[Bug] Issue with MSAL 4.16.0 library when using Integrated Windows Authentication #1988

Closed
hiteshdasikamw opened this issue Aug 13, 2020 · 10 comments
Labels: P1, regression (Behavior that worked in a previous release that no longer works in a newer release)

Comments

hiteshdasikamw commented Aug 13, 2020

Which Version of MSAL are you using ?
MSAL 4.16.0

Platform
netcore

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Other? - please describe;

Is this a new or existing app?
c. This is a new app or experiment

Repro

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class Program
{
    static void Main(string[] args)
    {
        // Placeholders for the reporter's own app registration and test account.
        string clientId = "<client-id>", tenant = "<tenant-id>", authority = "<authority-url>", username = "<user@domain>";
        string[] scopes = { "<scope>" };
        IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId).WithTenantId(tenant).WithAuthority(authority).Build();
        try
        {
            // Blocking on .Result wraps the MSAL exception in the AggregateException shown below.
            Task<AuthenticationResult> result = app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername(username).ExecuteAsync();
            Console.Write(result.Result.AccessToken);
            Console.ReadLine();
        }
        catch (Exception exc)
        {
            Console.WriteLine(exc);
            // Both casts resolve to the same inner exception, so it prints twice in the output below.
            MsalException x = exc.InnerException as MsalException;
            Console.WriteLine(x);
            MsalClientException ex = exc.InnerException as MsalClientException;
            Console.WriteLine(ex);
        }
    }
}
```

The exception I get is shown below

Expected behavior
Expected to write access token onto the console.

Actual behavior
Below is the exception that occurs

System.AggregateException: One or more errors occurred. (Federated service at <Organization URL> returned error: ) ---> Microsoft.Identity.Client.MsalClientException: Federated service at <Organization URL> returned error:  ---> Microsoft.Identity.Client.MsalServiceException: Federated service at <Organization URL> returned error:
   at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, RequestContext requestContext)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.PerformWsTrustMexExchangeAsync(String federationMetadataUrl, String cloudAudienceUrn, UserAuthType userAuthType, String username, SecureString password)
   at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest.FetchAssertionFromWsTrustAsync()
   at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenByIntegratedWindowsAuthParameters integratedWindowsAuthParameters, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at MSALTest.Program.Main(String[] args) in source\repos\MSALTest\MSALTest\Program.cs:line 40
---> (Inner Exception #0) MSAL.NetCore.4.16.0.0.MsalClientException:
        ErrorCode: parsing_wstrust_response_failed
Microsoft.Identity.Client.MsalClientException: Federated service at <Organization URL> returned error:  ---> Microsoft.Identity.Client.MsalServiceException: Federated service at <Organization URL> returned error:
   at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, RequestContext requestContext)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.PerformWsTrustMexExchangeAsync(String federationMetadataUrl, String cloudAudienceUrn, UserAuthType userAuthType, String username, SecureString password)
   at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest.FetchAssertionFromWsTrustAsync()
   at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenByIntegratedWindowsAuthParameters integratedWindowsAuthParameters, CancellationToken cancellationToken)
Inner Excception: MSAL.NetCore.4.16.0.0.MsalServiceException:
        ErrorCode: federated_service_returned_error
Microsoft.Identity.Client.MsalServiceException: Federated service at <Organization URL> returned error:
   at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, RequestContext requestContext)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
        StatusCode: 401
        ResponseBody:
        Headers: Date: Mon, 10 Aug 2020 20:24:54 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
WWW-Authenticate: Negotiate
Set-Cookie: PF=QSEPNWjNTF0s1lakkLKluT;Path=/;Secure;HttpOnly;SameSite=None
Transfer-Encoding: chunked
<---

MSAL.NetCore.4.16.0.0.MsalClientException:
        ErrorCode: parsing_wstrust_response_failed
Microsoft.Identity.Client.MsalClientException: Federated service at <Organization URL> returned error:  ---> Microsoft.Identity.Client.MsalServiceException: Federated service at <Organization URL> returned error:
   at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, RequestContext requestContext)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.PerformWsTrustMexExchangeAsync(String federationMetadataUrl, String cloudAudienceUrn, UserAuthType userAuthType, String username, SecureString password)
   at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest.FetchAssertionFromWsTrustAsync()
   at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenByIntegratedWindowsAuthParameters integratedWindowsAuthParameters, CancellationToken cancellationToken)
Inner Excception: MSAL.NetCore.4.16.0.0.MsalServiceException:
        ErrorCode: federated_service_returned_error
Microsoft.Identity.Client.MsalServiceException: Federated service at <Organization URL> returned error:
   at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, RequestContext requestContext)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
        StatusCode: 401
        ResponseBody:
        Headers: Date: Mon, 10 Aug 2020 20:24:54 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
WWW-Authenticate: Negotiate
Set-Cookie: PF=QSEPNWjNTF0s1lakkLKluT;Path=/;Secure;HttpOnly;SameSite=None
Transfer-Encoding: chunked

Additional context/ Logs / Screenshots
Point to note here is that when I use MSAL 4.15.0 or below version, it works fine. It only happens from MSAL 4.16.0 and above versions.

@bgavrilMS (Member)

I think you are using some sort of federation and the federated server is refusing the connection. Are you maybe behind a proxy that requires auth?


Federated service at <Organization URL> returned error:
   at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, RequestContext requestContext)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
        StatusCode: 401

It might help to capture the traffic using Fiddler.

@bgavrilMS bgavrilMS added this to To do in Ongoing Support and OPS via automation Aug 13, 2020
@hiteshdasikamw (Author)

I am not behind any proxy actually. This works fine when I use MSAL 4.15.0. (The same code that I showed). I am trying to understand what is going wrong here.

jabbera (Contributor) commented Aug 13, 2020

We started receiving this error randomly beginning around Saturday and we didn't change what was in production. It's the reason why I submitted PR #1984 so hopefully I can figure out what's going on. Not having the body is an issue. We are unfederated with Seamless SSO.

@bgavrilMS (Member)

@jabbera - we plan to release MSAL 4.18 end of next week, but I've built a preview package that has your change - see attached (I had to rename to zip, but it's a nupkg).

Microsoft.Identity.Client.4.18.0-preview1.nupkg.zip

jabbera (Contributor) commented Aug 14, 2020

Thanks!

@KrothuTheCoder

I have had the same error with 4.17.1 when upgrading from 4.6.0 where the exact same code was working.

MSAL.NetCore.4.17.1.0.MsalClientException:
        ErrorCode: parsing_wstrust_response_failed
Microsoft.Identity.Client.MsalClientException: Federated service at https://<insert company dns>/adfs/services/trust/2005/windowstransport returned error:
 ---> MSAL.NetCore.4.17.1.0.MsalServiceException:
        ErrorCode: federated_service_returned_error
Microsoft.Identity.Client.MsalServiceException: Federated service at https://<insert company dns>/adfs/services/trust/2005/windowstransport returned error:
   at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, RequestContext requestContext)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
        StatusCode: 401
        ResponseBody:
        Headers: Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
Date: Mon, 17 Aug 2020 16:09:10 GMT

moanrose commented Sep 1, 2020

I am experiencing the same issue on MSAL 4.17.1

But I only see the issue on .NET Core (3.1); if I run the exact same code on .NET Framework (4.7.2) it works as intended.

If I downgrade MSAL to v. 4.15 the token acquisition works as intended

@trwalke trwalke self-assigned this Sep 3, 2020
@trwalke trwalke moved this from To do to To Do P1 in Ongoing Support and OPS Sep 3, 2020
@trwalke trwalke added this to Todo/Committed in MSAL.NET (legacy) via automation Sep 3, 2020
@trwalke trwalke removed this from To Do P1 in Ongoing Support and OPS Sep 3, 2020
@trwalke trwalke added the P1 and regression? labels and removed the regression label Sep 3, 2020
@trwalke trwalke moved this from Todo/Committed to In progress in MSAL.NET (legacy) Sep 9, 2020
@trwalke trwalke moved this from In progress to Blocked in MSAL.NET (legacy) Sep 11, 2020
@trwalke trwalke moved this from Blocked/Waiting for reply to In progress in MSAL.NET (legacy) Sep 14, 2020
trwalke (Member) commented Sep 14, 2020

Was able to reproduce. Investigating solution.

fstugren commented Sep 15, 2020

I have noticed the same change in behavior for AcquireTokenByIntegratedWindowsAuth when switching from Microsoft.Identity.Client version 4.15.0 to any of the newer versions. 4.15.0 is the last package version where my code works with AcquireTokenByIntegratedWindowsAuth. Older versions work too. As soon as I switch to 4.16.0 up to 4.18.0 (most recent version at the time I write this) the parsing_wstrust_response_failed error is thrown. This is for an application on .NET Core 3.1.

@trwalke trwalke moved this from In progress to Blocked/Waiting for reply in MSAL.NET (legacy) Sep 17, 2020
@bgavrilMS (Member)

This is the root cause: dotnet/runtime#26397 i.e. UseDefaultCredentials is broken.
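
To make the 401 discussed in this thread observable from the client side, here is an added diagnostic harness. It is not code from the issue and not MSAL.NET's own code: it hands MSAL an HttpClient whose handler you control through the library's IMsalHttpClientFactory extension point, probes the WS-Trust endpoint with that same client, and unwraps the MsalClientException/MsalServiceException pair to print the status, WWW-Authenticate header and body the federated service returned. The client id, tenant, scopes, username and the windowstransport URL are placeholders (assumptions, not values from the page). Whether a handler with UseDefaultCredentials = true actually answers the Negotiate challenge on a given .NET Core runtime is exactly what the linked runtime bug is about, so the probe's printed result on your build, not this code, is what settles it.

```csharp
// Added diagnostic example (not from the issue and not MSAL.NET's own code).
// Target: .NET Core 3.1 console app referencing Microsoft.Identity.Client 4.x.
// Assumptions (placeholders, not from the page): clientId, tenant, scopes,
// username and the WS-Trust endpoint URL must be replaced with your own values.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Gives MSAL an HttpClient we built, so the handler used for the WS-Trust
// (windowstransport) leg is known instead of whatever the library picked for
// this release. A single static instance, since HttpClient is meant to be reused.
sealed class NegotiateHttpClientFactory : IMsalHttpClientFactory
{
    private static readonly HttpClient s_client = new HttpClient(new HttpClientHandler
    {
        // Answer a Negotiate (Kerberos/NTLM) challenge with the process's Windows identity.
        // Whether this works on your runtime build is the open question in this issue.
        UseDefaultCredentials = true,
    });

    public HttpClient GetHttpClient() => s_client;
}

static class Program
{
    // Raw probe of the federation endpoint with the same client MSAL will use.
    // A 401 carrying "WWW-Authenticate: Negotiate" and an empty body is the
    // initial SPNEGO challenge, i.e. no credentials reached the server.
    static async Task<(int Status, string Challenge)> ProbeAsync(HttpClient client, Uri wsTrustEndpoint)
    {
        using var response = await client.GetAsync(wsTrustEndpoint);
        string challenge = string.Join(", ", response.Headers.WwwAuthenticate);
        return ((int)response.StatusCode, challenge);
    }

    static async Task<int> Main(string[] args)
    {
        // Placeholders (assumption): fill from your own tenant and app registration.
        string clientId = "<client-id>";
        string tenant = "<tenant-id>";
        string username = "user@contoso.com";
        string[] scopes = { "User.Read" };
        var wsTrustEndpoint = new Uri("https://<federation-host>/adfs/services/trust/2005/windowstransport");

        var factory = new NegotiateHttpClientFactory();

        var probe = await ProbeAsync(factory.GetHttpClient(), wsTrustEndpoint);
        Console.WriteLine($"Probe: HTTP {probe.Status}, WWW-Authenticate: {probe.Challenge}");

        var app = PublicClientApplicationBuilder.Create(clientId)
            .WithTenantId(tenant)
            .WithHttpClientFactory(factory)
            // MSAL's own log shows the MEX and WS-Trust exchange; PII logging stays off.
            .WithLogging((level, message, containsPii) => Console.WriteLine($"[MSAL {level}] {message}"),
                         LogLevel.Verbose, enablePiiLogging: false)
            .Build();

        try
        {
            // await rather than .Result: no AggregateException wrapper, so the MSAL
            // exception types can be caught directly instead of cast from InnerException.
            AuthenticationResult result = await app
                .AcquireTokenByIntegratedWindowsAuth(scopes)
                .WithUsername(username)
                .ExecuteAsync();
            Console.WriteLine($"Token acquired for {result.Account.Username}, expires {result.ExpiresOn:u}");
            return 0;
        }
        catch (MsalClientException ex) when (ex.InnerException is MsalServiceException svc)
        {
            // The shape reported in this issue: parsing_wstrust_response_failed wrapping
            // federated_service_returned_error. Print what the server actually answered.
            Console.WriteLine($"{ex.ErrorCode} <- {svc.ErrorCode}: HTTP {svc.StatusCode}");
            if (svc.Headers != null)
                Console.WriteLine($"WWW-Authenticate: {string.Join(", ", svc.Headers.WwwAuthenticate)}");
            Console.WriteLine($"Body: '{svc.ResponseBody}'");
            return 1;
        }
        catch (MsalException ex)
        {
            Console.WriteLine($"{ex.ErrorCode}: {ex.Message}");
            return 1;
        }
    }
}
```

Run it once against the package version that works for you and once against the one that fails: if the probe already comes back 401 with a bare Negotiate challenge on the failing build, the credentials never left the handler, which matches the runtime issue named above rather than anything in the token request itself.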

@bgavrilMS bgavrilMS self-assigned this Sep 30, 2020
@bgavrilMS bgavrilMS added regression Behavior that worked in a previous release that no longer works in a newer release and removed regression? labels Sep 30, 2020
@trwalke trwalke moved this from Blocked/Waiting for reply to In progress in MSAL.NET (legacy) Sep 30, 2020
bgavrilMS added a commit that referenced this issue Sep 30, 2020
* Revert to a simple static HttpClient on .netcore #1988

* Add a comment
@bgavrilMS bgavrilMS moved this from In progress to Fixed in MSAL.NET (legacy) Oct 1, 2020
@bgavrilMS bgavrilMS added this to the 4.20.0 milestone Oct 1, 2020
@bgavrilMS bgavrilMS added the Fixed label Oct 6, 2020
7 participants