Skip to content

Known issues

Bogdan Gavril edited this page Nov 30, 2020 · 18 revisions

MSAL throws a few types of exceptions, please see here.

Confidential Client

Please read the guide on High Availability

System.Security.Cryptography.CryptographicException: A device attached to the system is not functioning.

When running in a tight loop, the crypto API sometimes throws the exception above. The root cause seems to be Windows API and affects all .NET versions, although higher .NET versions (4.6+) seem to encounter this more. We are working on finding a workaround. The issue is mostly seen in Client Credential flow.

Public Client

Device Compliance failures on Windows 10

Users are unable to login interactively and a "Device is not compliant" error is shown when:

  • the tenant admin has enabled the "Require device to be marked as compliant" Conditional Access policy
  • the app is invoking public client flows (i.e. rich client apps, not web sites)
  • the app is using the embedded browser control available in ADAL or MSAL (this is the default for .NET Framework apps)

Mitigation

  • configure MSAL to use the system (default OS) browser (details here). Both Chrome and Microsoft Edge browsers are able to satisfy the device policy.
  • if using ADAL, migrate to MSAL first. There is no mitigation for ADAL use.

Long term fixes

  • MSAL library will use a more capable embedded browser control, which is based on Microsoft Edge, once this is publicly available. Tracking issue. Applications will need to package the browser runtime (details here)
  • MSAL will offer integration with Windows Authentication Manager, for an authentication experience that is more aligned with Windows 10's vision. This also satisfies the conditional access policies. More details and tracking issues here

Android

On Android, an AndroidActivityNotFound exception is thrown when the device does not have a browser with tabs https://docs.microsoft.com/en-gb/azure/active-directory/develop/msal-net-system-browser-android-considerations#known-issues

iOS

Please see: https://docs.microsoft.com/en-gb/azure/active-directory/develop/msal-net-xamarin-ios-considerations#known-issues-with-ios-12-and-authentication

UWP

Most issues on UWP occur due to network problems, such as proxies that block the traffic etc. Integrated Windows Auth may also be blocked by admins. For more details see:

https://docs.microsoft.com/en-gb/azure/active-directory/develop/msal-net-uwp-considerations#troubleshooting

Desktop

On a Desktop app, a StateMismatchError exception is thrown when the using a long Facebook ID (via B2C) in conjunction with the embedded browser. For more details, please refer: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/StateMismatchError

Build issues

Behaviour: an error similar to Microsoft.Windows.SDK.Contracts.targets(4,5): error : Must use PackageReference is thrown

Starting with version 4.23, MSAL references Microsoft.Windows.SDK.Contracts. NuGet can only resolve this reference if the application consuming MSAL references it as <PackageReference> and not via the legacy packages.config mechanism. See #2247 for details on how to fix this.

Getting started with MSAL.NET

Acquiring tokens

Desktop/Mobile apps

Web Apps / Web APIs / daemon apps

Advanced topics

News

FAQ

Other resources

Clone this wiki locally