to enter the password; right after I click the user it signs in and gets the token.
After I get the token and it is saved using PublicClientApp.UserTokenCache, on the next logins, even if the token is expired, I don’t need to select the account; the user signs in automatically using the method app.AcquireTokenSilent.
Expected behavior: it should get the token without user interaction.
Actual behavior: the method returns:
Microsoft.Identity.Client.MsalClientException: Integrated Windows Auth is not supported for managed users. See https://aka.ms/msal-net-iwa for details.
at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest
Possible Solution
Additional context / Logs / Screenshots: I have tried 2 options (none worked):
- A user created in Windows AD and then synced to AAD
- A user created in AAD and then created in Windows AD
Other info:
- Treat application as a public client is marked yes in the app registration.
- I used the same app registration with a web application (SPA) and using Microsoft Edge I can log in without user interaction; it signs in automatically.
- In Azure AD -> Seamless single sign-on | Enabled | 1 domain
About this issue
- State: closed
- Created 4 years ago
- Comments: 17 (11 by maintainers)
@jabbera never mind. I have just confirmed that it indeed works 😃 I used the following example: https://github.com/Azure-Samples/active-directory-dotnet-iwa-v2
@bgavrilMS
Why doesn’t MSAL support Seamless SSO? I can be unfederated and log in to SSMS with a password or any web page that supports Seamless SSO. This seems natural to support as part of the integrated workflow, no?
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell#active-directory-integrated-authentication
If I remember correctly, enabling seamless SSO would make the user discovery call report back a “federated” user without federation. MSAL makes the following call (please replace with your own user):
https://login.microsoftonline.com/common/userrealm/bogavril@microsoft.com?api-version=1.0
If seamless SSO was not configured correctly, please open a case with support to get some help. I am not sure anybody on the SDK can help further.
@mike7ang1rdz this is not an MSAL issue. MSAL can only perform SSO if the user realm reports back the correct response. The environment needs to be configured properly for this to work with MSAL.
I believe this can help explain a little more: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
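The user realm discovery call mentioned above is the check MSAL runs before attempting Integrated Windows Auth. The following is an added diagnostic, not MSAL's own code or part of this thread: it performs the same lookup (or parses a constructed sample response when run without arguments) and reads the `account_type` field of the api-version=1.0 response, which is "Managed" for the users hitting this exception and "Federated" when IWA can proceed. It assumes .NET 6 or later for System.Text.Json; the sample JSON and the domain in it are constructed.

```csharp
// Added diagnostic (not MSAL's own code): repeats the user-realm lookup that
// MSAL performs before Integrated Windows Auth and explains what the answer means.
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

static class RealmCheck
{
    // Constructed sample of what a managed (non-federated) tenant returns for a user.
    const string SampleManaged =
        "{\"ver\":\"1.0\",\"account_type\":\"Managed\",\"domain_name\":\"contoso.example\"}";

    // Extracts account_type ("Managed" / "Federated") from the realm JSON; "Unknown" if absent.
    public static string AccountType(string realmJson)
    {
        using var doc = JsonDocument.Parse(realmJson);
        return doc.RootElement.TryGetProperty("account_type", out var t)
            ? (t.GetString() ?? "Unknown")
            : "Unknown";
    }

    // Maps the realm answer to what MSAL will do with AcquireTokenByIntegratedWindowsAuth.
    public static string Explain(string accountType) => accountType switch
    {
        "Managed" => "managed user: AcquireTokenByIntegratedWindowsAuth throws "
                   + "'Integrated Windows Auth is not supported for managed users'; "
                   + "sign in once with AcquireTokenInteractive and rely on the token "
                   + "cache plus AcquireTokenSilent afterwards.",
        "Federated" => "federated user: Integrated Windows Auth is supported.",
        _ => "unexpected realm response; check the Azure AD / Seamless SSO configuration.",
    };

    static async Task Main(string[] args)
    {
        string json;
        if (args.Length == 0)
        {
            json = SampleManaged;                    // offline run on the constructed sample
        }
        else
        {
            // Same endpoint MSAL calls; args[0] is the user's UPN (replace with your own user).
            var url = "https://login.microsoftonline.com/common/userrealm/"
                    + Uri.EscapeDataString(args[0]) + "?api-version=1.0";
            using var http = new HttpClient();
            json = await http.GetStringAsync(url);
        }
        var type = AccountType(json);
        Console.WriteLine($"{type}: {Explain(type)}");
    }
}
```

Run it with a UPN as the only argument to query the live endpoint; with no argument it classifies the embedded managed-tenant sample.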