
I have a C# console application that references the ADAL.NET library (Microsoft.IdentityModel.Clients.ActiveDirectory version 2.19.208020213).

The purpose of the console app is to consume an HTTP endpoint which is protected with ADFS.

The implementation of the ADFS auth is as follows:

using Microsoft.IdentityModel.Clients.ActiveDirectory;
// ClientResourceUri and ClientId are defined elsewhere in the app
var uc = new UserCredential("user", "password");
var ctx = new AuthenticationContext("https://sts.example.com/adfs", false); // validateAuthority: false for ADFS
var token = ctx.AcquireToken(ClientResourceUri, ClientId, uc);

The call to AcquireToken throws an exception:

This method overload is not supported by 'https://sts.example.com/adfs/'

Calling AcquireToken without the UserCredential object, and instead providing a redirectUri, works, but throws up a dialog prompting for username and password, which is unsuitable as the console app will be executed in a non-user environment.

var redirect = new Uri("https://example.com/arbitaryRedirect");
var token = ctx.AcquireToken(ClientResourceUri, ClientId, redirect);
//dialog is shown

If I switch to the latest alpha release of the ADAL.NET library (3.6.212041202-alpha) the error is more revealing:

MSIS9611: The authorization server does not support the requested 'grant_type'. The authorization server only supports 'authorization_code' or 'refresh_token' as the grant type.

However, mining Google yields very little.

Is it actually possible to authenticate silently against ADFS?

Would I be correct in assuming (based upon answers in other posts) that the correct approach is to use WsTrustChannelFactory instead?

If not, what is the best approach?

Baldy
    May I suggest enabling the debug log as per https://github.com/AzureAD/azure-activedirectory-library-for-dotnet ? If I were you, I'd also collect a Fiddler to see what the request sent to https://sts.example.com/adfs/oauth2/authorize endpoint was. That MSIS9611 is usually accompanied with MSIS9245. – maweeras Jan 13 '16 at 22:06

1 Answer


It is possible using ADAL 3.x and ADFS in Windows Server 2016, with pretty much the same code you posted. Combinations of older versions of either ADAL or ADFS won't work. Alternatively, you can use WS-Trust - which is significantly harder to handle, but can get the job done.

vibronet
  • Thanks Vittorio, I've been through quite a few of your blog posts over the last few days while trying to piece this together. I've got WsTrust authenticating and returning an RST via SOAP, now I just have to figure out if I can somehow convert that into a JWT (or any kind of token that will work with HTTP) and use it in a HTTP request to the API that's protected by ADFS. – Baldy Jan 14 '16 at 14:55
  • You should be able to get JWT directly via wstrust- the adfs docs should give some hints about it though I have never done it myself – vibronet Jan 14 '16 at 16:05
  • @Baldy: I'm facing the same challenge - I have to access a REST API which is protected by ADFS running on Windows Server 2012R2. Did you figure out a way to achieve this? – nyn3x Feb 02 '18 at 16:07
  • Is there documentation as to how to set up ADFS 2016 to allow the OP's request? I cannot for the life of me get this to work and think I do not have the right configuration settings on ADFS 2016. – JoeyD Apr 18 '18 at 20:30
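The two routes the answer names, as an added example that is not code from the question, the answer or the ADAL project. Route 1 is the ADAL 3.x password flow (the 3.x API is async and uses UserPasswordCredential), which the answer says only works against ADFS in Windows Server 2016; the MSIS9611 error in the question is what an older ADFS returns for it. Route 2 is WS-Trust 1.3 username/password issuance, asking ADFS for a JWT directly so the caller does not have to convert a SAML RST into something HTTP-friendly. Assumed here: the sts.example.com authority, that the /adfs/services/trust/13/usernamemixed endpoint is enabled, the ClientId and Resource values, the api.example.com URL, and that ADFS returns the JWT as a base64-encoded BinarySecurityToken. It needs Microsoft.IdentityModel.Clients.ActiveDirectory 3.x plus the .NET 4.5 System.IdentityModel and System.ServiceModel assemblies.

```csharp
// Added example, not from the question or answer above.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Net.Http;
using System.Net.Http.Headers;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

static class AdfsSilentAuth
{
    const string Authority = "https://sts.example.com/adfs";                        // assumed
    const string WsTrustEndpoint = Authority + "/services/trust/13/usernamemixed";  // assumed enabled
    const string ClientId = "00000000-0000-0000-0000-000000000000";                 // assumed: client registered on ADFS
    const string Resource = "https://api.example.com/";                             // assumed: RP identifier of the API

    // Route 1: ADAL 3.x password grant. Same shape as the question's code, but async
    // and with UserPasswordCredential. Only ADFS 2016+ accepts this grant type.
    public static async Task<string> GetTokenViaAdalAsync(string user, string password)
    {
        var ctx = new AuthenticationContext(Authority, validateAuthority: false); // ADFS is not a known AAD authority
        var cred = new UserPasswordCredential(user, password);
        try
        {
            AuthenticationResult result = await ctx.AcquireTokenAsync(Resource, ClientId, cred);
            return result.AccessToken;
        }
        catch (AdalServiceException ex)
        {
            // Older ADFS answers with MSIS9611 here; the caller can fall back to WS-Trust.
            throw new InvalidOperationException("ADFS rejected the password grant: " + ex.Message, ex);
        }
    }

    // Route 2: WS-Trust 1.3 over the username/password endpoint, requesting a bearer JWT
    // scoped to the API's RP identifier. Works on ADFS 2012 R2 as well.
    public static string GetTokenViaWsTrust(string user, string password)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(WsTrustEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(Resource),
            KeyType = KeyTypes.Bearer,
            TokenType = "urn:ietf:params:oauth:token-type:jwt"
        };

        var channel = factory.CreateChannel();
        var token = (GenericXmlSecurityToken)channel.Issue(rst);
        // Assumption: ADFS wraps the JWT in a base64-encoded wsse:BinarySecurityToken,
        // so the compact JWT is the decoded element text.
        return Encoding.UTF8.GetString(Convert.FromBase64String(token.TokenXml.InnerText));
    }

    // Either token is used the same way: as an OAuth2 bearer token on the API call.
    public static async Task<string> CallApiAsync(string bearerToken)
    {
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);
            var response = await http.GetAsync(Resource + "values"); // assumed API path
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }

    static void Main()
    {
        // Service-account credentials: read from a protected store, never hard-code them.
        string user = Environment.GetEnvironmentVariable("ADFS_USER");
        string password = Environment.GetEnvironmentVariable("ADFS_PASSWORD");
        string jwt;
        try { jwt = GetTokenViaAdalAsync(user, password).GetAwaiter().GetResult(); }
        catch (InvalidOperationException) { jwt = GetTokenViaWsTrust(user, password); }
        Console.WriteLine(CallApiAsync(jwt).GetAwaiter().GetResult());
    }
}
```

Both routes send the account's password to the STS, so treat the credentials as a secret of the service account and run the app under an identity that only has the rights that the API's relying party trust actually grants. Whichever route is used, the RP on ADFS still has to be configured with an identifier matching the Resource value, or the STS will refuse to issue for that AppliesTo.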