macchmie3

Reputation: 51

ADAL page fails to load on UWP within corporate network when using ADFS

We are developing a cross-platform mobile app using Xamarin.Forms that uses Azure Active Directory Authentication. For that case we use Microsoft.IdentityModel.Clients.ActiveDirectory nuget. It works fine with any case other than this one:

UWP user is trying to login with a corporate account while being connected to a network that hosts the ADFS - after typing user@domain the ADAL page tries to redirect to the organization login page and fails with the message - We can't connect to the service you need right now. Check your network connection or try this later.


The method we use to log in:

AuthenticationContext.AcquireTokenAsync(resource, clientId, RedirectUri, platformParameters)

We set the useCorporateNetwork parameter of platformParameters to true; in project properties -> Package Manifest -> Capabilities we set flags like Private Networks (Client & Server).

When trying to login without setting RedirectUri, the corporate login page appears and you are able to type your login/password and have them validated, but it is useless for us as we need to redirect the login to our API - when logging in like that you get an error that the specified redirectUri is other than the one configured for the used clientId.

I have been trying different approaches like using the native WebAuthenticationCoreManager, but it doesn't support RedirectUri (if it does and will work please write how!), and setting Loopback Exempts for our app and AuthHost.exe (nothing changed).


I am happy to use anything that will work, it can be native UWP approach as we can use platform dependency.


EDIT

When I am trying to connect through VPN, then when logging in I get the message - We can't connect to the service you need right now. Check your network connection or try this later. - even when I am running the app from Visual Studio.

As for trying to find the cause of the problem with Fiddler, I was stunned - when I monitor the authhost.exe process with Fiddler (I select the authentication popup window as the target process), then the authentication finishes successfully. The moment I stop monitoring with Fiddler, it fails again.

Upvotes: 5

Views: 1478

Answers (2)

ninja-ops

Reputation: 1

Not sure if it is related, but I was experiencing the same issue with a UWP app that was connecting to an Azure mobile app back-end. In my case it involved corporate authentication (ADAL) along with a network proxy that was sitting in the middle. Besides the manifest permissions specified above, I also had to update the web.config on the server side to enable proxy authentication pass-through. See the following link for more information.

<system.net>
    <defaultProxy useDefaultCredentials="true" />
</system.net>

Fix it so that .NET apps can access HTTP thru authenticating proxy server by default

Upvotes: 0

user7793412

Reputation: 51

Interesting that you got it working with Fiddler attached to AuthHost. In your troubleshooting have you tried the following options?

Enable capabilities in AppPackage manifest

  • privateNetworkClientServer
  • enterpriseAuthentication
  • sharedUserCertificate

Add loopback exemptions

CheckNetIsolation.exe LoopbackExempt -a -n=<YourPackageFamilyName>
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.a_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.a.p_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.sso_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.sso.p_8wekyb3d8bbwe

Enable private network for AuthHost

REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe" /v EnablePrivateNetwork /t REG_DWORD /d 1 /f

Upvotes: 5
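One way to verify that the three settings from the answer above actually took effect on a given machine, as an added PowerShell example that is not from either answer; the manifest path, the package family name placeholder and the "Name:" line format of CheckNetIsolation's listing are assumptions:

```powershell
# Added example: audits the manifest capabilities, loopback exemptions and IFEO value
# from the answer above and reports whatever is still missing.
# Assumptions: ManifestPath is your project's Package.appxmanifest and
# AppPackageFamilyName is a placeholder for your app's package family name.
param(
    [string]$ManifestPath = '.\Package.appxmanifest',
    [string]$AppPackageFamilyName = '<YourPackageFamilyName>'
)
$problems = @()

# 1. Manifest capabilities: read every <Capability Name="..."> child, whatever its namespace prefix.
$requiredCaps = 'privateNetworkClientServer', 'enterpriseAuthentication', 'sharedUserCertificate'
[xml]$manifest = Get-Content -Path $ManifestPath -Raw
$declaredCaps = $manifest.Package.Capabilities.ChildNodes |
    Where-Object { $_.NodeType -eq 'Element' } |
    ForEach-Object { $_.GetAttribute('Name') }
foreach ($cap in $requiredCaps) {
    if ($declaredCaps -notcontains $cap) { $problems += "manifest: capability '$cap' not declared" }
}

# 2. Loopback exemptions. Exemptions relax AppContainer network isolation, so the check lists
#    exactly the package family names the answer names rather than everything on the box.
#    Assumes CheckNetIsolation's "-s" listing prints one "Name: <pfn>" line per exempt package.
$requiredExempt = @(
    $AppPackageFamilyName,
    'microsoft.windows.authhost.a_8wekyb3d8bbwe',
    'microsoft.windows.authhost.a.p_8wekyb3d8bbwe',
    'microsoft.windows.authhost.sso_8wekyb3d8bbwe',
    'microsoft.windows.authhost.sso.p_8wekyb3d8bbwe'
)
$exemptNames = CheckNetIsolation.exe LoopbackExempt -s | ForEach-Object {
    if ($_ -match '^\s*Name:\s*(\S+)') { $Matches[1].ToLowerInvariant() }
}
foreach ($pfn in $requiredExempt) {
    if ($exemptNames -notcontains $pfn.ToLowerInvariant()) { $problems += "loopback: '$pfn' is not exempt" }
}

# 3. Registry: EnablePrivateNetwork must be 1 under the authhost.exe IFEO key from the answer.
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe'
$value = (Get-ItemProperty -Path $ifeo -Name EnablePrivateNetwork -ErrorAction SilentlyContinue).EnablePrivateNetwork
if ($value -ne 1) { $problems += "registry: EnablePrivateNetwork is '$value', expected 1" }

if ($problems.Count -eq 0) { 'All three AuthHost network settings are in place.' }
else { $problems | ForEach-Object { "MISSING  $_" } }
```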
