ADAL AcquireToken with ClientCredential fails with invalid_client (ACS50012) RRS feed

  • Question

  • My Azure AD "web application" won't allow me to get an auth token using ADAL's AuthenticationContext.AcquireToken method with ClientCredential.

    I am trying to use Microsoft.IdentityModel.Clients.ActiveDirectory version 1.0.3 (from NuGet).

    (I can't use the overload that prompts the user to login because I'm writing a service, not an app.)

    I configured my Azure AD web application as described in various tutorials/samples (e.g. [ADAL - Server to Server Authentication](http://code.msdn.microsoft.com/windowsazure/AAL-Server-to-Server-9aafccc1)).

    My code looks like:

    AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/thommmondago.onmicrosoft.com");
    ClientCredential cc = new ClientCredential("41151135-61b8-40f4-aff7-8627e9eaf853", clientSecretKey);
    AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);

    The `AcquireToken` line throws an exception:

        sts_token_request_failed: Token request to security token service failed.  Check InnerException for more details

    The inner exception is a WebException, and the response received looks like an oauth error:

        { "error":"invalid_client",
         "error_description":"ACS50012: Authentication failed."
         "timestamp":"2014-03-17 12:26:19Z",
         "correlation_id":"b304af2e-2748-4067-99d0-2d7e55b121cd" }

    Bypassing ADAL and using curl with the oauth endpoint also gives the same error.

    My code works if I use the details of the Azure application that I found [here](https://github.com/MSOpenTech/AzureAD-Node-Sample/wiki/Windows-Azure-Active-Directory-Graph-API-Access-Using-OAuth-2.0):

    AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/graphDir1.onmicrosoft.com");
    ClientCredential cc = new ClientCredential("b3b1fc59-84b8-4400-a715-ea8a7e40f4fe", "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=");
    AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);

    So it's not an error with my code. I think it's either an error with my Azure AD, or I've got the ClientCredential parameters wrong.

    Someone on stackoverflow has the same issue and no answer: http://stackoverflow.com/questions/21797154/azure-active-directory-webapi-server-to-server?rq=1

    Can anyone replicate creating a new Azure account, adding a web application to the Default Directory Azure AD, and authenticating with it using ADAL and ClientCredential?

    Monday, March 17, 2014 4:28 PM


  • Hi,

    We are seeing some errors with applications created in a several day time range, ending yesterday. We are continuing to fix up these applications but I don't have a good eta when this will be done. I'm apologize for the impact here. 

    Can you try creating a new application and retying the operation with the new client id?


    • Marked as answer by tj-mondago Thursday, March 20, 2014 11:43 AM
    Wednesday, March 19, 2014 5:29 PM

All replies

  • I have something similar, using less sophisticated coding.


    Either its a bug, or its a new constraint: that naming a directory resource port constrains the token issuer from responding to a (manually-keyed) client_credential granting processes.  Rather, one MUST use an id-token, etc.

    Three other pieces of sample code fail, similarly - which consolidated my knowhow, if nothing else.

    Monday, March 17, 2014 5:33 PM
  • I encounted exactly the same problem today.

    I can acquire token using the application registed in AD two weeks ago, either through ADAL or direct http request to oauth endpoint. But when I add a new application in AD to acquire token to access graph API today, "Bad request 400" "ACS50012: Authentication failed" error appears.

     I'm sure the client id and secret are correct. So I wonder whether the issue is caused by recent Azure AD update???

    Tuesday, March 18, 2014 7:38 AM
  • Glad it's not just me then.

    Hopefully Vitorrio or someone on his team will see this thread and be able to comment...

    Wednesday, March 19, 2014 1:21 PM
  • Hi all,

    can you provide details on how you created the application? Via portal or Visual Studio? For the call to the Graph to work, you must set permissions for it.

    I would suggest looking at the configure tab for your app in the portal, and see if you have permisisons for accessing the directory. Something like the following:

    Vittorio [MSFT]

    Wednesday, March 19, 2014 4:20 PM
  • I used the Portal to create the application.

    During the wizard, I selected "an application my organisation is developing".

    Then "Web application and/or web api".

    Anything in the sign-on url and app id uri (I believe it doesn't matter what is put here, as I just want to use this app to get a token for Graph and nothing else).

    I enabled all permissions:


    Thanks for helping us!

    • Edited by tj-mondago Wednesday, March 19, 2014 4:34 PM
    Wednesday, March 19, 2014 4:30 PM
  • Hi,

    We are seeing some errors with applications created in a several day time range, ending yesterday. We are continuing to fix up these applications but I don't have a good eta when this will be done. I'm apologize for the impact here. 

    Can you try creating a new application and retying the operation with the new client id?


    • Marked as answer by tj-mondago Thursday, March 20, 2014 11:43 AM
    Wednesday, March 19, 2014 5:29 PM
  • well done. It now works as expected. A day or so or ago, the same process failed.

    testing client_credentials http://wp.me/p1fcz8-4WT via @wordpressdotcom

    my azure mobile sites webapi script still doesn't work, when setting up to read the users record. But, I cannot blame the get directory-reading token, now.

    Thursday, March 20, 2014 1:14 AM
  • Thanks, it is working on new apps.

    Is there anything we can do on our end to existing apps to make them work? In case it happens again in the future?

    Thursday, March 20, 2014 11:44 AM
  • Folks,

    First of all sorry for the inconvenience here.  We actually had 2 bugs here. 

