Open gladjohn opened 1 year ago
On a Windows Server 2016 machine, we see the following error when invoking the new broker:

```
Exception: Microsoft.Identity.Client.NativeInterop.MsalRuntimeException: Status: Unexpected
Context: Caught exception
Tag: 0x2039c1cd
```

Subsequent calls to ATI briefly display the WAM UI or the AAD account picker and then auto-dismiss, and we log this:

```
Exception: MSAL.NetCore.4.51.0.0.MsalClientException:
ErrorCode: authentication_canceled
Microsoft.Identity.Client.MsalClientException: User canceled authentication.
```
On a different Win2016 Server, I see the following.
Server info:
@MSamWils is there any data you want me to collect to troubleshoot this?
@gladjohn , thanks for testing it. Can you please enable MSALRuntime log for this issue? Exception: Microsoft.Identity.Client.NativeInterop.MsalRuntimeException: Status: Unexpected Context: Caught exception Tag: 0x2039c1cd
And also please collect fiddler trace for the prompt issue. Thanks.
@MSamWils shared all the info on chat. Please let me know if you need more details.
Adding notes so we know what works and what doesn't with WAM on Server 2016.
Authority | MSA-PT | ATS | ATI |
---|---|---|---|
lmo/org | False | - | Error: Parameter prompt is duplicated |
lmo/org | True | - | WAM UI shows up; upon selecting an account, Error: Missing wamcompat_id_token in WAM case |
lmo/common | False | - | WAM UI shows up; upon selecting an account, Error: Missing wamcompat_id_token in WAM case |
lmo/consumers | False | Works | Successfully gets a token |
lmo/tenant_id | False | - | Error: Parameter prompt is duplicated |

Note: ATS was not tested when ATI did not work.
Other MSALRuntime-specific features that work as expected:

Other features that do not work:
ROPC also throws the "Missing wamcompat_id_token in WAM case" error.
Just to add one more note: when we get the "Error: Parameter prompt is duplicated" error, passing in a login_hint suppresses the error.
Some more notes based on investigation:

When you pass a login hint, we bypass the account-control logic and the UI is then shown without the "prompt is duplicated" error being raised.

```cpp
// Condition under which MSAL C++ launches the AAD WAM account picker
// (and therefore adds prompt=select_account to the request).
bool launchAADWAMSelectAccount = noAccountPassed && noAccountHintPresent
    && !authParameters->GetAuthority()->HasConsumerRealm() && !authParameters->GetAuthority()->HasCommonRealm()
    && !IsConsumersPassthroughRequest;
```

RS1 AAD WAM adds prompt=login if the force-authentication flag is set, and in addition MSAL C++ adds prompt=select_account in account-picker flows; hence the duplicate prompt error.

Finally, there are errors seen for the token which could be related to the wamcompat_id issue.
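A small Python model, added here and not MSAL code, of the logic described in the notes above: the `launchAADWAMSelectAccount` condition decides whether MSAL C++ adds `prompt=select_account`, RS1 WAM adds `prompt=login`, and the request fails when both are present. The `Authority` class, the `force_authentication=True` default (the thread implies the flag was set in the failing runs but does not say so), the tenant id and the login-hint value are assumptions or constructed placeholders; `reproduce_table()` re-derives the ATI column of the table above plus the login_hint workaround.

```python
from dataclasses import dataclass

@dataclass
class Authority:
    """Stand-in for MSAL's authority; `realm` is the path segment after the host."""
    realm: str  # "organizations", "common", "consumers" or a tenant id

    def has_consumer_realm(self) -> bool:
        return self.realm == "consumers"

    def has_common_realm(self) -> bool:
        return self.realm == "common"

def launch_aad_wam_select_account(authority, account_passed, login_hint, msa_passthrough):
    """Mirror of the launchAADWAMSelectAccount condition quoted in the thread."""
    return (not account_passed and login_hint is None
            and not authority.has_consumer_realm()
            and not authority.has_common_realm()
            and not msa_passthrough)

def prompt_values(authority, account_passed=False, login_hint=None,
                  msa_passthrough=False, force_authentication=True):
    """`prompt` values that end up on the WAM request. force_authentication=True
    is an assumption: RS1 WAM adds prompt=login only when that flag is set."""
    prompts = []
    if force_authentication:               # added by RS1 AAD WAM
        prompts.append("login")
    if launch_aad_wam_select_account(authority, account_passed, login_hint, msa_passthrough):
        prompts.append("select_account")   # added by MSAL C++ for the account picker
    return prompts

def is_prompt_duplicated(prompts):
    """True when the request would carry `prompt` twice (the reported error)."""
    return len(prompts) > 1

def reproduce_table():
    """Re-derive 'Parameter prompt is duplicated' for the rows of the table above,
    plus the login_hint workaround. Tenant id and hint are constructed placeholders."""
    cases = {
        "organizations": prompt_values(Authority("organizations")),
        "organizations+msa-pt": prompt_values(Authority("organizations"), msa_passthrough=True),
        "common": prompt_values(Authority("common")),
        "consumers": prompt_values(Authority("consumers")),
        "tenant_id": prompt_values(Authority("00000000-0000-0000-0000-000000000000")),
        "organizations+login_hint": prompt_values(Authority("organizations"),
                                                  login_hint="user@example.com"),
    }
    return {name: is_prompt_duplicated(p) for name, p in cases.items()}
```

The model predicts the duplicate-prompt error exactly for the `lmo/org` (without MSA-PT) and `lmo/tenant_id` rows, and predicts no duplication for `common`, `consumers`, MSA passthrough and the login_hint case, matching the observed table.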