AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] silent WIA fails on AAD seamless SSO with password hash synchronization #2295

Closed mmctest888 closed 3 years ago

mmctest888 commented 3 years ago

Logs and Network traces: Without logs or traces, it is unlikely that the team can investigate your issue. Capturing logs and network traces is described at https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/logging

Which version of MSAL are you using? 4.24

Platform: .NET 4.6.2

What authentication flow has the issue?

Other? - please describe;

Is this a new or existing app? c. This is a new app or experiment

Repro

app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())

Expected behavior: it should not ask for the password. In the browser (Edge and Chrome) it works well, but in WinForms it fails.

Actual behavior: it asks for the password.

Possible Solution

You are using this request and expecting a federated user, which is incorrect when using seamless SSO with password hash sync: https://login.microsoftonline.com/common/userrealm/ss@xx.com?api-version=1.0

jmprieur commented 3 years ago

@mmctest888: I'm a bit confused. You're writing that you are using IWA, but your repro is using AcquireTokenSilent only. Also, what does it mean for AcquireTokenSilent to ask for a password?

Do you mean you wrote something like this?

try
{
    // Silent call: served from the token cache or a refresh token, never prompts.
    result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
                      .ExecuteAsync();
}
catch (MsalUiRequiredException ex)
{
    // Nothing usable in the cache: fall back to Integrated Windows Authentication,
    // forwarding any claims challenge the service returned.
    result = await app.AcquireTokenByIntegratedWindowsAuth(scopes)
                      .WithClaims(ex.Claims)
                      .ExecuteAsync();
}

Did you see the following sample: https://github.com/Azure-Samples/active-directory-dotnet-iwa-v2? Also, what is the error? Can you please enable logs? Would that be a conditional access exception (device auth or something)?

mmctest888 commented 3 years ago

Thanks for the answer. I tried the new iwa-v2 example... I got new results; it seems that now my user is detected as federated ╰(‵□′)╯

However, I got this error:

=== Request Data ===
Authority Provided? - True
Client Id - f2c604ae-3771-ZZZZ-ZZZZ-03611ZZZZZZZ
Scopes - User.Read User.ReadBasic.All
Redirect Uri - urn:ietf:wg:oauth:2.0:oob
Extra Query Params Keys (space separated) -
ClaimsAndClientCapabilities -
Authority - https://login.microsoftonline.com/organizations/
ApiId - AcquireTokenByIntegratedWindowsAuth
IsConfidentialClient - False
SendX5C - False
LoginHint -
IsBrokerConfigured - False
HomeAccountId -
CorrelationId - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf

(True) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:15:59 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] === Token Acquisition (IntegratedWindowsAuthRequest) started: Authority: https://login.microsoftonline.com/organizations/ Scope: User.Read User.ReadBasic.All ClientId: f2c604ae-3771-ZZZZ-ZZZZ-03611ZZZZZZZ
(False) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:15:59 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
(True) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:15:59 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] Fetching instance discovery from the network from host login.microsoftonline.com. Endpoint https://login.microsoftonline.com/common/discovery/instance.
(False) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:16:01 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True.
(False) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:16:01 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] [Instance Discovery] After hitting the discovery endpoint, the network provider found an entry for login.microsoftonline.com ? True.
(False) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:16:01 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] Resolving authority endpoints... Already resolved? - FALSE
(True) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:16:01 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] Logged in user detected with user name 'usertestad@myAAD-URL.online'
(False) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:16:01 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] Sending request to userrealm endpoint.
(True) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:16:01 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] User with user name 'usertestad@myAAD-URL.online' detected as 'Federated'.
(True) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:16:04 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] MEX document fetched and parsed from 'https://autologon.microsoftazuread-sso.com/myAAD-URL.online/winauth/trust/mex?client-request-id=b5fd9154-16a3-ZZZZ-ZZZZ-ZZZZZZZZZZZZ'
(True) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:16:04 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] WS-Trust endpoint 'https://autologon.microsoftazuread-sso.com/myAAD-URL.online/winauth/trust/2005/windowstransport?client-request-id=b5fd9154-16a3-ZZZZ-ZZZZ-ZZZZZZZZZZZZ' being used from MEX at 'https://autologon.microsoftazuread-sso.com/myAAD-URL.online/winauth/trust/mex?client-request-id=b5fd9154-16a3-ZZZZ-ZZZZ-ZZZZZZZZZZZZ'
(True) MSAL 4.24.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [12/16/2020 02:16:05 - 6cf2f062-faba-ZZZZ-ZZZZ-baff48d0e3cf] MSAL.Desktop.4.24.0.0.MsalClientException:

 **ErrorCode: parsing_wstrust_response_failed**

Microsoft.Identity.Client.MsalClientException: An error occurred while sending the request. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The system cannot contact a domain controller to service the authentication request. Please try again later

mmctest888 commented 3 years ago

For some reason, this user hadn't updated the password hash...

Thanks, with this example it is solved.
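The silent-then-IWA fallback jmprieur describes, combined with the verbose logging he asked for, as an added example that is not code from the issue or from the MSAL project. The client id and scopes are placeholders; the error code string is the one logged in this thread, and the fallback to an interactive prompt after a WS-Trust failure is this example's choice, not something the thread prescribes.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: silent first, then Integrated Windows Authentication, then an
// interactive prompt, with MSAL logging turned on so the user-realm lookup and the
// WS-Trust endpoint selection (the steps that matter for seamless SSO) are recorded.
public static class SsoTokenAcquirer
{
    // Placeholder values; replace with your own app registration and scopes.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private static readonly string[] Scopes = { "User.Read" };

    public static IPublicClientApplication BuildApp() =>
        PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority("https://login.microsoftonline.com/organizations/")
            .WithDefaultRedirectUri()
            // PII logging stays off; the realm classification and endpoint URLs are
            // still visible at Verbose level without it.
            .WithLogging((level, message, containsPii) =>
                             Console.WriteLine($"[{level}] {message}"),
                         LogLevel.Verbose, enablePiiLogging: false,
                         enableDefaultPlatformLogging: false)
            .Build();

    public static async Task<AuthenticationResult> AcquireAsync(IPublicClientApplication app)
    {
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                // Cache or refresh-token path: never prompts, throws if it cannot be satisfied.
                return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException) { /* fall through to IWA */ }
        }
        try
        {
            return await app.AcquireTokenByIntegratedWindowsAuth(Scopes).ExecuteAsync();
        }
        catch (MsalClientException ex) when (ex.ErrorCode == "parsing_wstrust_response_failed")
        {
            // The failure seen in this thread: the WS-Trust endpoint answered 401 because
            // no domain controller could service the Kerberos request. Log it and prompt
            // instead of retrying IWA in a loop.
            Console.Error.WriteLine($"IWA failed: {ex.Message}");
        }
        return await app.AcquireTokenInteractive(Scopes).WithAccount(account).ExecuteAsync();
    }
}
```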