-
Notifications
You must be signed in to change notification settings - Fork 340
Known issues
MSAL throws a few types of exceptions, please see here.
Please read the guide on High Availability
System.Security.Cryptography.CryptographicException: A device attached to the system is not functioning.
When running in a tight loop, the crypto API sometimes throws the exception above. The root cause seems to be Windows API and affects all .NET versions, although higher .NET versions (4.6+) seem to encounter this more. We are working on finding a workaround. The issue is mostly seen in Client Credential flow.
Users are unable to login interactively and a "Device is not compliant" error is shown when:
- the tenant admin has enabled the "Require device to be marked as compliant" Conditional Access policy
- the app is invoking public client flows (i.e. rich client apps, not web sites)
- the app is using the embedded browser control available in ADAL or MSAL (this is the default for .NET Framework apps)
- configure MSAL to use the system (default OS) browser (details here). Both Chrome and Microsoft Edge browsers are able to satisfy the device policy.
- if using ADAL, migrate to MSAL first. There is no mitigation for ADAL use.
- MSAL library will use a more capable embedded browser control, which is based on Microsoft Edge, once this is publicly available. Tracking issue. Applications will need to package the browser runtime (details here)
- MSAL will offer integration with Windows Authentication Manager, for an authentication experience that is more aligned with Windows 10's vision. This also satisfies the conditional access policies. More details and tracking issues here
On Android, an AndroidActivityNotFound exception is thrown when the device does not have a browser with tabs
https://docs.microsoft.com/en-gb/azure/active-directory/develop/msal-net-system-browser-android-considerations#known-issues
Most issues on UWP occur due to network problems, such as proxies that block the traffic etc. Integrated Windows Auth may also be blocked by admins. For more details see:
On a Desktop app, a StateMismatchError exception is thrown when the using a long Facebook ID (via B2C) in conjunction with the embedded browser.
For more details, please refer: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/StateMismatchError
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Xamarin Docs
- UWP
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- High Availability
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code