AzureAD / azure-activedirectory-library-for-dotnet

ADAL authentication libraries for .net
http://aka.ms/aaddev
MIT License

ADAL.net fails to AcquireToken for Integrated Windows Auth when VPN with RasCredential is used #1692

Closed trwalke closed 4 years ago

trwalke commented 4 years ago

Which version of ADAL are you using? Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.28.1.741, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Which platform has the issue? Windows 10, .NET 4.5

What authentication flow has the issue?

Other? - please describe;

Repro

When IWA scenario is used under a Windows VPN connection that adds a RasCredential to the Windows Credential Cache, ADAL.net appears to pick up the RasCredential instead of the default Windows Credential. This RasCredential does not have Multi-Factor Auth (MFA) and if MFA policy is enforced, the AcquireToken call would fail.

RAS = remote access service

Note that IWA in ADAL.net is a strictly non-interactive code path that does not allow for any further interactive prompts.

using Microsoft.IdentityModel.Clients.ActiveDirectory;

string authority = "...";      // e.g. the tenant authority shown in the trace below
string resourceId = "...";     // resource (API) the token is requested for
string applicationId = "...";  // client id of the calling application
var cache = new TokenCache();
var authContext = new AuthenticationContext(authority, cache);
// Passing an empty UserCredential selects the Integrated Windows Auth (IWA) path,
// which is strictly non-interactive: it relies on the logged-on Windows identity.
var token = authContext.AcquireToken(resourceId, applicationId, new UserCredential());

Device state from Dsregcmd /status:

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : <Redacted>

Expected behavior

AcquireToken call under VPN should work without error.

Actual behavior

AcquireToken call under VPN fails with "The user is required to use multi-factor authentication." error. The hypothesis is that the RasCredential does not appear to have MFA claims, and managed ADAL used the RasCredential instead of the standard credential, leading to the MFA required error. If we remove the RasCredential from the Windows Credential Cache after connecting using VPN, managed ADAL is able to AcquireToken successfully. ADAL.net works if the user uses an alternative VPN solution which does not add an additional credential to the Windows Credential Cache.

Possible Solution

Figure out if this impacts other ADAL/MSAL libraries. Perhaps ADAL needs to be smarter about which credential it picks.

Additional context/ Logs / Screenshots

This issue is documented on technet forums, and we have been able to repro. Impacts SSMS related client libs.

Additional logs: (available on request)

Rundll32.exe Information: 0 : 11/27/2018 14:51:27:  - AuthenticationContext: ADAL .NET with assembly version '2.28.1.741', file version '2.28.30726.1426' and informational version '98c53b8a9386f556c4187786cece386358b1c8e7' is running...
Rundll32.exe Information: 0 : 11/27/2018 14:51:27: 7a78b698-097b-477c-8a30-b0030d5b970d - AcquireTokenHandlerBase: === Token Acquisition started:
    Authority: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/
    Resource: https://southcentralus.asazure.windows.net
    ClientId: cf710c6e-dfcc-4fa8-a093-d47294e44c66
    CacheType: Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache (0 items)
    Authentication Target: User

Rundll32.exe Information: 0 : 11/27/2018 14:51:27: 7a78b698-097b-477c-8a30-b0030d5b970d - <PreRunAsync>d__0: Logged in user with hash 'O1/FE6NtsAbccCdcMryMf1EMnLp6AjG/1RFlliZJVOo=' detected
Rundll32.exe Information: 0 : 11/27/2018 14:51:27: 7a78b698-097b-477c-8a30-b0030d5b970d - TokenCache: Looking up cache for a token...
Rundll32.exe Information: 0 : 11/27/2018 14:51:27: 7a78b698-097b-477c-8a30-b0030d5b970d - TokenCache: No matching token was found in the cache
Rundll32.exe Information: 0 : 11/27/2018 14:51:27: 7a78b698-097b-477c-8a30-b0030d5b970d - <CreateByDiscoveryAsync>d__0: Sending user realm discovery request to 'https://login.windows.net/common/UserRealm/<redacted>@microsoft.com?api-version=1.0'
Rundll32.exe Information: 0 : 11/27/2018 14:51:28: 7a78b698-097b-477c-8a30-b0030d5b970d - <PreTokenRequest>d__4: User with hash 'O1/FE6NtsAbccCdcMryMf1EMnLp6AjG/1RFlliZJVOo=' detected as 'Federated'
Rundll32.exe Information: 0 : 11/27/2018 14:51:28: 7a78b698-097b-477c-8a30-b0030d5b970d - <PreTokenRequest>d__4: WS-Trust endpoint 'https://msft.sts.microsoft.com/adfs/services/trust/13/windowstransport' fetched from MEX at 'https://msft.sts.microsoft.com/adfs/services/trust/mex'
Rundll32.exe Information: 0 : 11/27/2018 14:51:28: 7a78b698-097b-477c-8a30-b0030d5b970d - <PreTokenRequest>d__4: Token of type 'urn:oasis:names:tc:SAML:1.0:assertion' acquired from WS-Trust endpoint
Rundll32.exe Error: 0 : 11/27/2018 14:51:29: 7a78b698-097b-477c-8a30-b0030d5b970d - <RunAsync>d__0: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50079: The user is required to use multi-factor authentication.
Trace ID: 8ba34faa-e2ac-4520-9510-d636db153101
Correlation ID: 7a78b698-097b-477c-8a30-b0030d5b970d
Timestamp: 2018-11-27 14:51:30Z ---> System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<SendHttpMessageAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<RunAsync>d__0.MoveNext()
    ErrorCode: interaction_required
    StatusCode: 400

Contact

Please contact me via internal Microsoft email. Thanks.
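Because the IWA path described in this report can never prompt, an application that hits AADSTS50079 on it has only one safe recovery: stop retrying the silent call and let the user satisfy the MFA policy interactively. The following is an added example, not code from ADAL or from the issue author, showing that handling against the ADAL 2.x API used in the repro. The class and method names (IwaTokenProvider, AcquireWithMfaFallback) and the redirectUri parameter are assumptions; the "interaction_required" error code and the 400 status are the values visible in the trace above.

```csharp
using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example (hypothetical names; not part of ADAL). Tries the strictly
// non-interactive IWA path first and, if AAD rejects the credential ADAL
// picked up because it carries no MFA claims, falls back to an interactive
// sign-in instead of looping on a silent call that can never succeed.
public static class IwaTokenProvider
{
    // Error code AAD returned in the trace on this issue (AADSTS50079);
    // ADAL 2.x surfaces it as AdalServiceException.ErrorCode.
    private const string InteractionRequired = "interaction_required";

    public static AuthenticationResult AcquireWithMfaFallback(
        AuthenticationContext authContext,
        string resourceId,
        string applicationId,
        Uri redirectUri)
    {
        try
        {
            // IWA: uses the logged-on Windows identity; no prompt is ever shown here.
            return authContext.AcquireToken(resourceId, applicationId, new UserCredential());
        }
        catch (AdalServiceException ex) when (ex.ErrorCode == InteractionRequired)
        {
            // The silently selected credential (e.g. a RAS/VPN credential without
            // MFA claims) was refused by the MFA policy. Log enough to correlate
            // with VPN state, then let the user complete MFA interactively.
            Console.Error.WriteLine(
                $"IWA sign-in rejected (HTTP {ex.StatusCode}, {ex.ErrorCode}); " +
                "falling back to interactive auth. If this recurs only while the VPN " +
                "is connected, inspect the Windows Credential Cache for a RAS credential.");

            // PromptBehavior.Auto prompts only when AAD requires it, which it will
            // here because the MFA challenge cannot be satisfied silently.
            return authContext.AcquireToken(resourceId, applicationId, redirectUri, PromptBehavior.Auto);
        }
    }
}
```

The exception filter keeps every other AdalServiceException (network errors, bad client id, and so on) on its normal error path; only the MFA-driven interaction_required case is downgraded to an interactive prompt. For a headless process such as the Rundll32-hosted caller in the trace, the fallback branch should instead fail fast with the logged diagnosis, since no interactive prompt can be shown there either.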

henrik-me commented 4 years ago

Closing this one as the original issue has not had any input from the bug opener for more than a year. If we are to address this, we should explore further in MSAL.