David Giles

Reputation: 15

ADFS ADAL current user windows service

I’m trying to authenticate a Windows Service (so non interactive) against an (ASP.net) Web API, using ADFS 3.0 and the current user’s credentials.

Is this possible, and if so is the approach below correct?

When running as a console app I can successfully get (JWT) tokens using the AcquireTokenAsync overloads that display a login screen, which then automatically logs in as the current user and disappears without interaction. That obviously isn't appropriate for a Windows Service though (and throws an error about displaying UI in non-interactive mode).

We get the following error in the ADFS server's Windows log:

Encountered error during federation passive request.

Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/oauth2/token to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

This is from a POST to /adfs/oauth2/token HTTP/1.1:

resource=https%3A%2F%2Fadfs-server%2Fapi_name&client_id=983EB4F7-A4D1-4897-A2BD-5D6C268A5813&scope=opened

Which results in an HTML document saying an error has occurred.

Generated by the following code:

using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
var authenticationContext = new AuthenticationContext("https://adfs-server/adfs", validateAuthority: false); // validateAuthority can only be true with Azure AD
var tokenResult = await authenticationContext.AcquireTokenAsync("https://adfs-server/api_name", "983EB4F7-A4D1-4897-A2BD-5D6C268A5813", new UserCredential()); // use current Windows login, no UI -- this line fails
request.Headers.Add("Authorization", tokenResult.CreateAuthorizationHeader()); // "Bearer <access_token>"

The versions we are using are:

Upvotes: 0

Views: 516

Answers (1)

rbrayb

Reputation: 46803

ADFS 3.0 only supports Authorisation Code Grant with web API as per this article.

Have a look at that and post any questions.

Upvotes: 0
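The authorization code grant the answer points to, as an added example that is not part of the question or the answer: a Python 3 (standard library only) sketch of the two requests a client makes to an ADFS 3.0 endpoint, plus a check of the form body the question shows being POSTed to /adfs/oauth2/token. The ADFS base URL, client_id and resource are taken from the question; the redirect URI, the state value and the sample callback URL are assumptions. The code in step 1 is obtained by a browser completing the authorize request, which is the part a Windows Service cannot do on its own.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the question.
ADFS = "https://adfs-server/adfs"
CLIENT_ID = "983EB4F7-A4D1-4897-A2BD-5D6C268A5813"
RESOURCE = "https://adfs-server/api_name"
# Assumption: the redirect URI registered for this client_id with Add-AdfsClient.
REDIRECT_URI = "https://localhost/callback"

# Grants ADFS 3.0 (Windows Server 2012 R2) handles at /adfs/oauth2/token and the
# form fields each one needs. Neither takes the current Windows login, so the
# question's UserCredential request has no handler to land on.
TOKEN_GRANTS = {
    "authorization_code": {"grant_type", "client_id", "code", "redirect_uri"},
    "refresh_token": {"grant_type", "client_id", "refresh_token"},
}


def authorize_url(client_id, resource, redirect_uri, state):
    """Step 1: the URL a browser is sent to; ADFS 3.0 only issues response_type=code."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "resource": resource,          # the relying party the token is for
        "redirect_uri": redirect_uri,
        "state": state,                # bound to the session so a forged callback is rejected
    }
    return f"{ADFS}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect ADFS sends back to redirect_uri."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not produced by our authorize request")
    if "error" in qs:
        raise ValueError(f"ADFS returned {qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    if "code" not in qs:
        raise ValueError("callback carries neither code nor error")
    return qs["code"][0]


def token_request_body(client_id, code, redirect_uri):
    """Step 3: form body POSTed to {ADFS}/oauth2/token to swap the code for a JWT."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in step 1
    })


def missing_token_params(form_body):
    """Names an ADFS 3.0 token request is missing; [] means it matches a supported grant.

    A body without grant_type, or with one ADFS 3.0 does not have, is reported
    against authorization_code, since that is the only way in for a web API.
    """
    qs = parse_qs(form_body)
    grant = qs.get("grant_type", [None])[0]
    needed = TOKEN_GRANTS.get(grant, TOKEN_GRANTS["authorization_code"])
    return sorted(needed - set(qs))


if __name__ == "__main__":
    # Constructed sample: the body from the question, then a well-formed exchange.
    posted = ("resource=https%3A%2F%2Fadfs-server%2Fapi_name"
              "&client_id=983EB4F7-A4D1-4897-A2BD-5D6C268A5813&scope=opened")
    print("question's body lacks:", missing_token_params(posted))
    state = "7f3a"  # assumption: generate per session with secrets.token_urlsafe() in real code
    print(authorize_url(CLIENT_ID, RESOURCE, REDIRECT_URI, state))
    code = parse_callback(f"{REDIRECT_URI}?code=AbC123&state={state}", state)
    print("token body lacks:", missing_token_params(token_request_body(CLIENT_ID, code, REDIRECT_URI)))
```

Run against the body in the question, missing_token_params reports code, grant_type and redirect_uri: the form names a resource and a client but no grant at all, so neither handler ADFS 3.0 registers for the token endpoint can claim it. The state check in parse_callback is what stops an attacker-supplied callback from being exchanged for a token on the client's behalf.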
