Azure-Samples / active-directory-dotnet-windows-store

A Windows Store 8.1 or Windows 10 (UWP) application that uses Azure AD and the ADAL library to authenticate the user and call a web API using OAuth 2.0 access tokens.

Enterprise account failure #23

Closed tankztz closed 6 years ago

tankztz commented 6 years ago

After the registration process on Azure, I used my company email address (tianze.zhao@autodesk.com) to login. The app shows an error message before I key in my password. I can login with the other enterprise account I have from other organizations.

jmprieur commented 6 years ago

@tankztz :

  1. Did you go through this step: Step 4 (Optional): Enable Windows Integrated Authentication when using a federated Azure AD tenant?
  2. If you did, would your organization be using ADFS? And is your ADFS server reachable?

tankztz commented 6 years ago

@jmprieur Thanks

  1. I just went through the step 4 and tried again, but the error is still there.
  2. I'm not sure about the configuration of our company accounts. How can I check?

btw, does this mean this sample is not available for accounts not using ADFS?

jmprieur commented 6 years ago

This should work with ADFS, @tankztz, and also I see that apparently ADAL.NET does not even have a chance to get to the network, which tells me it's more a configuration issue on the app side. If your app is purely for ADFS scenarios, you might want to try this instead: https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/AcquireTokenSilentAsync-using-Integrated-authentication-on-Windows-(Kerberos) ?

tankztz commented 6 years ago

@jmprieur

My company account is implemented with LDAP, which should be almost the same scenario as ADFS, correct? My app should support all enterprise accounts if possible. The purpose of getting the token is exploring the files from OneDrive for Business.

I have tried another Azure sample app from you (https://github.com/Azure-Samples/active-directory-dotnet-native-uwp-wam) and I can use the same account to get a token. Does this mean there is some limitation with WebAuthenticationBroker?

jmprieur commented 6 years ago

Is your LDAP directory federated with Azure Active Directory, @tankztz? I believe that this is necessary.

tankztz commented 6 years ago

Thanks @jmprieur, I asked the team and I'm waiting for their answer.

My goal is to get the OneDrive for Business files from any organization's accounts, while this sample does not support accounts not federated with AAD. Is this understanding correct?

jmprieur commented 6 years ago

Indeed, @tankztz, the sample uses ADAL.NET, which does not support non-federated IdPs (other than Active Directory). Closing this for now since, I believe, you have the answer. Feel free to reopen if you wish.

tankztz commented 6 years ago

@jmprieur According to our analytics, 50% of organization accounts fail with this method. Could you suggest any other sample or method that supports all organization accounts?

jmprieur commented 6 years ago

@tankztz did you manage to understand what is special about the failing accounts? Would the federation use different versions of SAML?
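The two questions asked in this thread (is the domain federated with Azure AD at all, and over which protocol) can be answered without the app: ADAL itself starts by calling the public user-realm discovery endpoint for the sign-in name, and the `account_type` / `federation_protocol` it returns tells you which sign-in path ADAL.NET will take. The script below is an added example, not part of this sample or of either commenter's code. It assumes the endpoint `https://login.microsoftonline.com/common/userrealm/<upn>?api-version=1.0` and its documented JSON fields (`account_type`, `domain_name`, `federation_protocol`, `federation_active_auth_url`); the payloads in `CONSTRUCTED_RESPONSES` are made-up samples, not data from any real tenant.

```python
"""
Triage an Azure AD sign-in name: managed vs. federated domain, and whether
ADAL.NET's Windows Integrated Authentication path (WS-Trust) can apply.

Added example; assumes the public user-realm endpoint and its documented
fields. Sample payloads below are constructed, not real tenant data.
"""
import json
import sys
import urllib.parse
import urllib.request

# Assumed endpoint (same one ADAL queries before choosing a sign-in flow).
REALM_URL = "https://login.microsoftonline.com/common/userrealm/{upn}?api-version=1.0"

# Constructed sample payloads mirroring the endpoint's documented shape.
CONSTRUCTED_RESPONSES = {
    "managed": {
        "ver": "1.0", "account_type": "Managed",
        "domain_name": "contoso.example", "cloud_instance_name": "microsoftonline.com",
    },
    "federated": {
        "ver": "1.0", "account_type": "Federated",
        "domain_name": "fabrikam.example", "federation_protocol": "WSTrust",
        "federation_metadata_url": "https://adfs.fabrikam.example/adfs/services/trust/mex",
        "federation_active_auth_url": "https://adfs.fabrikam.example/adfs/services/trust/2005/usernamemixed",
        "cloud_instance_name": "microsoftonline.com",
    },
    "unknown": {
        "ver": "1.0", "account_type": "Unknown", "domain_name": "nowhere.example",
    },
}


def fetch_realm(upn: str, timeout: float = 10.0) -> dict:
    """Query the user-realm endpoint for a sign-in name (network access required)."""
    url = REALM_URL.format(upn=urllib.parse.quote(upn, safe=""))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def classify_realm(payload: dict) -> dict:
    """Map a user-realm payload to the sign-in path ADAL.NET will attempt."""
    account_type = payload.get("account_type") or "Unknown"
    proto = payload.get("federation_protocol")
    result = {
        "domain": payload.get("domain_name", ""),
        "account_type": account_type,
        "federation_protocol": proto,
        "wia_possible": False,      # non-interactive Integrated Auth needs WS-Trust
        "active_auth_url": payload.get("federation_active_auth_url"),
        "note": "",
    }
    if account_type == "Managed":
        result["note"] = "cloud-managed password; ADAL shows the Azure AD sign-in page"
    elif account_type == "Federated":
        if proto == "WSTrust":
            result["wia_possible"] = True
            result["note"] = ("AD FS / WS-Trust federation; Integrated Auth works only if "
                              "the active auth endpoint is reachable from the client")
        else:
            result["note"] = (f"federated over {proto or 'an unknown protocol'}; ADAL.NET "
                              "falls back to the interactive browser flow")
    else:
        result["note"] = "domain is not verified in Azure AD; sign-in cannot succeed here"
    return result


def triage(payloads: dict) -> dict:
    """Classify several payloads at once, keyed by the caller's labels."""
    return {label: classify_realm(p) for label, p in payloads.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live lookup: python realm.py user@domain
        print(json.dumps(classify_realm(fetch_realm(sys.argv[1])), indent=2))
    else:                                      # offline run over the constructed samples
        print(json.dumps(triage(CONSTRUCTED_RESPONSES), indent=2))
```

Run it with a sign-in name from each failing organization and compare the `account_type` and `federation_protocol` across them; a domain reported as `Unknown` is not verified in any Azure AD tenant, which matches the "fails before the password prompt" symptom better than an ADFS reachability problem does.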

tankztz commented 6 years ago

@jmprieur I am not able to find what is special about the failing accounts because we don't have enough failing accounts with different domains. According to what I know, all accounts with @autodesk.com will fail.

Thus I assume the failure is because of account settings from organization admin.