MSAL Error - Target Principal Name Incorrect with Federated IWA #2159
Comments
The 401 is strange. Are you behind a proxy? Could you try the exact same code from a .NET classic (not Core) application? The way .NET handles the default proxy creds has changed between .NET Framework and ".NET" (i.e. .NET Core).
No proxy normally. Was behind Fiddler to capture the 401s, but that's only because I was getting the same error without it. I'll try and repro on .NET 4.x.
With .NET Framework 4.7 I get a slightly different exception message:
But the same textual error code:
Stack:
I have the MSAL logging turned on, but it has PII in it, so I can send it along separately if needed.
Is the identity provider configured to output SAML 2.0? We have a bunch of issues in this area since there are just so many ways of outputting the SAML document. Also have a look at #2159
2159 is this issue... Here are the endpoints configured on the ADFS server:
Apologies, I mean this issue: #2152 |
Is there any further debugging I can do to figure this out @bgavrilMS ? Should I check out the source and run the test project against that? |
@pseabury - did you try to open a support case with Microsoft? My team doesn't know that much about ADFS configuration. Generally this type of issue occurs when the SAML is not in 2.0 format but an older version. @henrik-me @jmprieur - who else could help out here? CxP team maybe? (note that this is AAD & ADFS only)
@maliksahil or @kalyankrishna1 : is it something you could help with? |
@bgavrilMS It looks like someone from the MSFT Identity team answered one of my questions related to this on SO. At least I'm on to the next step, thanks! |
This is a common known issue, see troubleshooting steps: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication Or better yet, use WAM https://aka.ms/msal-net-wam |
MSAL version: 4.22.0 via the Microsoft.Identity.Client NuGet package
Platform
.NET Core 3.1
What authentication flow has the issue?
Other: Integrated Windows Authentication (IWA) for federated users
Is this a new or existing app?
Existing app - experiment to use AAD federated users from local ADFS and enable IWA for those users
Repro
See https://stackoverflow.com/questions/64615805/msal-error-target-principal-name-incorrect-with-federated-iwa
Expected behavior
User signed in on local domain should be authenticated via IWA
Actual behavior
Microsoft.Identity.Client.MsalClientException: 'The target principal name is incorrect.'
Possible Solution
N/A - possibly provide more details on how to fix in the exception message itself.
Additional context/ Logs / Screenshots
See previous link to screenshots etc.
Logs include PII and can be sent privately.
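To make the reported failure reproducible and the trace shareable, here is an added example of the IWA flow the report describes, written for this page and not taken from the issue or from the MSAL.NET repository. It enables MSAL logging with PII disabled (so the log does not need to be sent privately), surfaces the MSAL ErrorCode rather than only the exception message, and falls back to interactive sign-in when the silent IWA path fails. ClientId, TenantId, the scope list, the redirect URI and the UPN construction are placeholders assumed for the example; the WAM broker the maintainer recommends is not shown.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not code from the issue or the MSAL repo.
// All identifiers below (client id, tenant, scopes, UPN) are placeholders.
public static class IwaDemo
{
    private const string ClientId = "00000000-0000-0000-0000-000000000000"; // assumption
    private const string TenantId = "contoso.onmicrosoft.com";              // assumption
    private static readonly string[] Scopes = { "User.Read" };              // assumption

    public static async Task<AuthenticationResult> SignInAsync(string upn)
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost") // only needed by the interactive fallback
            .WithLogging(
                (level, message, containsPii) =>
                {
                    // enablePiiLogging is false below, so containsPii is never true here;
                    // the guard keeps the trace clean if that setting is later changed.
                    if (!containsPii)
                        Console.Error.WriteLine($"[MSAL {level}] {message}");
                },
                LogLevel.Verbose,
                enablePiiLogging: false,
                enableDefaultPlatformLogging: false)
            .Build();

        try
        {
            // Silent path: uses the Kerberos/NTLM identity of the logged-on domain user.
            // For a federated tenant MSAL discovers the user realm, obtains a SAML token
            // from the on-prem STS (ADFS) over WS-Trust, then exchanges it at AAD.
            return await app.AcquireTokenByIntegratedWindowsAuth(Scopes)
                .WithUsername(upn)
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            Console.Error.WriteLine($"IWA needs user interaction ({ex.ErrorCode}): {ex.Message}");
        }
        catch (MsalClientException ex)
        {
            // The exception type in the report ("The target principal name is incorrect.").
            // ErrorCode is the stable, PII-free string to quote in a bug report.
            Console.Error.WriteLine($"IWA failed client-side ({ex.ErrorCode}): {ex.Message}");
        }
        catch (MsalServiceException ex)
        {
            Console.Error.WriteLine(
                $"STS/AAD rejected the request ({ex.ErrorCode}, HTTP {ex.StatusCode}): {ex.Message}");
        }

        // Fallback: system browser sign-in keeps the app usable while the ADFS/IWA issue is investigated.
        return await app.AcquireTokenInteractive(Scopes)
            .WithLoginHint(upn)
            .ExecuteAsync();
    }

    public static async Task Main()
    {
        // Assumption: the user's UPN is the domain logon name at the federated domain.
        string upn = Environment.UserName + "@contoso.com";
        AuthenticationResult result = await SignInAsync(upn);
        Console.WriteLine($"Signed in as {result.Account.Username}, token expires {result.ExpiresOn:u}");
    }
}
```

Run it as a .NET Core 3.1 console app on a domain-joined machine logged on as a federated user; the `[MSAL Verbose]` lines on stderr show the realm discovery and WS-Trust exchange that precede the error, and the `ErrorCode` printed from the catch block is what to quote when reporting.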