UWP authentication sometimes crashes #1098
Comments
Still hitting this issue, just received a report with this stack trace. Any updates to this?
Hi @tipa - any chance you could list the capabilities for your app? Also, is the stack trace identical to the one posted by the OP? Google translates it as "The process ended unexpectedly" - this may be a bug in WAB / calling WAB.
I am currently using these capabilities:
I am actually not sure any more where I took the stack trace from in my first post, but I checked my mails for previous stack traces and found these:
Any updates on this? Is the capability "internetClient" the only one that's needed? Even when logging in to a OneDrive for Business Account?
I do believe that InternetClient is the only one needed. The other 3 "enterprisey" ones are used in Integrated Windows Authentication (i.e. Kerberos) to figure out the currently logged in user. MSAL does not have any special code paths related to resources / scopes - there is nothing different in accessing OneDrive versus accessing Graph.
For the reports you keep getting, can you confirm if the problem is transient or not? Does reopening the app allow users to re-login?
I asked my users that encountered the issue and one responded that he kept getting the error permanently, even after restart of the app and PC.
Will treat this as a bug. MSAL delegates the auth part of the WAB component (Windows Authentication Broker).
@tipa: I think you read the readme for this sample: https://github.com/azure-samples/active-directory-xamarin-native-v2#UWP-specific-considerations, but checking in case?
No I'm not using the
Hi @tipa, I've followed this up with the folks who own this component. Firstly, they confirmed that the capabilities used are as you described. Second, they need more information around the error, i.e. WAB logs. They have pointed at: https://docs.microsoft.com/en-us/windows/win32/secauthn/web-authentication-problems
Provide an exception that says that it looks like the file is corrupted (apparently that happens to DPAPI files?), and provide the API so that the app deletes it if it wants.
Or just delete the file. Make sure we have enough logging, and also let the app dev know through an exception. The exception should have all the information about the fact that the file was deleted and recreated because it was corrupted (#supportablity)
@tipa: yes, I think they probably have the same root cause. @bgavrilMS do you confirm?
No, this is not the same root cause. There are 2 root causes identified by @tipa :
I plan to tackle the first one by automatically deleting the token cache file, which will result in the user having to re-authenticate (better than uninstalling the app). For the second issue, I am following up with the WAB team to see if a retry mechanism would help.
I added a retry when calling WAB and some information on how to collect logs if this occurs again. It's not a fix per se, but hopefully it will bring us closer to a solution.
@tipa @bratsche This is included in the 4.5.0 release.
I now had the case that a user ran into the same problem and he also was able to gather the logs as described in the article linked in the error message. Is there a way I can share the logs with you? I'd prefer not to upload them to GitHub.
@tipa: you can send them to me: Jean-Marc dot Prieur at microsoft.com
Sure, I've just sent them
We are seeing a similar issue on an end-user system. (cc @kevcrooks)
Microsoft.Identity.Client 4.11.0
Expected behaviour: the AcquireTokenInteractive box should appear after the ExecuteAsync() method is called, for the user to log in
Actual behaviour: The box does not appear, and an exception is thrown:
Is this the same issue or shall I post a new issue @jmprieur? Is there no way to get WAB to report a useful exception?
@charlesroddie - please log a separate issue
@bgavrilMS done #1782
@tipa - it looks like the WAB error is because it cannot reach the ping-sso url
AuthHost encountered a navigation error at URL: <https://ping-sso.schneider-electric.com/idp/eyJ2c2lkIjoic2UuY29tIn0=/prp.wsf?client-request-id=c07c1ec......... HR_INET_E_RESOURCE_NOT_FOUND
A few thoughts:
Thanks for looking into it. This was quite an old log, once I have another user who is experiencing this and willing to collect the (PII) logs, I will send them in.
Which version of MSAL are you using?
MSAL 3.0.5-preview
Platform
UWP
In my UWP app, I only had internetClient capability enabled and it works ok for most users. However, some of my users get an error like
{Microsoft.Identity.Client.MsalException: WAB authentication failed ---> System.IO.FileNotFoundException: The specified protocol is unknown. (Exception from HRESULT: 0x800C000D) at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) ...(TRUNCATION)... --- End of stack trace from previous location where exception was thrown --- at UserDetailsClient.MainPage.d__2.MoveNext() ErrorCode: authentication_ui_failed}
Therefore I investigated about what could be the problem and found out it could be related to the app capabilities.
Could you please clarify regarding the capabilities needed for UWP.
Here, @jennyf19 states these 4 capabilities are needed:
However, in this example, these 4 capabilities are listed (sharedUserCertificates instead of userAccountInformation):
Then again, in this example, only this capability is listed:
Two of the above capabilities, sharedUserCertificates & enterpriseAuthentication, are restricted capabilities and I would only want to include them if they are indeed needed.
All very confusing. Could you maybe clarify here and in the docs?