AcquireTokenSilentAsync using Integrated authentication on Windows (Kerberos)
If your application runs on Windows (.NET Framework, UWP) on a machine that is either domain joined, or AAD joined and connected to the enterprise network (on premises, or through a VPN), it can benefit from another override of `AcquireTokenSilent` leveraging Windows Integrated Authentication (WIA). This uses Kerberos.
This method relies on a protocol exposed by Active Directory (AD). If a user was created in Azure Active Directory without AD backing (a "managed" user), this method will fail. Users created in AD and backed by AAD ("federated" users) can benefit from this non-interactive method of authentication.
The code is really simple. You need to instantiate a `UserCredential`, and use the corresponding override of

```csharp
result = await context.AcquireTokenAsync(resource, clientId, new UserCredential());
```
Note that, sometimes, policies set by administrators on machines do not allow the logged-in user to be looked up. In that case, use the constructor of `UserCredential` that takes the UPN of the user as a parameter, instead of the default, parameterless constructor. This is also the case for users that are "Work And School" joined.
```csharp
result = await context.AcquireTokenAsync(resource, clientId, new UserCredential("email@example.com"));
```
Note that this method is not available as part of the `AuthenticationContext` class, but as an `AcquireTokenAsync` extension method of the `AuthenticationContextIntegratedAuthExtensions` class. This extension method takes as a parameter, in addition to the resource and clientId of the public client application, an instance of
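
The two calls above combined into one flow, as an added example that is not code from the ADAL.NET project: it tries the parameterless `UserCredential` first, retries with an explicit UPN when one is supplied, and reports the failure a managed user would hit. The class name, method name and the `Authority`, `Resource` and `ClientId` placeholders are assumptions made for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class IntegratedAuthExample
{
    // Placeholder values (assumptions): replace with your tenant, resource and app registration.
    private const string Authority = "https://login.microsoftonline.com/<tenant>";
    private const string Resource = "<resource-uri>";
    private const string ClientId = "<client-id-guid>";

    // upn is optional; pass it when machine policy prevents looking up the logged-in user.
    public static async Task<AuthenticationResult> AcquireWithWiaAsync(string upn = null)
    {
        var context = new AuthenticationContext(Authority);
        try
        {
            // First attempt: let ADAL resolve the logged-in Windows user.
            return await context.AcquireTokenAsync(Resource, ClientId, new UserCredential());
        }
        catch (AdalException ex) when (!string.IsNullOrEmpty(upn))
        {
            // The page does not name the error code for a failed user lookup,
            // so this sketch retries once with the explicit UPN on any ADAL error.
            Console.Error.WriteLine($"WIA without UPN failed: {ex.ErrorCode}");
            return await context.AcquireTokenAsync(Resource, ClientId, new UserCredential(upn));
        }
    }

    public static async Task Main(string[] args)
    {
        try
        {
            var result = await AcquireWithWiaAsync(args.Length > 0 ? args[0] : null);
            // Log who the token is for and when it expires, never the token itself.
            Console.WriteLine($"Token for {result.UserInfo?.DisplayableId}, expires {result.ExpiresOn:u}");
        }
        catch (AdalException ex)
        {
            // Expected for managed (cloud-only) users: the caller has to use another flow.
            Console.Error.WriteLine($"Integrated authentication failed: {ex.ErrorCode}");
        }
    }
}
```

The `using Microsoft.IdentityModel.Clients.ActiveDirectory;` directive is what brings the `AuthenticationContextIntegratedAuthExtensions` extension method into scope.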
Samples illustrating Windows Integrated Authentication

| Sample | Description |
|---|---|
| active-directory-dotnet-native-headless | A Windows desktop program that demonstrates non-interactive authentication to Azure AD using a username & password and optionally Windows Integrated Authentication. |