5
votes

We are developing a cross-platform mobile app using Xamarin.Forms that uses Azure Active Directory Authentication. For that case we use Microsoft.IdentityModel.Clients.ActiveDirectory nuget. It works fine with any case other than this one:

UWP user is trying to login with a corporate account while being connected to a network that hosts the ADFS - after typing user@domain the adal page tries to redirect to organization login page and fails with message - We can't connect to the service you need right now. Check your network connection or try this later.

  • The problem does not appear when we are running the app from Visual Studio. It only appears when the app is installed through .appx.

  • The problem does not appear when user is connected to other network - I have tried to log in while being connected to a HotSpot set on my Android phone and I successfully logged in.

  • The problem does not appear when user is connected to the corporate network, but logs in with account that is not in our ADFS.


The method we use to log in:

AuthenticationContext.AcquireTokenAsync(resource, clientId, RedirectUri, platformParameters)

We set the parameter useCorporateNetwork of platformParameters to true; in project properties -> Package Manifest -> Capabilities, we set flags like Private Networks (Client & Server).

When trying to log in without setting RedirectUri, the corporate login page will appear and you will be able to type your login/password and have them validated, but it is useless for us as we need to redirect the login to our API - when logging in like that you will get an error that the specified redirectUri is different from the one configured for the clientId used.

I have been trying different approaches like using the native WebAuthenticationCoreManager, but it doesn't support RedirectUri (if it does and will work, please write how!), and setting loopback exemptions for our app and AuthHost.exe (nothing changed).


I am happy to use anything that will work, it can be native UWP approach as we can use platform dependency.


EDIT

When I am trying to connect through VPN, then when logging in I get the message - We can't connect to the service you need right now. Check your network connection or try this later. - even when I am running the app from Visual Studio.

As for trying to find the cause of the problem with Fiddler I was stunned - when I monitor the authhost.exe process with fiddler (I select the authentication popup window as target process) - then the authentication finishes successfully. The moment I stop monitoring with fiddler - it fails again.

2
Since you mentioned the Azure Active Directory authentication, did you integrate your on-premise Active Directory with Azure Active Directory? (Fei Xue - MSFT)
As for the AAD I was responsible for just using it, not configuring it, but as the app works on Android and iOS without a problem (even within the corporate network), then it should be all set up correctly on the AAD side, right? (macchmie3)
Azure Active Directory is different from Active Directory; to understand correctly, I want to confirm with you whether you were using Azure Active Directory or Active Directory. You can refer here about the Azure Active Directory. (Fei Xue - MSFT)
Yes, this is Azure Active Directory; I talked to our Backend team and double checked on the Azure Portal. (macchmie3)
You should get a Fiddler trace to see if there is a real connectivity problem. (maweeras)

2 Answers

5
votes

Interesting that you got it working with Fiddler attached to AuthHost. In your troubleshooting have you tried the following options?

Enable capabilities in AppPackage manifest

  • privateNetworkClientServer
  • enterpriseAuthentication
  • sharedUserCertificate

Add loopback exemptions

CheckNetIsolation.exe LoopbackExempt -a -n=<YourPackageFamilyName>
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.a_8wekyb3d8bbwe 
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.a.p_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.sso_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.sso.p_8wekyb3d8bbwe 

Enable private network for AuthHost

REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe" /v EnablePrivateNetwork  /t REG_DWORD /d 1 /f
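The three steps above, applied and verified in one script. This is an added example, not the answerer's code or anything shipped by Microsoft: it assumes the package Name `Contoso.ExampleXamarinApp` is a placeholder you replace with your own app's package name, it reads the installed AppxManifest.xml to report whether the three capabilities were actually built into the .appx (the capability set itself can only be changed in Package.appxmanifest before packaging), and it uses the AuthHost package family names and the EnablePrivateNetwork registry value exactly as listed in the answer. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original answer): apply and verify the
# capability / loopback-exemption / AuthHost registry steps for one UWP app.
param(
    # Placeholder: the Name (not PackageFamilyName) of your installed package.
    [string]$AppPackageName = 'Contoso.ExampleXamarinApp'
)

$ErrorActionPreference = 'Stop'

# Step 1 (check only): which of the required capabilities did the .appx declare?
$requiredCaps = @('privateNetworkClientServer', 'enterpriseAuthentication', 'sharedUserCertificate')
$pkg = Get-AppxPackage -Name $AppPackageName
if (-not $pkg) { throw "Package '$AppPackageName' is not installed for this user." }

[xml]$manifest = Get-Content -Path (Join-Path $pkg.InstallLocation 'AppxManifest.xml')
# Capability elements may be <Capability> or <uap:Capability>; the Name attribute is what matters.
$declared = $manifest.Package.Capabilities.ChildNodes |
    Where-Object { $_.NodeType -eq 'Element' } |
    ForEach-Object { $_.GetAttribute('Name') }
foreach ($cap in $requiredCaps) {
    $state = if ($declared -contains $cap) { 'present' } else { 'MISSING - add it in Package.appxmanifest and rebuild' }
    Write-Host ('Capability {0,-28} {1}' -f $cap, $state)
}

# Step 2: loopback exemptions for the app and the AuthHost packages.
# Each exemption relaxes AppContainer network isolation for that package only,
# so exempt exactly these package families and nothing broader.
$families = @(
    $pkg.PackageFamilyName,
    'microsoft.windows.authhost.a_8wekyb3d8bbwe',
    'microsoft.windows.authhost.a.p_8wekyb3d8bbwe',
    'microsoft.windows.authhost.sso_8wekyb3d8bbwe',
    'microsoft.windows.authhost.sso.p_8wekyb3d8bbwe'
)
foreach ($family in $families) {
    & CheckNetIsolation.exe LoopbackExempt -a "-n=$family" | Out-Null
}

# Step 3: allow AuthHost.exe onto the private network (same value as the REG ADD above).
$ifeoKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe'
if (-not (Test-Path $ifeoKey)) { New-Item -Path $ifeoKey -Force | Out-Null }
New-ItemProperty -Path $ifeoKey -Name 'EnablePrivateNetwork' -PropertyType DWord -Value 1 -Force | Out-Null

# Verification: show the exemption list and the registry value that were just set.
& CheckNetIsolation.exe LoopbackExempt -s
Get-ItemProperty -Path $ifeoKey -Name 'EnablePrivateNetwork' | Select-Object EnablePrivateNetwork
```

Keep the exemption list to the package families shown; each entry is a hole in the AppContainer isolation for that package, and `CheckNetIsolation.exe LoopbackExempt -d -n=<family>` removes one again when the workaround is no longer needed. The capability check is deliberately read-only: if it reports MISSING, the fix is in the manifest before packaging, which is also why the symptom only shows up in the installed .appx and not when running from Visual Studio.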
0
votes

Not sure if it is related, but I was experiencing the same issue with a UWP app that was connecting to an Azure Mobile App back-end. In my case it involved corporate authentication (ADAL) along with a network proxy that was sitting in the middle. Besides the manifest permissions specified above, I also had to update the web.config on the server side to enable proxy authentication pass-through. See the following link for more information.

<system.net>
    <defaultProxy useDefaultCredentials="true" />
</system.net>

Fix it so that .NET apps can access HTTP thru authenticating proxy server by default