Brokered authentication in iOS 13 not working

[mfeatherSTAR]

I'm using ADAL.Net v5.2.2
I'm using Microsoft Authenticator app v6.4.6

Opens up Authenticator app fine but as soon as I pick my account it bombs out with Something Went Wrong error message and doesn't return anything to my iPhone app ?

Any assistance or advice on this matter would be appreciated (I've also tried ADAL 5.2.7)

[bgavrilMS]

Hi @mfeatherSTAR - Apple introduced some changes in iOS 13 that broke our integration with Authentication. I believe we've captured all this with #1642 and some other changes.

Can we get some logs please to investigate further, using the latest ADAL ?
Also, please consider moving to MSAL. ADAL is now deprecated and we will only fix critical issues (although I would think this qualifies).

[mfeatherSTAR]

Hi Bogdan, Thanks for your response. To confirm I have tried ADAL 5.2.2, ADAL 5.2.7 and MSAL 4.13.0 all with the same result. It opens Authenticator then when I select the Azure AD account I get the “Something went wrong..” message as attached. Here is the ADAL log using 5.2.7: 2020-05-20 15:54:10.443 StarMobile_IOS[461:28727] 2020-05-20T22:54:10.4430000Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: ADAL PCL.iOS with assembly version '5.2.7.0', file version '5.2.7.0' and informational version '5.2.7' is running... 2020-05-20 15:54:10.443 StarMobile_IOS[461:28727] Information 2020-05-20T22:54:10.4433170Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: ADAL PCL.iOS with assembly version '5.2.7.0', file version '5.2.7.0' and informational version '5.2.7' is running... 2020-05-20 15:54:10.445 StarMobile_IOS[461:28727] 2020-05-20T22:54:10.4454920Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: === Token Acquisition started: CacheType: Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache (0 items) Authentication Target: User , Authority Host: login.microsoftonline.com 2020-05-20 15:54:10.445 StarMobile_IOS[461:28727] Information 2020-05-20T22:54:10.4457780Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: === Token Acquisition started: CacheType: Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache (0 items) Authentication Target: User , Authority Host: login.microsoftonline.com Thread started: #3 Thread started: #4 Thread started: <Thread Pool> #5 Thread started: <Thread Pool> #6 Thread started: <Thread Pool> #7 Thread started: <Thread Pool> #8 2020-05-20 15:54:11.304 StarMobile_IOS[461:28920] 2020-05-20T22:54:11.3048380Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: Either a token was not found or an exception was thrown. 2020-05-20 15:54:11.305 StarMobile_IOS[461:28920] Verbose 2020-05-20T22:54:11.3050040Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: Either a token was not found or an exception was thrown. 2020-05-20 15:54:11.309 StarMobile_IOS[461:28727] 2020-05-20T22:54:11.3089810Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: iOS Broker (msauthv3://) can be invoked. 2020-05-20 15:54:11.309 StarMobile_IOS[461:28727] Information 2020-05-20T22:54:11.3090330Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: iOS Broker (msauthv3://) can be invoked. 2020-05-20 15:54:11.309 StarMobile_IOS[461:28920] 2020-05-20T22:54:11.3091700Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: Trying to acquire a token using the broker... 2020-05-20 15:54:11.309 StarMobile_IOS[461:28920] Verbose 2020-05-20T22:54:11.3092410Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: Trying to acquire a token using the broker... 2020-05-20 15:54:11.328 StarMobile_IOS[461:28920] 2020-05-20T22:54:11.3281220Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: The SecStatusCode from trying to get the broker application token is: SecStatusCode: ItemNotFound 2020-05-20 15:54:11.328 StarMobile_IOS[461:28920] Information 2020-05-20T22:54:11.3281970Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: The SecStatusCode from trying to get the broker application token is: SecStatusCode: ItemNotFound 2020-05-20 15:54:11.328 StarMobile_IOS[461:28920] 2020-05-20T22:54:11.3282700Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: Invoking the iOS broker. 2020-05-20 15:54:11.328 StarMobile_IOS[461:28920] Information 2020-05-20T22:54:11.3283060Z: 8d1c6a4f-9a05-45d0-b77e-ea81f2ef6d1f - AdalLoggerBase.cs: Invoking the iOS broker. 2020-05-20 15:54:12.282 StarMobile_IOS[461:28727] Can't end BackgroundTask: no background task exists with identifier 2 (0x2), or it may have already been ended. Break in UIApplicationEndBackgroundTaskError() to debug. I did send the logs to Microsoft and got the Incident ID#: QWMUEB6U Thanks for your help, Mark From: Bogdan Gavril <notifications@github.com> Sent: Wednesday, May 13, 2020 9:19 AM To: AzureAD/azure-activedirectory-library-for-dotnet <azure-activedirectory-library-for-dotnet@noreply.github.com> Cc: mfeatherSTAR <mfeather@starplc.com>; Mention <mention@noreply.github.com> Subject: Re: [AzureAD/azure-activedirectory-library-for-dotnet] Brokered authentication in iOS 13 not working (#1703) Hi @mfeatherSTAR<https://github.com/mfeatherSTAR> - Apple introduced some changes in iOS 13 that broke our integration with Authentication. I believe we've captured all this with #1642<#1642> and some other changes. Can we get some logs please to investigate further, using the latest ADAL ? Also, please consider moving to MSAL<https://github.com/AzureAD/microsoft-authentication-library-for-dotnet>. ADAL is now deprecated and we will only fix critical issues (although I would think this qualifies). — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#1703 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKE55TDL6WKOZLFSHET2ZR3RRLCAXANCNFSM4MZYKXAA>. Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website.

