We are developing a cross-platform mobile app using Xamarin.Forms that uses Azure Active Directory Authentication. For that case we use Microsoft.IdentityModel.Clients.ActiveDirectory nuget. It works fine with any case other than this one:
UWP user is trying to login with a corporate account while being connected to a network that hosts the ADFS - after typing user@domain the adal page tries to redirect to organization login page and fails with message - We can't connect to the service you need right now. Check your network connection or try this later.
The problem does not appear when we are running the app from Visual Studio. It only appears when the app is installed through .appx.
The problem does not appear when user is connected to other network - I have tried to log in while being connected to a HotSpot set on my Android phone and I successfully logged in.
The problem does not appear when user is connected to the corporate network, but logs in with account that is not in our ADFS.
The method we use to log in:
AuthenticationContext.AcquireTokenAsync(resource, clientId, RedirectUri, platformParameters)
We set parameter useCorporateNetwork for platformParameters to true, in project properties -> Package Manifest -> Capabilities, we set flags like Private Networks (Client & Server)
When trying to login without setting RedirectUri, then the corporate login page will appear and you will be able to type your password/login and have them validated, but it will be useless for us as we need to Redirect the login to our API - when logging in like that you will have error that specified redirectUri is other than configured for used clientId.
I have been trying different approaches like using native WebAuthenticationCoreManager, but it doesnt support RedirectUri (if it does and will work please write how!), setting Loopback Exempts for our app and AuthHost.exe (nothing changed).
I am happy to use anything that will work, it can be native UWP approach as we can use platform dependency.
EDIT
When I am trying to connect through VPN then when logging in I get the message - We can't connect to the service you need right now. Check your network connection or try this later. - even when I am running the app from visual studio.
As for trying to find the cause of the problem with Fiddler I was stunned - when I monitor the authhost.exe process with fiddler (I select the authentication popup window as target process) - then the authentication finishes successfully. The moment I stop monitoring with fiddler - it fails again.
Interesting that you got it working with Fiddler attached to AuthHost. In your troubleshooting have you tried the following options?
Enable capabilities in AppPackage manifest
Add loopback exemptions
CheckNetIsolation.exe LoopbackExempt -a -n=<YourPackageFamilyName>
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.a_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.a.p_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.sso_8wekyb3d8bbwe
CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.authhost.sso.p_8wekyb3d8bbwe
Enable private network for AuthHost
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe" /v EnablePrivateNetwork /t REG_DWORD /d 1 /f
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With