    The first issue was an issue with the STS not issuing a token (invalid_client), due to a problem with a recent change.  This was unrelated to setting the permissions to other applications control in the UX.

    The second issue was an issue with the aforementioned UX control (well to be fair in the underlying platform), that wasn't actually assigning the permissions when setting Read Directory Data or Read & Write Directory Data.  In this case, getting an access token would be successful, but calls to the Graph API would fail with an "Authorization_RequestDenied" error response.

    Both these issues are now fixed.  On the second issue, it does indeed work for new apps.  For existing apps created using the new control, that suffered from this problem, toggling the permission in the UX and saving *should* fix the issue.  If it doesn't, try deleting the underlying service principal through PowerShell, and then toggling the permissions in the UX and saving.


    Dan Kershaw [msft]

    Thursday, March 20, 2014 5:05 PM
  • Hi  Dan,

    I just posted a question stackoverflow related to Access Token, getting Bad Request Error: AADSTS50001.


    Is this also a known issue to be fixed? If not could you please help me in fixing this.

    Thank you,



    Thank you, Regards, Srigopal

    Tuesday, April 1, 2014 7:59 PM
  • doesnt feel like same issue (set).
    Tuesday, April 1, 2014 9:51 PM

    Still have sts_token_request_failed issue here.

    Executing this code

                string apiResourceId = "https://graph.windows.net";
                string aadInstance = "https://login.windows.net/{0}";        
                string tenant = "XXX3c003-ac06-4793-996c-9894cbf6014e";
                string clientId = "XXXb47b4-12b2-4098-bae8-36c49f6f6578";
                string appKey = "XXXOc86LzJGELUad6WILuLRGXi4quKcF4/rxbBp7DPQ=";
                string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
                var authContext = new AuthenticationContext(authority);

    Works locally but when I run it from an azurewebsite it throws 

    sts_token_request_failed: Token request to security token service failed. 

    Friday, April 25, 2014 1:24 AM
  • I solved upgrading 'Microsoft.IdentityModel.Clients.ActiveDirectory' package to '2.6.1-alpha' still didn't figure out what's going on here.

    Friday, April 25, 2014 1:44 AM
  • I had created the application after 6/20 still I am facing the same issue when I am using v1.0.4. It is properly working with v2.6.2-alpha. It is alpha version so can you please let me know when stable version will be available?




    Sunday, June 29, 2014 5:39 PM
  • I have same issue. With test data all works fine:

      tenant: 'graphDir1.onMicrosoft.com',
      clientid: 'b3b1fc59-84b8-4400-a715-ea8a7e40f4fe',
      clientsecret: 'FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw='

    But with my credentials i have same error:

        "error": "invalid_client",
        "error_description": "ACS50012: Authentication failed.\r\nTrace ID: ed40e697-1821-42dd-8d4e-7c851c6c80c4\r\nCorrelation ID: 31e806ad-c349-4d1f-95e6-79e775ce19c0\r\nTimestamp: 2014-08-28 10:35:00Z",
        "error_codes": [
        "timestamp": "2014-08-28 10:35:00Z",
        "trace_id": "ed40e697-1821-42dd-8d4e-7c851c6c80c4",
        "correlation_id": "31e806ad-c349-4d1f-95e6-79e775ce19c0"

    So what should i do? Thanks!

    Thursday, August 28, 2014 10:41 AM
  • Same for me...

    ACS50012: Authentication failed.
    Trace ID: fc4cf3fb-277c-40eb-b484-16526e3b3a53
    Correlation ID: 19af4531-2e09-48d7-9e56-68ca67037555
    Timestamp: 2014-11-20 15:00:26Z

    Works fine with an older created application, but not with the credentials of a newer created application.

    Any response from a MSFT official?

    Thursday, November 20, 2014 3:03 PM
  • Same here as well.  Able to authenticate client credential flow to a sample application from a couple years ago, but get invalid_client response for apps created yesterday and today. By not specifying the API version in the request, I got a more detailed error message although I'm sure my secret is correct.

    error_description=AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.

    Trace ID: 5d151039-347f-4c57-b523-7258715da908

    Correlation ID: 7b7f9464-6a55-4764-9125-8e703ccd72a4

    Timestamp: 2014-11-21 15:58:28Z

    Friday, November 21, 2014 4:13 PM
  • I have the same issue, an app that has worked for years now fails with the same error as Austin.  It doesn't matter which App I use as several of them, they use the same AAD instance.

    Saturday, April 18, 2015 6:27 PM
  • Do you have an update from MSFT on this issue?
    Tuesday, February 14, 2017 10:55 PM
  • Is there anything documented  with more details of what the "errors" are you've noticed, and the time range... I have been having all sorts of issues with Azure AD and ive been trying to configure it for the first time, teaching myself how to do it, and i thought i was just loosing it.
    • Edited by Cilmike2 Wednesday, March 22, 2017 2:49 PM
    Wednesday, March 22, 2017 2:48 PM
  • Hard to believe this has been going on for over 3 years.  I just ran into it in a .net core 1.1 app I'm building.  Surely someone at Microsoft has a checklist of things that must be done to make this work. 
    Sunday, August 27, 2017 6:36 AM
  • I'm getting these errors right now and my Mobile App Service has been in use for several years then all of a sudden I get an error saying invalid client secret?  I haven't changed anything.  Whats going on with Microsoft Azure and Azure AD B2C?  I'm using Identity Client with Xamarin Forms.
    Thursday, August 30, 2018 1:51 AM