Azure的AD AcquireToken不与应用程序密码工作 [英] Azure AD AcquireToken does not work with app password
问题描述
我想验证使用.NET库ADAL Azure中AD用户的密码。
这对于没有MFA普通用户帐户工作正常,但我遇到了问题,这样做对谁已经MFA激活用户。
I'm trying to verify a user's password in Azure AD using the .NET ADAL library. This works fine for a regular user account without MFA, but I ran into problems doing this for a user who has MFA activated.
在使用用户的实际密码,我得到了 AADSTS50076:需要申请密码
,这是很公平,但是当我再创建一个新的应用程序密码,我收到错误 AADSTS70002:错误验证凭据。 AADSTS50020:无效的用户名或密码
。我创建了多个应用程序的密码,但他们都没有工作。
When using the user's actual password, I got AADSTS50076: Application password is required.
, which is fair enough, but when I then created a new app password, I received the error AADSTS70002: Error validating credentials. AADSTS50020: Invalid username or password
. I've created multiple app passwords but they all do not work.
用于尝试验证的code是如下:
The code used to attempt authentication is as follows:
var ac = new AuthenticationContext("https://login.windows.net/my-tenant.com");
var authResult = ac.AcquireToken("https://graph.windows.net", "my-client-id", new UserCredential("my.account@my-tenant.com", "my-password"));
这是试图进行身份验证的用户是全球管理员在本适航指令。
The user that is trying to authenticate is a Global Admin in this AD.
它甚至有可能为有MFA?
Is it even possible to do authentication like this for a user with MFA?
推荐答案
因此,要回答我的问题有点,我使出执行以下操作(清理为了简洁):
So, to answer my own question somewhat, I resorted to doing the following (cleaned up for brevity):
public class AzureAdAuthenticationProvider
{
private const string AppPasswordRequiredErrorCode = "50076";
private const string AuthorityFormatString = "https://login.windows.net/{0}";
private const string GraphResource = "https://graph.windows.net";
private AuthenticationContext _authContext;
private string _clientId;
public AzureAdAuthenticationProvider()
{
var tenantId = "..."; // Get from configuration
_authContext = new AuthenticationContext(string.Format(AuthorityFormatString, tenantId));
}
public bool Authenticate(string user, string pass)
{
try
{
_authContext.AcquireToken(GraphResource, _clientId, new UserCredential(user, pass));
return true;
}
catch (AdalServiceException ase)
{
return ase.ServiceErrorCodes.All(sec => sec == AppPasswordRequiredErrorCode);
}
catch (Exception)
{
return false; // Probably needs proper handling
}
}
}
这不是pretty,但它的工作。
It's not pretty, but it does the job.
通过使用服务错误codes.All()
,我保证,只有当出现一个错误AppPasswordRequired,认证成功。
By using ServiceErrorCodes.All()
, I ensure that only when a single AppPasswordRequired error occurs, authentication has succeeded.
这种方法唯一的缺点,就是启用了MFA用户必须使用自己的实际帐号密码登录。使用一个应用程序的密码似乎并没有得到支持。
The only disadvantage to this method, is that a user with MFA enabled has to use their actual account password to login. Using an app password does not seem to be supported.
这篇关于Azure的AD AcquireToken不与应用程序密码工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!