I have a C# console application that references the ADAL.NET library (Microsoft.IdentityModel.Clients.ActiveDirectory version 2.19.208020213).
The purpose of the console app is to consume an HTTP endpoint which is protected with ADFS.
The implementation of the ADFS auth is as follows...
var uc = new UserCredential("user", "password");
var ctx = new AuthenticationContext("https://sts.example.com/adfs", false);
var token = ctx.AcquireToken(ClientResourceUri, ClientId, uc);
The call to AcquireToken throws an exception...
This method overload is not supported by 'https://sts.example.com/adfs/'
Calling AcquireToken without the UserCredential object, and instead providing a redirectUri, works, but throws up a dialog prompting for username and password, which is unsuitable as the console app will be executed in a non-user environment...
var redirect = new Uri("https://example.com/arbitaryRedirect");
var token = ctx.AcquireToken(ClientResourceUri, ClientId, redirect);
//dialog is shown
If I switch to the latest alpha release of the ADAL.NET library (3.6.212041202-alpha), the error is more revealing...
MSIS9611: The authorization server does not support the requested 'grant_type'. The authorization server only supports 'authorization_code' or 'refresh_token' as the grant type.
However, mining Google yields very little.
Is it actually possible to authenticate silently against ADFS?
Would I be correct in assuming (based upon answers in other posts) that the correct approach is to use WsTrustChannelFactory instead?
If not, what is the best approach?
It is possible using ADAL 3.x and ADFS in Windows Server 2016, with pretty much the same code you posted. Combinations of older versions of either ADAL or ADFS won't work. Alternatively, you can use WS-Trust - which is significantly harder to handle, but can get the job done.
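A sketch of the silent flow the answer describes, added here as an example and not taken from the original posts. It assumes a stable ADAL 3.x package (where `UserPasswordCredential` and the `AcquireTokenAsync` extension exist) and ADFS on Windows Server 2016; the environment variable names, `ApiUrl` and the bracketed placeholders are hypothetical.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

static class Program
{
    // Placeholders (assumptions): use the values registered in your ADFS farm.
    const string Authority = "https://sts.example.com/adfs";
    const string ClientId = "<client-id>";
    const string ClientResourceUri = "<resource-identifier>";
    const string ApiUrl = "https://example.com/api"; // hypothetical protected endpoint

    static async Task<string> GetAccessTokenAsync()
    {
        // Hypothetical variable names; keeps the service password out of source control.
        string user = Environment.GetEnvironmentVariable("SVC_USER");
        string pass = Environment.GetEnvironmentVariable("SVC_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
            throw new InvalidOperationException("SVC_USER and SVC_PASSWORD must be set.");

        // Authority validation is disabled, as in the question's code.
        var ctx = new AuthenticationContext(Authority, false);
        try
        {
            // No redirect URI and no dialog: the credential is sent in the token request.
            AuthenticationResult result = await ctx.AcquireTokenAsync(
                ClientResourceUri, ClientId, new UserPasswordCredential(user, pass));
            return result.AccessToken;
        }
        catch (AdalServiceException ex) when (ex.Message.Contains("MSIS9611"))
        {
            // The error quoted in the question: this ADFS version rejects the grant type.
            throw new NotSupportedException(
                "This ADFS server only issues tokens for authorization_code or refresh_token.", ex);
        }
    }

    static int Main()
    {
        try
        {
            string token = GetAccessTokenAsync().GetAwaiter().GetResult();
            using (var http = new HttpClient())
            {
                http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
                Console.WriteLine((int)http.GetAsync(ApiUrl).GetAwaiter().GetResult().StatusCode);
            }
            return 0;
        }
        catch (Exception ex) { Console.Error.WriteLine(ex.Message); return 1; }
    }
}
```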