Closed Ofekw closed 6 years ago
This is blocking several of our deployments - any info would be really appreciated. Thanks!
@Ofekw - Thank you for reporting this and apologies for not picking it up earlier. Would it be possible to collect some logs and send to me ? If you do not wish to post them here, please send me an email - bogavril@microsoft.com
It would also be helpful to include a Fiddler trace.
I'll get these to you next week. Cheers for following up!
Hi @Ofekw - thank you for sending more details. I had a look at the exception more thoroughly and I believe this is a deployment problem.
The exception you are getting is a TypeAccessException:
"Attempt by method 'Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions+<AcquireTokenAsync>d__0.MoveNext()' to access method 'Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenCommonAsync(System.String, System.String, Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential)' failed."
This suggests that you are missing a DLL reference. The actual method is here:
A few ideas:
using Microsoft.IdentityModel.Clients.ActiveDirectory;
// Passing an empty UserCredential causes ADAL to use Integrated Windows Authentication (IWA)
// for the current domain user. On ADAL 3.x this AcquireTokenAsync extension ships in the
// separate ...ActiveDirectory.Platform assembly, which 4.x merged into the main assembly.
UserCredential userCredential = new UserCredential();
AuthenticationContext authenticationContext = new AuthenticationContext(authority);
var result = await authenticationContext.AcquireTokenAsync(resource, clientId, userCredential).ConfigureAwait(false);
return result.AccessToken;
More context to keep track of conversation:
My test script is obtaining the three dependencies directly from nuget:
<packages>
<package id="Microsoft.Azure.KeyVault" version="3.0.1" targetFramework="net461" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.1.0-preview" targetFramework="net461" />
<package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="4.3.0" targetFramework="net461" />
</packages>
The problem arises because we have to reference Microsoft.IdentityModel.Clients.ActiveDirectory version 4+ in most of our solutions. However, Microsoft.Azure.Services.AppAuthentication references Microsoft.IdentityModel.Clients.ActiveDirectory 3.14.2, which still had the ActiveDirectory.Platforms.dll.
Now when we try and make auth calls with ActiveDirectory 4.3, we get:
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. Could not load file or assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory.Platform, Version=3.14.2.11, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
Even with a binding redirect this fails because the Platforms namespace is now merged into ActiveDirectory.
The simple fix would be to update the Microsoft.IdentityModel.Clients.ActiveDirectory in Azure.Services.AppAuthentication.
PR to fix this issue: https://github.com/Azure/azure-sdk-for-net/pull/5007
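As an added diagnostic (not code from this thread, from ADAL.NET or from the Azure SDK): a small console tool that scans a deployed bin folder and reports, for every assembly, which ADAL version it was compiled against versus the one actually present, so the 3.x/4.x split and the missing Platform DLL described above surface at deployment time instead of as a TypeAccessException on the first token call. The bin-folder argument, the tool name and the exit-code convention are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;

// Added example: reports ADAL version mismatches between what each deployed
// assembly references and what is actually in the bin folder (.NET Framework).
static class AdalReferenceCheck
{
    const string Adal = "Microsoft.IdentityModel.Clients.ActiveDirectory";

    static int Main(string[] args)
    {
        // Assumption: first argument is the bin folder; defaults to the app base directory.
        string binDir = args.Length > 0 ? args[0] : AppDomain.CurrentDomain.BaseDirectory;
        string[] dlls = Directory.GetFiles(binDir, "*.dll");

        // Identity (name -> version) of every managed assembly physically present.
        var deployed = dlls
            .Select(p => { try { return AssemblyName.GetAssemblyName(p); } catch (BadImageFormatException) { return null; } })
            .Where(n => n != null)
            .ToDictionary(n => n.Name, n => n.Version, StringComparer.OrdinalIgnoreCase);

        int problems = 0;
        foreach (string dll in dlls)
        {
            Assembly asm;
            try { asm = Assembly.ReflectionOnlyLoadFrom(dll); }  // metadata only, no type resolution
            catch (Exception) { continue; }                      // native or already-loaded images

            foreach (AssemblyName r in asm.GetReferencedAssemblies()
                         .Where(r => r.Name.StartsWith(Adal, StringComparison.OrdinalIgnoreCase)))
            {
                Version have;
                if (!deployed.TryGetValue(r.Name, out have))
                {
                    // e.g. AppAuthentication 1.1.0 still references ...ActiveDirectory.Platform,
                    // which no longer exists as a separate DLL once ADAL 4.x is deployed.
                    Console.WriteLine($"{Path.GetFileName(dll)} -> {r.Name} {r.Version}: NOT DEPLOYED (FileNotFound at runtime)");
                    problems++;
                }
                else if (have.Major != r.Version.Major)
                {
                    // Major-version jump (3.x -> 4.x) is not binary compatible; a bindingRedirect
                    // does not fix it, which is the TypeAccessException quoted in this thread.
                    Console.WriteLine($"{Path.GetFileName(dll)} -> {r.Name} {r.Version} but {have} deployed: binary incompatible");
                    problems++;
                }
            }
        }
        return problems == 0 ? 0 : 1;   // non-zero exit so a deployment gate can fail on it
    }
}
```

Run it against the build output before deploying; a non-zero exit means at least one assembly will either fail to load ADAL or call into a different major version than it was compiled against.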
Then this is expected indeed. ADAL.NET 4.x is not binary compatible with ADAL.NET 3.x (even if it's source compatible in 99.9..99% of the cases). Copied the Azure SDK owners. Proposing to close this issue, as this is not a problem with ADAL.NET.
Why is this closed? It's not a problem with ADAL.NET but it is a problem with one of the libraries under the ADAL.NET sdk
@Ofekw: this is a problem with one of the libraries that uses ADAL.NET. You did the right thing by providing a PR for the Azure SDK. But as far as I'm concerned (ADAL.NET and MSAL.NET), I cannot approve it as I don't own this SDK. I've contacted the SDK owners, though.
I can leave this issue open, but there is nothing that the ADAL.NET / MSAL.NET team can do. Would you prefer me to re-open and track it? You probably want to raise it on the Azure SDK for .NET repo?
Ah I understand. Thanks for the context! Will follow up with the consuming library owners.
Thanks again.
Which version of ADAL are you using? Microsoft.IdentityModel.Clients.ActiveDirectory: 3.14.2 - 3.19.8 & ADAL 4.0.0-preview - 4.1.0-preview
Which platform has the issue? .net45
What authentication flow has the issue?
Repro
All our machines are domain joined and corpnet user/group identities are replicated to Azure AD under onmicrosoft.com directory.
We've been using this code:
to access KeyVault with no problem, with these packages:
However we recently had to update to "Microsoft.IdentityModel.Clients.ActiveDirectory" version="4.0.0-preview" and the authentication workflow we have been using stopped working (ActiveDirectory 4.1-preview also fails).
Expected behavior
WindowsAuthenticationAzureServiceTokenProvider.GetTokenAsync(resource, authority) should return a token; specifically:
It is always able to return a token on Microsoft.IdentityModel.Clients.ActiveDirectory version 3.14.2-3.19.8. This token can be used to fetch secrets from our KeyVault.
Actual behavior
When calling
using Microsoft.IdentityModel.Clients.ActiveDirectory 4+, an exception is thrown:
"Attempt by method 'Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions+<AcquireTokenAsync>d__0.MoveNext()' to access method 'Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenCommonAsync(System.String, System.String, Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential)' failed."
Which propagates to:
"Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. Attempt by method 'Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions+<AcquireTokenAsync>d__0.MoveNext()' to access method 'Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenCommonAsync(System.String, System.String, Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential)' failed."
which is thrown by KeyVaultClient.cs.