I use the AcquireTokenAsync method as follows:

    using System;
    using System.Diagnostics;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    var authenticationContext = new AuthenticationContext(azureActiveDirectoryAuthority);
    var authenticationResult =
        await authenticationContext.AcquireTokenAsync(
            azureActiveDirectoryResource,
            azureActiveDirectoryClientId,
            new Uri("urn:ietf:wg:oauth:2.0:oob"),
            new PlatformParameters(
                PromptBehavior.Always,
                Process.GetCurrentProcess().MainWindowHandle));
It works fine on Windows 10.
When I run the application on Windows Server, which has Enhanced Security Configuration (ESC) enabled,
it turns out that the prompt window where the user enters their credentials to authenticate with Azure AD is blocked, because the URLs
https://login.microsoftonline.com
https://secure.aadcdn.microsoftonline-p.com
are not in the default trusted sites of the Internet Explorer security configuration.
[Screenshot: the pop-up window being blocked by the IE security settings]
I can change this configuration manually or programmatically (by editing the registry, for example), but this code is part of an installation that runs on the customer's server, so I can't change these security settings that easily.
Is there any solution to use this authentication for Azure AD on Windows Server with ESC, without getting blocked by IE? Is there some other API that doesn't use the IE browser, or some way to use another browser (like Chrome, which doesn't block these sites)?
Thanks,
Niv
I can change this configuration manually or programmatically (by editing the registry, for example), but this code is part of an installation that runs on the customer's server, so I can't change these security settings that easily.
Instead of disabling Windows Server ESC, adding Microsoft's sites to the trusted URLs is recommended. We can also do this using code; here is a code sample using PowerShell for your reference:
    # Parameters and helpers the sample relies on (not shown in the original excerpt; assumed here):
    param(
        [string[]]$TrustedSites,
        [switch]$HTTP,        # register the site as http:// instead of https://
        [int]$DWord = 2,      # zone 2 = Trusted sites
        [string]$UserRegPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    )
    function CreateKeyReg([string]$KeyPath, [string]$Name) {
        # Create the per-domain key under ZoneMap if it does not exist yet
        if (-not (Test-Path "$KeyPath\$Name")) { New-Item -Path $KeyPath -Name $Name -Force | Out-Null }
    }
    function SetRegValue([string]$RegPath, [bool]$blnHTTP, [int]$DWord) {
        # The value name is the scheme; its DWORD data is the zone number
        $scheme = if ($blnHTTP) { "http" } else { "https" }
        New-ItemProperty -Path $RegPath -Name $scheme -Value $DWord -PropertyType DWord -Force | Out-Null
    }

    If($TrustedSites)
    {
        #Adding trusted sites in the registry
        Foreach($TrustedSite in $TrustedSites)
        {
            #If the user does not specify the user type, by default the script will add the trusted sites for the current user.
            If($HTTP)
            {
                CreateKeyReg -KeyPath $UserRegPath -Name $TrustedSite
                SetRegValue -RegPath "$UserRegPath\$TrustedSite" -blnHTTP $true -DWord $DWord
                Write-Host "Successfully added '$TrustedSite' domain to Internet Explorer trusted Sites."
            }
            Else
            {
                CreateKeyReg -KeyPath $UserRegPath -Name $TrustedSite
                SetRegValue -RegPath "$UserRegPath\$TrustedSite" -blnHTTP $false -DWord $DWord
                Write-Host "Successfully added '$TrustedSite' domain to Internet Explorer trusted Sites."
            }
        }
    }
You can refer to the full code sample here.
NOTE:
The script above doesn't work for Windows Server 2016; we need to modify $UserRegPath
from HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
to HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
Is there any solution to use this authentication for Azure AD on Windows Server with ESC, without getting blocked by IE? Is there some other API that doesn't use the IE browser, or some way to use another browser (like Chrome, which doesn't block these sites)?
No, there is no such API. By default, the ADAL library for .NET uses the WebBrowser control to interact with users (refer to the source code here).
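The following is an added example, not code from the original question or answer. It applies the answer's approach end to end: it writes the two Azure AD hosts the prompt needs into the current user's IE Trusted Sites zone under both ZoneMap\Domains (normal IE zone map) and ZoneMap\EscDomains (the map IE consults while ESC is active, which the note above says is needed on Windows Server 2016), and then reads the keys back to verify. Assumptions not stated on the page: that login.microsoftonline.com and secure.aadcdn.microsoftonline-p.com are the only hosts the prompt needs, that zone value 2 is "Trusted sites", that the nested key layout Domains\<domain>\<subdomain> with an https DWORD is what IE reads, and that the two Active Setup component GUIDs in Test-IeEscEnabled are the ones that toggle ESC for administrators and users.

```powershell
# Added example (not from the original post). Trust the Azure AD login hosts in IE,
# for both the normal and the ESC zone maps, and verify the result.
# Assumed: only the two hosts below are needed; zone 2 = Trusted sites;
# the Active Setup GUIDs below are the admin/user ESC components.

$Hosts = @('login.microsoftonline.com', 'secure.aadcdn.microsoftonline-p.com')
$TrustedZone = 2
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Test-IeEscEnabled {
    # Returns $true if ESC is installed for administrators or for users (assumed GUIDs).
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $ids = @('{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}',   # administrators
             '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}')   # users
    foreach ($id in $ids) {
        $p = Join-Path $base $id
        if ((Test-Path $p) -and ((Get-ItemProperty -Path $p).IsInstalled -eq 1)) { return $true }
    }
    return $false
}

function Split-HostName([string]$HostName) {
    # 'login.microsoftonline.com' -> Domain 'microsoftonline.com', Sub 'login'
    $labels = $HostName.Split('.')
    $domain = ($labels[-2..-1]) -join '.'
    $sub = if ($labels.Count -gt 2) { ($labels[0..($labels.Count - 3)]) -join '.' } else { $null }
    return @{ Domain = $domain; Sub = $sub }
}

function Add-TrustedSite([string]$HostName, [string]$ZoneMapRoot, [int]$Zone) {
    # Creates ZoneMapRoot\<domain>\<sub> and sets https = <zone>. Only https is
    # trusted on purpose: an http entry would let a plaintext page run with
    # Trusted-zone privileges, and the login flow is https-only anyway.
    $parts = Split-HostName $HostName
    $key = Join-Path $ZoneMapRoot $parts.Domain
    if ($parts.Sub) { $key = Join-Path $key $parts.Sub }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'https' -Value $Zone -PropertyType DWord -Force | Out-Null
    return $key
}

function Test-TrustedSite([string]$HostName, [string]$ZoneMapRoot, [int]$Zone) {
    # Reads the entry back; $true only if the https value is present and equals the zone.
    $parts = Split-HostName $HostName
    $key = Join-Path $ZoneMapRoot $parts.Domain
    if ($parts.Sub) { $key = Join-Path $key $parts.Sub }
    if (-not (Test-Path $key)) { return $false }
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).https
    return ($null -ne $v -and [int]$v -eq $Zone)
}

# Always write Domains; add EscDomains too when ESC is on, since that is the
# list IE checks for the popup while ESC is active.
$maps = @('Domains')
if (Test-IeEscEnabled) { $maps += 'EscDomains' }

foreach ($h in $Hosts) {
    foreach ($m in $maps) {
        $root = Join-Path $ZoneMap $m
        $written = Add-TrustedSite -HostName $h -ZoneMapRoot $root -Zone $TrustedZone
        if (Test-TrustedSite -HostName $h -ZoneMapRoot $root -Zone $TrustedZone) {
            Write-Host "OK   https://$h -> $written"
        } else {
            Write-Warning "FAIL https://$h was not registered under $root"
        }
    }
}
```

Two practical caveats when shipping this inside an installer: the keys live under HKCU, so they only affect the account the script runs as, which must be the same interactive account that will later launch the application and see the ADAL pop-up; and the script adds exactly two https hosts to the Trusted zone rather than disabling ESC or trusting a whole top-level domain, which is the narrowest change that unblocks the prompt.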