MSIX Windows 10 App Access Denied post-SSO sign-in for Azure migration
We are in the process of migrating our applications into Azure.
We have created an MSIX installer for an internal WPF application that installs to the Windows 10 C:\Program Files\WindowsApps\ folder. When we run the application, it requires us to enter our Single Sign-On (SSO) credentials via the online Windows/Azure web portal. After successfully entering our credentials, we get a following pop-up that says access to a file is denied (see below). We get this error regardless of whether running it normally or as administrator.
We are unable to find anything online that has been helpful in resolving the error. We did try taking ownership of this protected folder and then unchecking the read-only option, but that did not work (nor does that sound like a good idea, but this is troubleshooting). We do not see anything in the MSIX setup project that can resolve this issue. Does anyone know why we are getting this error and how to resolve it?
In the Event Viewer, the following information is provided:
I found the problem - it was the need to store the token in a cache file. When I did a Google search for msalcache, it came back as the TokenCacheHelper, which is in the stack trace. This file appears to be auto-generated with the code output below.
//------------------------------------------------------------------------------
//
// Copyright (c) Microsoft Corporation.
// All rights reserved.
//
// This code is licensed under the MIT License.
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files(the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions :
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
//
//------------------------------------------------------------------------------
using Microsoft.Identity.Client;
using System.IO;
using System.Runtime.Versioning;
using System.Security.Cryptography;
namespace <AppName>.Helpers
{
static class TokenCacheHelper
{
/// <summary>
/// Path to the token cache
/// </summary>
public static readonly string CacheFilePath = System.Reflection.Assembly.GetExecutingAssembly().Location + ".msalcache.bin3";
private static readonly object FileLock = new object();
public static void BeforeAccessNotification(TokenCacheNotificationArgs args)
{
lock (FileLock)
{
args.TokenCache.DeserializeMsalV3(File.Exists(CacheFilePath)
? ProtectedData.Unprotect(File.ReadAllBytes(CacheFilePath),
null,
DataProtectionScope.CurrentUser)
: null);
}
}
public static void AfterAccessNotification(TokenCacheNotificationArgs args)
{
// if the access operation resulted in a cache update
if (args.HasStateChanged)
{
lock (FileLock)
{
// reflect changesgs in the persistent store
File.WriteAllBytes(CacheFilePath,
ProtectedData.Protect(args.TokenCache.SerializeMsalV3(),
null,
DataProtectionScope.CurrentUser)
);
}
}
}
internal static void EnableSerialization(ITokenCache tokenCache)
{
tokenCache.SetBeforeAccess(BeforeAccessNotification);
tokenCache.SetAfterAccess(AfterAccessNotification);
}
}
}
After doing some more searching, I found these two links of relevance:
- https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization#simple-token-cache-serialization-msal-only
- https://github.com/MicrosoftDocs/azure-docs/issues/49182
The relevant code in question is for the CacheFilePath, which is actually stored in a comment:
/// <summary>
/// Path to the token cache. Note that this could be something different for instance for MSIX applications:
/// private static readonly string CacheFilePath =
/// $"{Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData)}\{AppName}\msalcache.bin";
/// </summary>
public static readonly string CacheFilePath = System.Reflection.Assembly.GetExecutingAssembly().Location + ".msalcache.bin3";
The recommended fix for the CacheFilePath is actually invalid. So, I made the following modification:
private static readonly string AppName = System.Reflection.Assembly.GetExecutingAssembly().GetName().Name;
private static readonly string ApplicationDataFolder = $"{Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData)}\\{AppName}\\";
private static readonly string CacheFilePath = $"{ApplicationDataFolder}\\msalcache.bin";
I then added the following method:
public static void CreateApplicationDataDirectory()
{
FileInfo fileInfo = new FileInfo(ApplicationDataFolder);
// Check to see if the directory exists. If it does not then create it. If we do not do this then the token CacheFilePath will
// not be created.
if (!fileInfo.Exists)
Directory.CreateDirectory(fileInfo.Directory.FullName);
}
I then modified the App.Xaml.cs file to call the CreateApplicationDataDirectory right after the ApplicationBuild process:
_clientApp = PublicClientApplicationBuilder.Create(Params.ClientId)
.WithAuthority(AzureCloudInstance.AzurePublic, Params.Tenant)
.WithRedirectUri("http://localhost:1234")
.Build();
TokenCacheHelper.CreateApplicationDataDirectory();
TokenCacheHelper.EnableSerialization(_clientApp.UserTokenCache);
- WPF DataGrid Row Header
- How to Extract Default Control Template In Visual Studio?
- Handle NotifyCanExecuteFor when using Model as ObservableProperty in MVVM Toolkit ViewModel
- Binding default value to visibility if default value is null in ViewModel
- Can't find or load merged resources dictionary
- Which method need to override to round the corner of NotiIcon's ContextMenuStrip?
- VS 2022: Breakpoint will not currently be hit. No symbols have been loaded for this document
- Vertical Align the text inside textbox of DatePicker in C#, WPF
- Newtonsoft.Json.JsonSerializationException: Unable to find a constructor to use for type System.Windows.Ink.Stroke
- WPF event leakage
- MVVM does not receive message
- Drag and drop from explorer not working in WPF app packaged with MSIX
- XAML Binding of a property of an object from a collection using a static enum key
- Why is the WPF Designer not picking up my code changes to my Control Library at design time?
- How to set Canvas.ZIndex to paint a black panel between the controls?
- IEditableObject implementations
- Dispose or kill DispatcherTimer object and Accessing DispatcherTimer object
- How to change the stringformat of Oxyplot track value?
- Changing the start up location of a WPF window
- How to set the location of a WPF window?
- How to avoid threaded Task to be Garbage Collected?
- How to make a Slider Control and progress Bar for Music Player WPF
- WPF animation slow when the mouse is in the window
- WPF loading spinner
- How to Display Arrows for MenuItem?
- Setting WPF image source in code
- In what order are Panels the most efficient in terms of render time and performance?
- Create a grid of controls that share one event handler that can get the button's position
- NETSDK1135 SupportedOSPlatformVersion 10.0.19041.0 cannot be higher than TargetPlatformVersion 7.0
- How can I provide dynamic filtering on an entity collection?