
MSAL Error - Target Principal Name Incorrect with Federated IWA #2159

Closed
1 of 7 tasks
pseabury opened this issue Nov 2, 2020 · 12 comments
pseabury commented Nov 2, 2020

MSAL 4.22.0 via Microsoft.Identity.Client nuget

Platform
Net Core 3.1

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Other? - please describe;

Is this a new or existing app?
Existing App - experiment to use AAD Federated Users from local ADFS and enable IWA for those users

Repro
See https://stackoverflow.com/questions/64615805/msal-error-target-principal-name-incorrect-with-federated-iwa

Expected behavior
User signed in on local domain should be authenticated via IWA

Actual behavior
Microsoft.Identity.Client.MsalClientException: 'The target principal name is incorrect.'

Possible Solution
N/A - possibly provide more details on how to fix in the exception message itself.

Additional context/ Logs / Screenshots
See previous link for screenshots, etc.
Logs include PII and can be sent privately.

bgavrilMS self-assigned this Nov 2, 2020

bgavrilMS (Member) commented

The 401 is strange. Are you behind a proxy?

Could you try the exact same code from a .NET classic (not Core) application? The way .NET handles the default proxy creds has changed between .NET Framework and ".NET" (i.e. .NET Core).


pseabury commented Nov 2, 2020

> The 401 is strange. Are you behind a proxy?
>
> Could you try the exact same code from a .NET classic (not Core) application? The way .NET handles the default proxy creds has changed between .NET Framework and ".NET" (i.e. .NET Core).

No proxy normally. I was behind Fiddler to capture the 401s, but only because I was getting the same error without it. I'll try to repro on .NET 4.x.


pseabury commented Nov 2, 2020

With .NET Framework 4.7 I get a slightly different exception message:

Microsoft.Identity.Client.MsalClientException: 'Federated service at https://adfs.ad.vandelay.local/adfs/services/trust/2005/windowstransport returned error:'

But the same textual error code:

parsing_wstrust_response_failed

Stack:

```
at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.d__6.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest.d__4.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest.d__3.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__13.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.d__4.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at TestMSAL.Program.GetToken2() in C:\Temp\TestMSAL_Net47\Program.cs:line 62
at TestMSAL.Program.<>c.<Main>b__5_2(Context ctx) in C:\Temp\TestMSAL_Net47\Program.cs:line 53
at Polly.Policy.<>c__DisplayClass116_0`1.b__0(Context ctx, CancellationToken ct)
at Polly.Retry.RetryEngine.Implementation[TResult](Func`3 action, Context context, CancellationToken cancellationToken, ExceptionPredicates shouldRetryExceptionPredicates, ResultPredicates`1 shouldRetryResultPredicates, Action`4 onRetry, Int32 permittedRetryCount, IEnumerable`1 sleepDurationsEnumerable, Func`4 sleepDurationProvider)
```

I have the MSAL logging turned on, but it has PII in it so I can send it along separately if needed.


bgavrilMS commented Nov 4, 2020

Is the identity provider configured to output SAML 2.0? We have a bunch of issues in this area since there are just so many ways of outputting the SAML document.

Also have a look at #2159


pseabury commented Nov 4, 2020

> Is the identity provider configured to output SAML 2.0? We have a bunch of issues in this area since there are just so many ways of outputting the SAML document.
>
> Also have a look at #2159

2159 is this issue...

Here are the endpoints configured on the ADFS server:

(image: screenshot of the ADFS endpoint configuration)

bgavrilMS (Member) commented

Apologies, I mean this issue: #2152


pseabury commented Nov 4, 2020

> Apologies, I mean this issue: #2152

I don't think #2152 applies because I am importing from ADFS, not a 3rd party. The only IdPs in my scenario are AAD and ADFS.


pseabury commented Nov 5, 2020

Is there any further debugging I can do to figure this out, @bgavrilMS? Should I check out the source and run the test project against that?


bgavrilMS commented Nov 5, 2020

@pseabury - did you try to open a support case with Microsoft? My team doesn't know that much about ADFS configuration. Generally this type of issue occurs when the SAML is not in 2.0 format, but an older version.

@henrik-me @jmprieur - who else could help out here? CxP team maybe? (note that this is AAD & ADFS only)


jmprieur commented Nov 5, 2020

@maliksahil or @kalyankrishna1 : is it something you could help with?


pseabury commented Nov 6, 2020

@bgavrilMS It looks like someone from the MSFT Identity team answered one of my questions related to this on SO. At least I'm on to the next step, thanks!

https://stackoverflow.com/questions/64615805/msal-error-target-principal-name-incorrect-with-federated-iwa/64713590#64713590

bgavrilMS (Member) commented

This is a common known issue, see troubleshooting steps: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication

Or better yet, use WAM https://aka.ms/msal-net-wam
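The flow discussed in this thread, written out as an added example (not code from the issue reporter or from the MSAL.NET project): it builds a public client for the Integrated Windows Auth flow, turns on MSAL logging with PII redacted so that a trace like the one requested above can be shared without scrubbing, tries the token cache before touching the federation endpoint, and maps the `parsing_wstrust_response_failed` error code reported here to a message that points at the ADFS/WS-Trust configuration rather than exposing the raw response. `ClientId`, `TenantId`, the `User.Read` scope and the optional UPN are placeholders or assumptions; the `.WithUsername()` call reflects that IWA on .NET Core cannot discover the logged-on user on its own.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example; placeholders below must be replaced with your own app registration values.
public static class IwaTokenAcquirer
{
    private const string ClientId = "<your-app-registration-client-id>"; // placeholder
    private const string TenantId = "<your-tenant-id>";                   // placeholder
    private static readonly string[] Scopes = { "User.Read" };            // assumed scope

    public static IPublicClientApplication BuildApp()
    {
        return PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            // enablePiiLogging: false keeps UPNs, tokens and tenant identifiers out of the
            // trace, so the log can be attached to an issue without a separate PII review.
            .WithLogging(
                (level, message, containsPii) =>
                {
                    if (!containsPii)
                        Console.Error.WriteLine($"[MSAL {level}] {message}");
                },
                LogLevel.Verbose,
                enablePiiLogging: false,
                enableDefaultPlatformLogging: false)
            .Build();
    }

    // upn is optional on .NET Framework; on .NET Core the IWA flow needs it because the
    // library cannot determine the signed-in domain user by itself.
    public static async Task<AuthenticationResult> AcquireAsync(
        IPublicClientApplication app, string upn = null)
    {
        // A cached token is served silently and never hits ADFS or the WS-Trust endpoint.
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Cache miss or expired refresh token: fall through to IWA.
            }
        }

        var builder = app.AcquireTokenByIntegratedWindowsAuth(Scopes);
        if (!string.IsNullOrEmpty(upn))
            builder = builder.WithUsername(upn);

        try
        {
            return await builder.ExecuteAsync();
        }
        catch (MsalClientException ex) when (ex.ErrorCode == "parsing_wstrust_response_failed")
        {
            // The federated IdP answered the WS-Trust request with a document MSAL could not
            // parse (the symptom in this thread). Surface the error code and where to look,
            // not the response body, which may carry identity data.
            throw new InvalidOperationException(
                $"IWA failed at the federation endpoint (MSAL error code '{ex.ErrorCode}'). " +
                "Check the ADFS WS-Trust windowstransport endpoint and the SAML token version " +
                "against the MSAL.NET Integrated Windows Authentication troubleshooting wiki.",
                ex);
        }
    }

    public static async Task Main()
    {
        var app = BuildApp();
        var result = await AcquireAsync(app, upn: Environment.GetEnvironmentVariable("IWA_UPN"));
        Console.WriteLine($"Token acquired for tenant {result.TenantId}, expires {result.ExpiresOn:u}");
    }
}
```

The filter on `containsPii` inside the callback is belt-and-braces: with `enablePiiLogging: false` MSAL already suppresses PII messages, but keeping the check means a later change to that flag does not silently start writing user identifiers to the console. Other `MsalClientException` error codes are deliberately left to propagate so they stay distinguishable when comparing .NET Framework and .NET Core behaviour, as was done in this thread.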
