Azure AD authentication issue

  • Question

  • Hi,

    For our internal web application, we use Outlook authentication for our users to log in to our application. We are using Azure AD authentication with username and password, which was implemented in Java.

    Recently all our users were enabled with MFA at the organizational level, due to which we are getting the below error:

    Could you please let us know how we can enable this MFA authentication through Java code? Attached is our code used for doing the authentication with username and password.

     @@@@@@@  Inside authenticate  method
    log4j:WARN No appenders could be found for logger (com.microsoft.aad.adal4j.UserDiscoveryRequest).
    log4j:WARN Please initialize the log4j system properly.
    log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
     @@@@@@@ Inside authenticate  exception
    java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AdalClaimsChallengeException: {"error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: f779f750-4c0f-41d3-96f7-cb2cbe8b3b00\r\nCorrelation ID: a08d809e-4e61-44fa-954c-7c707ccec013\r\nTimestamp: 2019-09-03 06:55:36Z","error":"interaction_required","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50076"}
    at java.util.concurrent.FutureTask.report(Unknown Source)
    at java.util.concurrent.FutureTask.get(Unknown Source)
    at org.kony.kpal.auth.impl.MSOAuthProvider.authenticate(MSOAuthProvider.java:50)
    at org.kony.kpal.auth.impl.MSOAuthProvider.main(MSOAuthProvider.java:91)
    Caused by: com.microsoft.aad.adal4j.AdalClaimsChallengeException: {"error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: f779f750-4c0f-41d3-96f7-cb2cbe8b3b00\r\nCorrelation ID: a08d809e-4e61-44fa-954c-7c707ccec013\r\nTimestamp: 2019-09-03 06:55:36Z","error":"interaction_required","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50076"}
    at com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:124)
    at com.microsoft.aad.adal4j.AuthenticationContext.acquireTokenCommon(AuthenticationContext.java:928)
    at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:70)
    at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:38)
    at com.microsoft.aad.adal4j.AdalCallable.call(AdalCallable.java:47)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Inside main exception
    javax.security.auth.login.LoginException: com.microsoft.aad.adal4j.AdalClaimsChallengeException: { .\r\nTrace ID: f779f750-4c0f-41d3-96f7-cb2cbe8b3b00\r\nCorrelation ID: a08d809e-4e61-44fa-954c-7c707ccec013\r\nTimestamp: 2019-09-03 06:55:36Z","error":"interaction_required","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50076"}

    import java.util.concurrent.ExecutorService;
    import java.util.concurrent.Executors;
    import java.util.concurrent.Future;
    import javax.security.auth.login.LoginException;
    import com.microsoft.aad.adal4j.AuthenticationContext;
    import com.microsoft.aad.adal4j.AuthenticationResult;

    // AUTHORITY_URL, RESOURCE and CLIENT_ID are constants of the enclosing class (not shown in the post).
    public static String authenticate(String USERNAME, String PASSWORD) throws LoginException {
        String name = "";
        AuthenticationContext context;
        AuthenticationResult result = null;
        ExecutorService service = null;
        try {
            System.out.println(" @@@@@@@  Inside authenticate  method");
            service = Executors.newFixedThreadPool(1);
            context = new AuthenticationContext(AUTHORITY_URL, false, service);
            // Resource Owner Password Credentials grant: the user's password is sent straight to AAD,
            // so there is no step at which an MFA prompt can be shown; this is the call that fails with AADSTS50076.
            Future<AuthenticationResult> future = context.acquireToken(RESOURCE, CLIENT_ID, USERNAME, PASSWORD, null);
            result = future.get();
            String TOKEN = result.getAccessToken();
            name = result.getUserInfo().getGivenName();

            // System.out.println("AUTH success result.toString" + result.toString());
            // This writes a bearer token to stdout/logs; keep it out of production logging.
            System.out.println(" @@@@@@@  AUTH success TOKEN ==" + TOKEN);
            System.out.println(" @@@@@@@ AUTH success name == " + name);
        } catch (Exception e) {
            System.out.println(" @@@@@@@ Inside authenticate  exception");
            e.printStackTrace();
            throw new LoginException(e.getMessage());
        } finally {
            // Guard against the NPE the original would throw if the executor was never created.
            if (service != null) {
                service.shutdown();
            }
        }
        return name;
    }

    Tuesday, September 3, 2019 7:15 AM

All replies

  • uvsrajesh, in case you are providing the username and password to your code by pre-populating them, or by providing a custom sign-in page in the application itself that asks the user to enter the username and password and then caches them for future use: this type of flow is called the Resource Owner Password Credentials grant flow of OAuth 2.0 or OIDC and is considered a silent call. If you are going by a silent login call, and the user is a federated user or MFA is enabled on that user, the authentication call is going to fail with the error code "AADSTS50076", because the MFA call could not be completed in a silent auth call.

    More on the Resource Owner Password Credentials grant flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

    In order to make MFA work, you need to use the Authorization Code grant flow of OAuth 2.0. In this OAuth 2.0 auth flow, the user is prompted to enter the username and password on AAD's OAuth 2.0 authorize endpoint, and after validating the credentials, AAD presents the MFA prompt to the user.

    You can read more about the Authorization Code grant flow and OIDC here:

    Authorization Code grant flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

    OIDC: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

    You can also refer to the following Java code sample that uses OIDC and the Authorization Code grant flow:

    https://github.com/azure-samples/active-directory-java-webapp-openidconnect

    Hope this helps.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, September 4, 2019 5:34 AM
  • Hi,

    Thanks for your response. I have tried using the same codebase by downloading it from Git and followed all the steps, but I got the below error when trying to log in. Could you please provide some inputs here?

    I have given a valid URL as per my setup, with the proper port, in the redirect URL in Azure AD:

    http://localhost:9090/adal4jsample/secure/aad

    Sorry, but we’re having trouble signing you in.

    AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '0a5537ce-e849-4d17-8d4c-480349928b4a'.

    Thursday, September 5, 2019 6:51 AM
  • uvsrajesh, make sure that in the Redirect URIs section of AAD you have only one Redirect URI. Secondly, also make sure that in the Java code, where the request is being sent, the request has the same redirect URI specified.

    Hope this helps.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Thursday, September 5, 2019 10:03 AM
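As an added illustration of the two points made in the replies above (the authorization-code flow that lets AAD run the MFA prompt, and the redirect URI that must match the registration exactly), here is example code written for this page, not code from the linked sample or from any participant. It assumes adal4j's AuthenticationContext, ClientCredential and acquireTokenByAuthorizationCode, and uses placeholder values for the tenant, application id, client secret and registered Redirect URI.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
public class AuthCodeFlowExample {
    // Placeholders (assumed): replace with your tenant, app registration and registered Redirect URI.
    static final String AUTHORITY_URL = "https://login.microsoftonline.com/<tenant>/";
    static final String CLIENT_ID = "<application-id>";
    static final String CLIENT_SECRET = "<client-secret>";
    static final String RESOURCE = "https://graph.microsoft.com";
    // Must equal the registered Redirect URI exactly: scheme, host, port and path (else AADSTS50011).
    static final URI REDIRECT_URI = URI.create("https://localhost:9090/adal4jsample/secure/aad");
    static String enc(String s) throws Exception { return URLEncoder.encode(s, "UTF-8"); }

    // Unpredictable per-login value; store it in the user's session before redirecting.
    static String newState() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Step 1: redirect the browser here. AAD collects the password and runs MFA itself,
    // which is why this flow succeeds where the silent ROPC call fails with AADSTS50076.
    static String buildAuthorizeUrl(String state) throws Exception {
        return String.format("%soauth2/authorize?response_type=code&client_id=%s&redirect_uri=%s&resource=%s&state=%s",
                AUTHORITY_URL, enc(CLIENT_ID), enc(REDIRECT_URI.toString()), enc(RESOURCE), enc(state));
    }

    // Step 2: the servlet mapped to REDIRECT_URI receives ?code=...&state=... and redeems the code.
    static AuthenticationResult redeemCode(String code, String returnedState, String expectedState) throws Exception {
        if (!expectedState.equals(returnedState)) {
            throw new SecurityException("state mismatch: callback is not tied to our authorize request");
        }
        ExecutorService service = Executors.newFixedThreadPool(1);
        try {
            AuthenticationContext ctx = new AuthenticationContext(AUTHORITY_URL, true, service);
            // The same REDIRECT_URI must be presented again here, or AAD rejects the exchange.
            return ctx.acquireTokenByAuthorizationCode(code, REDIRECT_URI,
                    new ClientCredential(CLIENT_ID, CLIENT_SECRET), RESOURCE, null).get();
        } finally {
            service.shutdown();
        }
    }
}
```

The user's password never passes through the application in this flow; only the short-lived code does, and the state check ties the callback to the login the application itself started.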
  • In Azure AD I have only one redirect URI: https://localhost:9090/adal4jsample/secure/aad

    I'm using the same codebase shared as

    https://github.com/azure-samples/active-directory-java-webapp-openidconnect

    I just updated the web.xml with the tenant name, app id and secret key value according to my Azure AD application.

    Could you please suggest where exactly in the code I need to check for the redirect URI?

    • Marked as answer by uvsrajesh Thursday, September 5, 2019 12:42 PM
    Thursday, September 5, 2019 11:32 AM
  • It worked. Thanks.
    Thursday, September 5, 2019 12:43 PM