[henrik-me]

@mfeatherSTAR : Is this only an issue on iOS13? Did it use to work?
Apple has been sending out hotfixes to iOS13 for issues which impacted brokered scenarios, did you validate ensuring you are using the very latest iOS13 updates from Apple?

Thanks for providing the incident id. We will look at the logs.

[mfeatherSTAR]

Using iOS 13.3.1. I can jump to 13.5 tonight. I’ve not tried it on anything other than iOS13 as it’s new InTune functionality that I’m trying to add. Parts of it work fine, its just this brokered auth bit that hangs. I do have the required InTune functionality working in the Android app using the same Azure setup. From: henrikm <notifications@github.com> Sent: Wednesday, May 27, 2020 3:33 PM To: AzureAD/azure-activedirectory-library-for-dotnet <azure-activedirectory-library-for-dotnet@noreply.github.com> Cc: Mark Feather <Mark.Feather@iris.co.uk>; Mention <mention@noreply.github.com> Subject: Re: [AzureAD/azure-activedirectory-library-for-dotnet] Brokered authentication in iOS 13 not working (#1703) @mfeatherSTAR<https://github.com/mfeatherSTAR> : Is this only an issue on iOS13? Did it use to work? Apple has been sending out hotfixes to iOS13 for issues which impacted brokered scenarios, did you validate ensuring you are using the very latest iOS13 updates from Apple? Thanks for providing the incident id. We will look at the logs. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#1703 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKE55TEO5NSDNA4T3C33FELRTWIKFANCNFSM4MZYKXAA>. Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website.

[henrik-me]

@mfeatherSTAR : Thanks, from what I know the 13.5 is required to rule out iOS 13 OS issues.

[henrik-me]

@mfeatherSTAR : unfortunately the logs doesn't really say anything else, thus if updating to 13.5 doesn't solve the issue we would need a repro to be able to dig further.

It will help if you retry using the latest MSAL and ensure you follow all the steps as described in:
MSAL iOS Broker steps

If after updating iOS, following the 7 steps (pay special attention to the entitlements), redirect uri things still doesn't work, please provide the entire detailed MSAL log, the entitlements file as well as the plist.info (will provide an email address should that be needed)

[mfeatherSTAR]

Ok. So I’ve upgraded to iOS 13.5 and still have an issue trying to use ADAL libraries. I have had some success using the MSAL libraries though ! Brokered authentication is now working with MSAL but I really need the official answer from Microsoft on ADAL. From my experimenting it seems the Authenticator crash is caused by an invalid redirectURI, or one that doesn’t match info.plist settings. I can recreate the exact same crash “Something went wrong” using MSAL if I pass the wrong redirectURI. In ADAL my info plist is as follows: <key>CFBundleURLTypes</key> <array> <dict> <key>CFBundleTypeRole</key> <string>Editor</string> <key>CFBundleURLName</key> <string>bundle-id</string> <key>CFBundleURLSchemes</key> <array> <string>schema</string> </array> </dict> </array> <key>LSApplicationQueriesSchemes</key> <array> <string>msauth</string> </array> I try and acquiretoken using redirectURI = “schema://bundle-id” and get the “Something went wrong” message in Authenticator before I’m even prompted for a password or anything is checked in Azure. I’d like the official answer on whether this is possible: InTune integration with Conditional Access Policies, thereby requiring Brokered Authentication…..using latest ADAL library ? As I said things are looking better with MSAL but it’s a leap we weren’t ready to take and there’s lots more to change in our app before we can release with MSAL. It would save a lot of (already wasted) time if we can stick with ADAL. From: henrikm <notifications@github.com> Sent: Wednesday, May 27, 2020 8:59 PM To: AzureAD/azure-activedirectory-library-for-dotnet <azure-activedirectory-library-for-dotnet@noreply.github.com> Cc: Mark Feather <Mark.Feather@iris.co.uk>; Mention <mention@noreply.github.com> Subject: Re: [AzureAD/azure-activedirectory-library-for-dotnet] Brokered authentication in iOS 13 not working (#1703) @mfeatherSTAR<https://github.com/mfeatherSTAR> : unfortunately the logs doesn't really say anything else, thus if updating to 13.5 doesn't solve the issue we would need a repro to be able to dig further. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#1703 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKE55TBJGJR7ILU3QQ4S5YTRTXOR5ANCNFSM4MZYKXAA>. Please visit our website for Coronavirus updates. Please consider the environment before printing this email. This email and any attachment are intended only for the use of the individual or entity to which it is directed and may contain information which is confidential. Access, copying or re-use of information in or attached to this email by anyone else other than the intended recipient is strictly prohibited. If you have received this communication and you are not the intended recipient or the employee or agent responsible for delivering this email to the intended recipient, please inform IRIS on telephone number 0344 815 5500 and then delete this email and any attachments from your system. IRIS makes no representation or warranty as to the absence of viruses in this email or any attachments and we may monitor emails sent to and from our server. Any views or opinions presented in this email or attachment are solely those of the author and do not necessarily represent those of IRIS Software Group Limited, its parent, associates, subsidiaries or affiliates, unless otherwise expressly indicated. IRIS Software Group Limited is a Company registered in England and Wales under number 6295385 at Heathrow Approach 470 London Road Slough SL3 8QY

