Jan Martin

Reputation: 309

MIP SDK and AD RMS error "MSIS9622: Client authentication failed"

I have followed the AD RMS and MIP SDK tutorials and have set up an environment with AD RMS, ADFS

Here are some snippets from my code:

var engineSettings = new FileEngineSettings("internal\\sysadmin", authDelegate, "", "en-US");
engineSettings.Identity = new Identity("internal\\sysadmin");
engineSettings.ProtectionCloudEndpointBaseUrl = "https://adrms.server.com";
engineSettings.ProtectionOnlyEngine = true;
var fileEngine = Task.Run(async () => await fileProfile.AddEngineAsync(engineSettings)).Result;

...snip...

var fileHandlerResult = Task.Run(async () => await fileHandler.CommitAsync(protectedFilePath)).Result;

At the CommitAsync line the user is redirected to the ADFS login page and they log in - they then get redirected to an "Authentication Failed" page which says:

Error details: error access_denied error_description: MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid.

Are there additional changes that need to be made to the MIP SDK samples to get them to work with ADFS? Here is a snippet from my AuthDelegateImplementation:

using System.Linq;
using Microsoft.Identity.Client;

public string AcquireToken(Identity identity, string authority, string resource, string claims)
{
    // Build an MSAL public client against the on-premises AD FS authority
    // (validateAuthority is false because AD FS is not a known Azure AD authority).
    _app = PublicClientApplicationBuilder.Create(_appInfo.ApplicationId)
        .WithAdfsAuthority("https://adfs.server.com/adfs/", false)
        .WithRedirectUri("http://localhost:50069")
        .Build();

    var accounts = _app.GetAccountsAsync().GetAwaiter().GetResult();

    // Append .default to the resource passed in to AcquireToken().
    string[] scopes = { resource[^1].Equals('/') ? $"{resource}.default" : $"{resource}/.default" };

    // Interactive flow: the browser is opened on the AD FS login page.
    var result = _app.AcquireTokenInteractive(scopes)
        .WithAccount(accounts.FirstOrDefault())
        .WithPrompt(Prompt.SelectAccount)
        .ExecuteAsync()
        .ConfigureAwait(false)
        .GetAwaiter()
        .GetResult();

    return result.AccessToken;
}

Upvotes: 1

Views: 5063

Answers (1)

Jan Martin

Reputation: 309

I checked my AD FS event viewer logs and I saw that the user did not have permission to access the api.rms.rest.com relying party trust - fixed by editing the access control policy to permit everyone.

Upvotes: 1
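Added example, not code from the question or the answer: a PowerShell script for the AD FS server (Windows Server 2016 or later, where access control policies exist) that first confirms the denial in the AD FS Admin log, then shows which policy currently governs the relying party trust, and applies the "Permit everyone" policy the answer used, with a scoped "Permit specific group" variant commented out as the less permissive option. The trust identifier, the group name and the log filter are assumptions; adjust them to your environment.

```powershell
# Added example (not from the question or answer above).
# Assumptions: run elevated on the AD FS server; the relying party trust is
# registered under the identifier quoted in the answer (change $RpIdentifier
# if your trust uses another name or identifier); the group name is a placeholder.
$RpIdentifier = 'api.rms.rest.com'

# 1. Confirm the denial in the AD FS Admin log before changing anything.
#    Level 2 = Error (numeric so the filter does not depend on the UI language).
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 200 |
    Where-Object { $_.Level -eq 2 -and $_.Message -match [regex]::Escape($RpIdentifier) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 2. Locate the trust by identifier (or name) and show what governs access today.
$rp = Get-AdfsRelyingPartyTrust |
    Where-Object { ($_.Identifier -join ' ') -match [regex]::Escape($RpIdentifier) -or $_.Name -eq $RpIdentifier } |
    Select-Object -First 1
if (-not $rp) { throw "No relying party trust matches '$RpIdentifier'" }
$rp | Select-Object Name, Identifier, AccessControlPolicyName, IssuanceAuthorizationRules | Format-List

# 3. Apply the policy used in the answer.
Set-AdfsRelyingPartyTrust -TargetName $rp.Name -AccessControlPolicyName 'Permit everyone'

# Scoped alternative: only members of the group that should reach the RMS service.
# Set-AdfsRelyingPartyTrust -TargetName $rp.Name -AccessControlPolicyName 'Permit specific group' `
#     -AccessControlPolicyParameters @{ GroupParameter = @('INTERNAL\RMS Users') }

# 4. Verify the change took effect.
(Get-AdfsRelyingPartyTrust -Name $rp.Name).AccessControlPolicyName
```

Re-run the MIP SDK client after step 3; the AD FS login should now complete without the MSIS9622 page, and the same log query should stop showing new denials for the trust.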
