Skip to content
This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

AcquireTokenSilentAsync using Integrated authentication on Windows (Kerberos)

Bogdan Gavril edited this page Jan 24, 2019 · 16 revisions

Integrated Windows Authentication

If your desktop or mobile application runs on Windows, and on a machine connected to a Windows domain - AD or AAD joined - it is possible to use the Integrated Windows Authentication (IWA) to acquire a token silently. No UI is required when using the application.

Constraints

  • IWA is for apps written for .NET Framework and UWP platforms
  • IWA does NOT bypass MFA (multi factor authentication). If MFA is configured, IWA might fail if an MFA challenge is required, because MFA requires user interaction.

This method relies on an a protocol exposed by Active Directory (AD). If a user was created in Azure Active Directory without AD backing ("managed" user), this method will fail. Users created in AD and backed by AAD ("federated" users) can benefit from this non-interactive method of authentication.

Code

The code is really simple. You need to instantiate a UserCredential, and use the corresponding override of AcquireTokenAsync:

result = await context.AcquireTokenAsync(resource, clientId, new UserCredential());

Note that, sometimes, policies set by the administrators on machines do not enable the logged-in user to be looked-up. In that case you should use the constructor of ``UserCredential` passing the upn of the user as a parameter, instead of the default, parameterless constructor. This is also the case of users that are "Work And School" joined.

result = await context.AcquireTokenAsync(resource, clientId,
                                         new UserCredential("[email protected]"));

image

Note that this method is not available as part of the AuthenticationContext class, but as an AcquireTokenAsync extension method of the AuthenticationContextIntegratedAuthExtensions class. This extension method takes as a parameter, in addition to the resource and clientId of the public client application, an instance of UserCredential.

Samples illustrating the windows integrated authentication

Sample Description
active-directory-dotnet-native-headless A windows desktop program that demonstrates non-interactive authentication to Azure AD using a username & password and optionaly windows integrated authentication.
Clone this wiki locally