
c# - AAD - AcquireToken screen blocked because Windows Server ESC

Problem description:

I use the AcquireTokenAsync method as follows (usings added so the snippet compiles on its own; the azureActiveDirectory* values are configuration strings):

using System;
using System.Diagnostics;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// ADAL v3 interactive sign-in; the PlatformParameters force a prompt and parent
// the sign-in dialog to this process's main window.
var authenticationContext = new AuthenticationContext(azureActiveDirectoryAuthority);
var authenticationResult = await authenticationContext.AcquireTokenAsync(
    azureActiveDirectoryResource,
    azureActiveDirectoryClientId,
    new Uri("urn:ietf:wg:oauth:2.0:oob"),
    new PlatformParameters(
        PromptBehavior.Always,
        Process.GetCurrentProcess().MainWindowHandle));

It works fine on Windows10.

When I run the application on Windows Server, which has Enhanced Security Configuration (ESC) enabled, it turns out that the prompt window where the user enters their credentials to authenticate with Azure AD is blocked, because the URLs

https://login.microsoftonline.com

https://secure.aadcdn.microsoftonline-p.com

are not in the default trusted sites of the Internet Explorer security configuration.

(Screenshot: the pop-up window being blocked by the IE security settings.)

I can change this configuration manually or programmatically (by editing the registry, for example), but this code is part of an installation that runs on the customer's server, so I can't change these security settings that easily.

Is there any solution to use this authentication for AzureAD within Windows Server using ESC, without getting blocked within IE?

Is there some other API that doesn't use the IE browser, or some way to use another browser (like Chrome, which doesn't block these sites)?

Thanks,

Niv

Answer:

"I can change this configuration manually or programmatically (by editing the registry, for example), but this code is part of an installation that runs on the customer's server, so I can't change these security settings that easily."

Instead of disabling Windows Server ESC, adding Microsoft's sites to the trusted URLs is recommended. We can also do this from code; here is a code sample using PowerShell for your reference:

# The variables and the two helper functions below come from the full script linked
# under the snippet; they are reconstructed here (assumed shapes) so it runs on its own.
$UserRegPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedSites = @('login.microsoftonline.com', 'secure.aadcdn.microsoftonline-p.com')
$HTTP  = $false   # $true registers the http scheme, $false registers https
$DWord = 2        # zone id 2 = Trusted sites

Function CreateKeyReg($KeyPath, $Name)
{
    # Create the per-domain key under ZoneMap if it does not exist yet
    If (-not (Test-Path "$KeyPath\$Name")) { New-Item -Path $KeyPath -Name $Name -Force | Out-Null }
}

Function SetRegValue($RegPath, $blnHTTP, $DWord)
{
    # The value name is the scheme; the DWORD data is the zone id
    $ValueName = If ($blnHTTP) { 'http' } Else { 'https' }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $DWord -Type DWord
}

If($TrustedSites) 
{ 
    #Adding trusted sites in the registry 
    Foreach($TruestedSite in $TrustedSites) 
    { 
        #If the user does not specify the user type, by default the script will add the trusted sites for the current user. 
        If($HTTP) 
        { 
            CreateKeyReg -KeyPath $UserRegPath -Name $TruestedSite  
            SetRegValue -RegPath "$UserRegPath\$TruestedSite" -blnHTTP $true -DWord $DWord 
            Write-Host "Successfully added '$TruestedSite' domain to Internet Explorer trusted Sites." 
        } 
        Else 
        { 
            CreateKeyReg -KeyPath $UserRegPath -Name $TruestedSite  
            SetRegValue -RegPath "$UserRegPath\$TruestedSite" -blnHTTP $false -DWord $DWord 
            Write-Host "Successfully added '$TruestedSite' domain to Internet Explorer trusted Sites." 
        } 
    } 
}

You can refer to the full code sample from here.

NOTE:

The script above doesn't work on Windows Server 2016; we need to change $UserRegPath from HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains to HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains.

"Is there any solution to use this authentication for AzureAD within Windows Server using ESC, without getting blocked within IE? Is there some other API that doesn't use the IE browser, or some way to use another browser (like Chrome, which doesn't block these sites)?"

No, there is no such API. By default, the ADAL library for .NET uses the WebBrowser control to interact with users (refer to the source code here).
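The answer's snippet and its NOTE together describe one procedure: write a ZoneMap registry entry for each Azure AD sign-in host, and use the EscDomains branch where Enhanced Security Configuration is in force. The script below is an added example (not the answer's code and not the TechNet script it links) that carries that procedure through for the two hosts named in the question: it stores each host in the documented ZoneMap\Domains\<domain>\<subdomain> layout (the same layout the IE "Site to Zone Assignment" policy uses; assumed here rather than taken from the page), writes to EscDomains as well when ESC is detected via the standard IE ESC Active Setup component ids, and reads every assignment back so the installer can fail loudly instead of leaving the user with a blocked sign-in window. Function names and the zone id constant are this example's own choices.

```powershell
# Added example: narrow IE ESC exception for the Azure AD sign-in hosts from the question.
# Scope: current user only (HKCU), i.e. the account under which the ADAL app will run.
$ZoneMapRoot      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$TrustedSitesZone = 2     # IE zone id for "Trusted sites"

function Test-IeEscEnabled {
    # ESC is on when the IE ESC Active Setup component for admins or users reports IsInstalled=1.
    $ids = @('{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}',   # Administrators
             '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}')   # Users
    foreach ($id in $ids) {
        $key  = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$id"
        $item = Get-ItemProperty -Path $key -Name IsInstalled -ErrorAction SilentlyContinue
        if ($item -and $item.IsInstalled -eq 1) { return $true }
    }
    return $false
}

function Split-HostName {
    # 'secure.aadcdn.microsoftonline-p.com' -> Domain 'microsoftonline-p.com', Sub 'secure.aadcdn'
    # IE keeps zone assignments as ZoneMap\<branch>\<domain>\<subdomain>.
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { throw "Not a qualified host name: $HostName" }
    $domain = ($labels[-2..-1]) -join '.'
    $sub    = if ($labels.Count -gt 2) { ($labels[0..($labels.Count - 3)]) -join '.' } else { $null }
    [pscustomobject]@{ Domain = $domain; Sub = $sub }
}

function Get-ZoneMapKeyPath {
    param([string]$Branch, [string]$HostName)
    $parts = Split-HostName -HostName $HostName
    $path  = Join-Path $ZoneMapRoot "$Branch\$($parts.Domain)"
    if ($parts.Sub) { $path = Join-Path $path $parts.Sub }
    return $path
}

function Add-IeTrustedSite {
    # Writes <scheme> = <zone> (DWORD) under Domains and, with ESC on, also under EscDomains.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateSet('http','https')][string]$Scheme = 'https',
        [int]$Zone = $TrustedSitesZone
    )
    $branches = @('Domains')
    if (Test-IeEscEnabled) { $branches += 'EscDomains' }
    foreach ($branch in $branches) {
        $path = Get-ZoneMapKeyPath -Branch $branch -HostName $HostName
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
    }
    return $branches
}

function Test-IeTrustedSite {
    # Verification: read the assignment back rather than trusting that the write succeeded.
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https', [string]$Branch = 'Domains')
    $path = Get-ZoneMapKeyPath -Branch $Branch -HostName $HostName
    $item = Get-ItemProperty -Path $path -Name $Scheme -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Scheme -eq $TrustedSitesZone)
}

# The two hosts the question reports as blocked by ESC.
$AadHosts = @('login.microsoftonline.com', 'secure.aadcdn.microsoftonline-p.com')
$failed = 0
foreach ($h in $AadHosts) {
    $written = Add-IeTrustedSite -HostName $h
    foreach ($b in $written) {
        $ok = Test-IeTrustedSite -HostName $h -Branch $b
        if (-not $ok) { $failed++ }
        Write-Host ("{0,-40} {1,-11} {2}" -f $h, $b, $(if ($ok) { 'trusted' } else { 'NOT SET' }))
    }
}
if ($failed) { throw "$failed zone assignment(s) could not be verified" }
```

Run it as the user who will launch the ADAL application, since the ZoneMap lives under HKCU; an installer that runs elevated as a different account would trust the hosts for the wrong profile. Adding only these two hosts to the Trusted Sites zone keeps the rest of the ESC lockdown intact, which is the point of the answer's advice not to disable ESC outright.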
