[UWP] Contacting REST API with Windows Integrated Authentication works on developer machine but not on other machines

  • Question

  • I am working on a UWP application which will be run on Windows 10 laptops and tablets.  The environment it will be deployed in requires that all users log into their systems with a smart card (so no username/password).  I am using HttpClient to connect to a REST API which is configured for Windows Integrated authentication.  When I run on my development machine, either in VS or using the Release Build output, I can connect to the API with no issues.  However, when that Release Build output is installed on a different (non-developer) machine it is unable to connect to the server.  The IIS server returns an error with the message: "401 - Unauthorized: Access is denied due to invalid credentials." and the following entry appears in the IIS log:

       "2019-07-03 15:49:57 <Server> X.X.X.X GET /api/<GetMethod> - 80 - Y.Y.Y.Y - - myserver.com 401 2 5 31"

    In addition, the UWP manifest has the following capabilities assigned: Enterprise Authentication, Internet (client), Private Networks (Client & Server), and User Account Information.

    The relevant code snippet is:

    using (HttpClient client =
    	new HttpClient(new HttpClientHandler()
    	{
    		PreAuthenticate = true,
    		UseDefaultCredentials = true,
    		Credentials = CredentialCache.DefaultNetworkCredentials
    	}))
    {
    	client.BaseAddress = new Uri(RequestUri);
    	client.DefaultRequestHeaders
    		.Accept
    		.Add(new MediaTypeWithQualityHeaderValue("application/json"));
     
    	HttpResponseMessage response = null;

    	try
    	{
    		response = await client.GetAsync(RequestUri);
    	}

    ....

    Can anyone suggest what I am doing incorrectly in my request configuration?

    TIA

    Ron L


    • Edited by Ron L Wednesday, July 3, 2019 3:44 PM
    Wednesday, July 3, 2019 2:54 PM

Answers

  • I found what the problem is.  The site being contacted (URL of the API) using Windows Integrated Authentication MUST be added to the list of Intranet Sites in the user's Internet Options.  To get to this, open Internet Options from either the Control Panel or the browser, click on the Security tab, click on Local Intranet, click on the Sites button, click on the Advanced button, and enter the URL into the list.

    Ron L

    • Marked as answer by Ron L Tuesday, July 16, 2019 6:15 PM
    Tuesday, July 16, 2019 6:15 PM
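
The manual Internet Options step in the answer above corresponds to a per-user zone mapping in the registry. The following PowerShell script is an added example, not part of the original thread; it assumes the host `myserver.com` and the `http` scheme seen in the question's IIS log line, and only reports the current mapping unless run with `-Apply`.

```powershell
# Added example (not from the thread): report, and with -Apply set, the
# per-user Local intranet zone mapping that the accepted answer creates by hand.
param(
    [string]$Domain = 'myserver.com',  # assumed: host from the IIS log line in the question
    [string]$Scheme = 'http',          # assumed: the log shows port 80
    [switch]$Apply                     # report only unless -Apply is given
)

$userKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-MappedZone {
    # Zone number stored under the first matching value name, $null if unmapped.
    param([string]$Key, [string[]]$Names)
    if (-not (Test-Path -Path $Key)) { return $null }
    $props = Get-ItemProperty -Path $Key
    if ($null -eq $props) { return $null }
    foreach ($n in $Names) {
        if ($props.PSObject.Properties.Name -contains $n) { return [int]$props.$n }
    }
    return $null
}

# Group Policy ("Site to Zone Assignment List") stores URL -> zone pairs here.
$policyZone = Get-MappedZone -Key $policyKey -Names @("${Scheme}://$Domain", $Domain)
# The Internet Options dialog stores scheme -> zone under the domain's key.
$userZone   = Get-MappedZone -Key $userKey -Names @($Scheme, '*')

if ($null -ne $policyZone) {
    "Policy maps $Domain to zone $policyZone ($($zoneNames[$policyZone])); change it in Group Policy."
} elseif ($userZone -eq 1) {
    "${Scheme}://$Domain is already in the Local intranet zone for this user."
} elseif ($Apply) {
    # Map only this host and scheme; a wildcard would widen where credentials go.
    # New-Item -Force would reset an existing key, so create it only if missing.
    if (-not (Test-Path -Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    New-ItemProperty -Path $userKey -Name $Scheme -Value 1 -PropertyType DWord -Force | Out-Null
    "Added ${Scheme}://$Domain to the Local intranet zone for the current user."
} else {
    "${Scheme}://$Domain is not mapped to the Local intranet zone; re-run with -Apply to add it."
}
```

On domain-joined machines the same mapping is normally deployed centrally with the "Site to Zone Assignment List" Group Policy setting rather than per user.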

All replies

  • Hi,

    According to the document, "WA is not enabled by default because applications requesting the Enterprise Authentication or Shared User Certificates capabilities require a higher level of verification to be accepted into the Windows Store, and not all developers may wish to perform the higher level of verification." So have you enabled the Shared User Certificates capability?

    For more information, please refer to: Universal Windows Platform-specific considerations with MSAL.NET

    Best regards,

    Roy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, July 4, 2019 3:21 AM
    Moderator
  • Roy

    Thank you for your response.  Unfortunately, adding the "Shared User Certificates" capability did not change the behavior.  I have started looking into using MSAL, but the example here:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-acquire-token

    requires a "clientId" which is not specified.  Is this something that is received when an app is published through the App Store?  If so, is there a way to assign it in an enterprise situation?  We are looking at an application that, at least initially, will be only published within the enterprise.

    TIA


    Ron L


    • Edited by Ron L Monday, July 8, 2019 1:10 PM
    Monday, July 8, 2019 1:10 PM
  • Hi,

    Well, I haven't seen where you are adding the credentials. I'd suggest you check the Credentials in both the working scenario and the non-working scenario first. You could get the NetworkCredential object you are using in both scenarios from the HttpClientHandler. When you get them, you could check the domain, the username and the password to see if they are different.

    Best regards,

    Roy


    Wednesday, July 10, 2019 1:41 AM
    Moderator