AcquireTokenSilentAsync using Integrated authentication on Windows (Kerberos)

Bogdan Gavril edited this page Nov 22, 2018 · 15 revisions

Requirements

If your application runs on Windows (.NET Framework, UWP) on a machine which is either domain joined, or AAD joined and connected to the enterprise network (on premises, or through a VPN), it can benefit from another override of AcquireTokenSilent leveraging Windows Integrated Authentication (WIA). This uses Kerberos.

This method relies on a protocol exposed by Active Directory (AD). If a user was created in Azure Active Directory without AD backing (a "managed" user), this method will fail. Users created in AD and backed by AAD ("federated" users) can benefit from this non-interactive method of authentication.

Code

The code is really simple. You need to instantiate a UserCredential, and use the corresponding override of AcquireTokenAsync:

result = await context.AcquireTokenAsync(resource, clientId, new UserCredential());

Note that, sometimes, policies set by administrators on machines do not allow the logged-in user to be looked up. In that case you should use the constructor of UserCredential that takes the UPN of the user as a parameter, instead of the default, parameterless constructor. This is also the case for users whose machines are "Work And School" joined.

result = await context.AcquireTokenAsync(resource, clientId,
                                         new UserCredential("john@contoso.com"));


Note that this method is not available as part of the AuthenticationContext class, but as an AcquireTokenAsync extension method of the AuthenticationContextIntegratedAuthExtensions class. This extension method takes as a parameter, in addition to the resource and clientId of the public client application, an instance of UserCredential.
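The two calls above, combined into the fallback sequence the notes describe (parameterless UserCredential first, then an explicit UPN when policy blocks the lookup, and a clean failure for managed users so the caller can switch to interactive sign-in). This is an added example, not code from this wiki or from the ADAL samples; the authority, client id, resource and UPN are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example; authority, client id, resource and UPN are placeholder assumptions.
class WiaSample
{
    const string Authority = "https://login.microsoftonline.com/contoso.onmicrosoft.com";
    const string ClientId  = "<client-id-placeholder>";
    const string Resource  = "https://graph.microsoft.com";

    // Tries the parameterless UserCredential first (ADAL looks up the logged-in user),
    // then retries with an explicit UPN when machine policy blocks that lookup.
    // Returns null when WIA cannot succeed (e.g. a "managed" AAD user) so the caller
    // can fall back to interactive authentication instead of retrying blindly.
    static async Task<AuthenticationResult> AcquireViaWiaAsync(AuthenticationContext context, string fallbackUpn)
    {
        try
        {
            return await context.AcquireTokenAsync(Resource, ClientId, new UserCredential());
        }
        catch (AdalException ex)
        {
            Console.WriteLine($"WIA with logged-in user failed: {ex.ErrorCode}");
        }

        if (string.IsNullOrEmpty(fallbackUpn))
            return null;

        try
        {
            return await context.AcquireTokenAsync(Resource, ClientId, new UserCredential(fallbackUpn));
        }
        catch (AdalException ex)
        {
            Console.WriteLine($"WIA with explicit UPN failed: {ex.ErrorCode}");
            return null;
        }
    }

    static async Task Main()
    {
        var context = new AuthenticationContext(Authority);
        var result = await AcquireViaWiaAsync(context, "john@contoso.com");
        if (result == null)
        {
            Console.WriteLine("Integrated auth unavailable; fall back to interactive AcquireTokenAsync.");
            return;
        }
        // Log only non-secret metadata; never write the access token itself to logs.
        Console.WriteLine($"Token for {result.UserInfo?.DisplayableId} expires {result.ExpiresOn:u}");
    }
}
```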

Samples illustrating Windows Integrated Authentication

Sample: active-directory-dotnet-native-headless
Description: A Windows desktop program that demonstrates non-interactive authentication to Azure AD using a username and password and, optionally, Windows Integrated Authentication.