WebAuthenticationBroker does not display credential prompt in intranet scenarios

Question

Hi,

I have a win8 metro application that connects to ADFS for authentication. When I try to connect to ADFS in the intranet scenario, the WebAuthenticatioBroker fails with a HttpStatusCode: 401. In the logs, it states this: AuthHost blocked credential prompt for URL: <https://<adfsserver>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm&...>

However, it works fine when I connect from the internet, as ADFS displays a page for credentials input.

In the intranet scenario, WebAuthenticationBroker does not display credential prompt. Is there a way to enable this? or is this by design? 

Answer 1

Do you have intranet enabled as a capability?

Have you taken a Fiddler trace and compared the successful and failed cases?

---

Jeff Sanders (MSFT)

@jsandersrocks - Windows Store Developer Solutions @WSDevSol
Getting Started With Windows Azure Mobile Services development? Click here
Getting Started With Windows Phone or Store app development? Click here
My Team Blog: Windows Store & Phone Developer Solutions
My Blog: Http Client Protocol Issues (and other fun stuff I support)

Answer 2

Hi Jeff, 

Yes. Also, Fiddler trace does not really show any difference. In case of intranet, the navigation stops once it reaches the ADFS authentication popup redirect with a 401 Unauthorized error.  In the internet scenario, it continues to load the ADFS authentication page and the associated style sheets. All the previous requests and responses show no difference.

With this error: 'AuthHost blocked credential prompt for URL' being logged,  I was assuming that the WebAuthenticationBroker does not allow credential popups. If I use a WebView, the same works in intranet scenarios and the ADFS credential popup is displayed.

Thanks,

Nandini

Answer 3

I just came across this issue as well and can confirm that using a standard Windows 8 WebView handles an HTTP Auth dialog properly, but the WebAuthenticationBroker throws a "AuthHost blocked credential prompt for URL".

I have not been able to find any documentation that states whether or not the WebAuthenticationBroker supports this. Can somebody confirm whether or not there is a way to allow this in the WebAuthenticationBroker? This feels like the method that is recommended by MS, but it is currently preventing users from logging into our app.

Thanks,

Brian

Answer 4

I too have just come across this same issue and it is a really big problem. Third party toolkits like Auth0 are using the WebAuthenticationBroker to handle their authentication flows, however when there is a scenario where the identity provider (ADFS configured for integrated is a good example) throws a 401 to start the negotiate flow the WebAuthenticationBroker simply gives up. This breaks these third party auth libraries and makes it unreasonable to try to change over to using a WebView.  Can we please get an answer to how to get WebAuthenticationBroker to support this, or get it fixed if it is a bug.

Answer 5

Let me recommend this: try removing the Private Networks capability. The reason is explained in this blog post:

http://blogs.msdn.com/b/wsdevsol/archive/2015/02/27/problems-with-navigatetolocalstreamuri-and-intranet-links.aspx

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 6

The link provided is a solution for how to get WebView to navigate to intranet sites. As mentioned in a couple of responses on this thread they have gotten it to work with the WebView. The problem is specific to WebAuthenticationBroker.

That said I did try to remove that capability from my app's manifest and it still exhibits the same behavior.  The WebAuthenticationBroker shows the message "We can't connect to the service you need right now.  Check your network connection or try this again later."  When watching in fiddler this message comes up when the 401 is returned from the IDP to challenge for credentials.

Answer 7

Yes, I am aware that the blog post references WebView directly and not WAB, since I wrote it. WAB is a WebView under the hood that's been modified for this specific scenario. It's not impossible that zone elevation could be causing the same issue with intranet sites if you're hitting it using a domain name that is not fully qualified (I.E. does not have a dot in the name).

Two things for you:
1) Can you try using the IP address instead of the intranet name (what does it look like)?

2) The 401 - does it have a substatus code (401.2, 401.1, etc.)?

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.