gladjohn
commented
1 year ago - Remove the OS check for Windows 2016 and do not fall back to browser when WAM is enabled
- test WAM on Windows Server 2016
Open gladjohn opened 1 year ago
gladjohn
commented
1 year ago gladjohn
commented
1 year ago On a Windows Server 2016 machine, we see the follow error when invoking the new broker
Exception: Microsoft.Identity.Client.NativeInterop.MsalRuntimeException: Status: Unexpected
Context: Caught exception
Tag: 0x2039c1cdAnd subsequent calls to the ATI, briefly displays the WAM UI or AAD picker and then auto dismisses, and we log this
Exception: MSAL.NetCore.4.51.0.0.MsalClientException:
ErrorCode: authentication_canceled
Microsoft.Identity.Client.MsalClientException: User canceled authentication. On a different Win2016 Server, I see the following
Server info :
@MSamWils is there any data you want me to collect to troubleshoot this?
MSamWils
commented
1 year ago @gladjohn , thanks for testing it. Can you please enable MSALRuntime log for this issue? Exception: Microsoft.Identity.Client.NativeInterop.MsalRuntimeException: Status: Unexpected Context: Caught exception Tag: 0x2039c1cd
And also please collect fiddler trace for the prompt issue. Thanks.
gladjohn
commented
1 year ago @MSamWils shared all the info on chat. please let me know if you need more details
gladjohn
commented
1 year ago Adding notes so we know what works and what doesn't with WAM on Server 2016.
| Authority | MSA-PT | ATS | ATI |
|---|---|---|---|
| lmo/org | False | - | Error : Parameter prompt is duplicated |
| lmo/org | True | - | WAM UI shows up, upon selecting an account, Error : Missing wamcompat_id_token in WAM case |
| lmo/common | False | - | WAM UI shows up, upon selecting an account, Error : Missing wamcompat_id_token in WAM case |
| lmo/consumers | False | Works | Successfully gets a token |
| lmo/tenant_id | False | - | Error : Parameter prompt is duplicated |
Note :- ATS was not tested when ATI did not work.
Other MSALRuntime specific features that work as expected:
Other features that do not work :
ROPC also throws the Missing wamcompat_id_token in WAM case error
Just to add one more note, when we get the Error : Parameter prompt is duplicated error, passing in a login_hint suppresses the error.
gladjohn
commented
1 year ago Some more notes based on investigation :
When you pass login hint then we bypass the accounts control logic and UI is then shown without the double prompt being passed error
bool launchAADWAMSelectAccount = noAccountPassed && noAccountHintPresent
&& !authParameters->GetAuthority()->HasConsumerRealm() && !authParameters->GetAuthority()->HasCommonRealm()
&& !IsConsumersPassthroughRequest;RS1 AAD WAM adds prompt=login if force authentication flag is set. And in addition MSAL C++ adds prompt=select_account in account picker flows. hence the double prompt error
Finally, there are errors seen for token which could be related to the wamcompat_id issue
<?xml version="1.0" encoding="utf-8"?><Error><Code>BlobNotFound</Code><Message>The specified blob does not exist.
RequestId:31bba523-b01e-003c-4c17-94e27b000000
Time:2023-05-31T23:26:32.0136782Z</Message></Error>