AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

Adal.Js 1.0.15 Infinite login Redirect Issue in IE 11 #766

Closed Ashokpraveeny closed 4 years ago

Ashokpraveeny commented 6 years ago

Hi

I have an application which is developed using React and is hosted in Azure AD. The app authenticates users through ADAL.js version 1.0.15. When we tried to log in to the application using IE 11, the app does not show the Microsoft login page; instead it redirects between login.microsoftonline.com and our app infinitely.

When it redirects back to our app, the following error is appended to the URL.

error=invalid_request&error_description=AADSTS90072 User+account+from+identity+provider+ thttps://sts.windows.net 27+does+not+exist+in+tenant+and+cannot+access+the+application+%27 +in+that+tenant.++The+account+needs+to+be+added+as+an+external+user+in+the+tenant+first.++Sign+out+and+sign+in+again+with+a+different+Azure+Active+Directory+user+account.%0d%0aTrace+ID+Correlation+ID%

The app works fine in InPrivate mode in IE. Chrome also redirects properly. sessionStorage is being used and the redirectURI is proper. The app URL and authority URL are added as trusted sites.

Code Snippet: Index.js

```javascript
// AuthContext (the ADAL.js AuthenticationContext constructor) and adalConfig
// are defined elsewhere in the app.
window.AuthenticationContext = AuthContext;

let authContext = new AuthContext(adalConfig);

// Process the #id_token / #error fragment returned by the redirect.
authContext.handleWindowCallback();

if (!authContext.isCallback(window.location.hash)) {
  if (!authContext.getCachedToken(adalConfig.clientId) || !authContext.getCachedUser()) {
    // No cached token or user: redirect to login.microsoftonline.com
    authContext.login();
  } else {
    window.authToken = authContext.getCachedToken(adalConfig.clientId);
    window.authUser = authContext.getCachedUser();
    // Rendering Home page here
  }
}
```

The same index.js page is invoked infinitely. login.microsoftonline.com shows a 302 response with the renewal token in the request header.

Ashokpraveeny commented 6 years ago

Further to this issue, we have observed that after logging out from all Azure accounts, this works fine. However, Chrome handles this better (popping up the login screen if the account is different).

henrik-me commented 6 years ago

Hi @Ashokpraveeny: did you try upgrading to 1.0.17? (1.0.15 had some IE fixes as far as I can see, which you should have.) Not sure if that is needed, just asking if you have tried it. CC: @manoj-rath

nehaagrawal commented 6 years ago

@Ashokpraveeny We have listed known issues on the IE/Edge browser here: https://github.com/AzureAD/azure-activedirectory-library-for-js/wiki/Known-issues-on-Edge. This looks like one of them. Can you please try the steps in the workaround section? For some IE versions, local storage has worked fine. Can you please try that? Also, to avoid the infinite loop, can you have some logic in your app to break after a few attempts? You can keep the count in a cookie.
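An added example (not code from this thread or from ADAL.js) of the loop breaker suggested above: the attempt counter lives in a session cookie, and `login()` is only called while the counter is below a limit. The names `guardedLogin`, `readAttempts`, `attemptsCookie`, `LOOP_COOKIE`, `MAX_LOGIN_ATTEMPTS` and the `jar` wrapper around `document.cookie` are assumptions for this example; `authContext.handleWindowCallback()` is assumed to have run before it.

```javascript
// Added example, not ADAL.js code. Cookie name and limit are assumed values.
const LOOP_COOKIE = 'adalLoginAttempts';
const MAX_LOGIN_ATTEMPTS = 3;

// Parse the attempt counter from a document.cookie-style string ("a=1; b=2").
function readAttempts(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, value] = part.trim().split('=');
    if (name === LOOP_COOKIE) {
      const n = parseInt(value, 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// Counter stored as a session cookie (gone when the browser closes, like
// sessionStorage) and not sent on cross-site navigations.
function attemptsCookie(n) {
  return `${LOOP_COOKIE}=${n}; path=/; SameSite=Lax`;
}

// One page load of index.js. `jar` wraps document.cookie as
// { get(): string, set(cookie: string) } so the logic runs outside a browser.
// Returns the action taken so the caller can render an error page on a loop.
function guardedLogin(authContext, clientId, hash, jar) {
  if (authContext.isCallback(hash)) {
    return 'callback'; // redirect response already handled by handleWindowCallback()
  }
  if (authContext.getCachedToken(clientId) && authContext.getCachedUser()) {
    jar.set(attemptsCookie(0)); // signed in: reset the counter
    return 'authenticated';
  }
  const attempts = readAttempts(jar.get());
  if (attempts >= MAX_LOGIN_ATTEMPTS) {
    return 'loop-detected'; // stop redirecting; tell the user to sign out and retry
  }
  jar.set(attemptsCookie(attempts + 1));
  authContext.login(); // redirect to login.microsoftonline.com
  return 'login';
}

// Browser wiring (only call this inside a browser).
function browserJar() {
  return { get: () => document.cookie, set: (c) => { document.cookie = c; } };
}
```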

jtabuloc commented 5 years ago

We're having the same issue. Unfortunately, we can't use localStorage due to security reasons. We want the session to end once the user closes the browser, so we preferred to use sessionStorage, but we're having this infinite loop problem. After some debugging and observation we noticed that it gets my company domain account instead of the credential I inputted during login. I suspected (maybe) it's because my company is integrated with AAD seamless authentication, which is why it doesn't honor what I key in and automatically grabs my company profile. It only happened in IE11, in both public and private mode. Is there any alternative for this? And based on the Known-issues-On-Edge mentioned above, is there any timeline for when this can be fixed? We really need this badly :(

jtabuloc commented 5 years ago

In addition to our case, why does ADAL.js automatically sign me in using my company domain account? It doesn't even redirect me to the login page. I used getCachedUser to display the userName and I saw my profile. In some cases it allows me to choose a credential, but it still prioritizes my company profile instead of the credential I inputted. This is the cause of our infinite login loop issue. I assume this issue occurs because my company network domain is integrated with the AAD seamless authentication method? It only happens when we use sessionStorage. Can someone confirm this?

Update: I think this is the case I found.

It says "Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components."

:(

sameerag commented 4 years ago

All current authentication work from Microsoft is delivered through the MSAL.js library here. ADAL.js is still supported only for security fixes. We would recommend moving to MSAL.js for any advanced feature asks.