[bgavrilMS]

With regards to I’d like the official answer on whether this is possible: InTune integration with Conditional Access Policies, thereby requiring Brokered Authentication…..using latest ADAL library ? - I can confirm that you can use MSAL. Where are these docs please, I will try to get them changed.

We do however have quite a few folks who have integrated with ADAL as well and its working for them, hence the thought that a configuration is wrong - ussually the bundle id or the keychain setting.

[mfeatherSTAR]

Thanks for your reply. To confirm, my statement was a question not an extract from any docs. Sounds like you have folks that have integrated with ADAL and I need to do the same. MSAL (although working for me) is not a feasible option right now so I’d really like assistance getting this to work through ADAL. Let me know what further info you require and how I can progress this urgently ? My keychain settings for ADAL are exactly the same as I have for the working MSAL version. From: Bogdan Gavril <notifications@github.com> Sent: Thursday, June 4, 2020 1:24 AM To: AzureAD/azure-activedirectory-library-for-dotnet <azure-activedirectory-library-for-dotnet@noreply.github.com> Cc: Mark Feather <Mark.Feather@iris.co.uk>; Mention <mention@noreply.github.com> Subject: Re: [AzureAD/azure-activedirectory-library-for-dotnet] Brokered authentication in iOS 13 not working (#1703) With regards to I’d like the official answer on whether this is possible: InTune integration with Conditional Access Policies, thereby requiring Brokered Authentication…..using latest ADAL library ? - I can confirm that you can use MSAL. Where are these docs please, I will try to get them changed. We do however have quite a few folks who have integrated with ADAL as well and its working for them, hence the thought that a configuration is wrong - ussually the bundle id or the keychain setting.

[bgavrilMS]

@mfeatherSTAR - I sent you a package for you to try out with via email, please let me know if you received it.

[mfeatherSTAR]

Thanks Bogdan. Nothing received yet ? From: Bogdan Gavril <notifications@github.com> Sent: Tuesday, June 16, 2020 7:53 AM To: AzureAD/azure-activedirectory-library-for-dotnet <azure-activedirectory-library-for-dotnet@noreply.github.com> Cc: Mark Feather <Mark.Feather@iris.co.uk>; Mention <mention@noreply.github.com> Subject: Re: [AzureAD/azure-activedirectory-library-for-dotnet] Brokered authentication in iOS 13 not working (#1703) @mfeatherSTAR<https://github.com/mfeatherSTAR> - I sent you a package for you to try out with via email, please let me know if you received it. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#1703 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKE55TB5JJ4EQOBELWB5IMDRW6BLFANCNFSM4MZYKXAA>. Please visit our website for Coronavirus updates. Please consider the environment before printing this email. This email and any attachment are intended only for the use of the individual or entity to which it is directed and may contain information which is confidential. Access, copying or re-use of information in or attached to this email by anyone else other than the intended recipient is strictly prohibited. If you have received this communication and you are not the intended recipient or the employee or agent responsible for delivering this email to the intended recipient, please inform IRIS on telephone number 0344 815 5500 and then delete this email and any attachments from your system. IRIS makes no representation or warranty as to the absence of viruses in this email or any attachments and we may monitor emails sent to and from our server. Any views or opinions presented in this email or attachment are solely those of the author and do not necessarily represent those of IRIS Software Group Limited, its parent, associates, subsidiaries or affiliates, unless otherwise expressly indicated. IRIS Software Group Limited is a Company registered in England and Wales under number 6295385 at Heathrow Approach 470 London Road Slough SL3 8QY

[bgavrilMS]

@mfeatherSTAR - apologies for getting our comm channels mixed up. Could you send me an email at bogavril @t microsoft com and I'll follow up with the package? GitHub does not allow me to upload nuget packages.

[mfeatherSTAR]

Thanks. Package received. Still not working. I've added output from my Pii enabled ADAL logs to the file share I was provided via Microsoft support.

[henrik-me]

@bgavrilMS @trwalke to follow up on the logs.

Our documentation to get brokered authentication to work is here:
https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Brokered-Auth-on-iOS-13
https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS#brokered-authentication-for-ios

We highly recommend that you use MSAL.

[bgavrilMS]

I did follow up on the logs, and I wasn't able to find any problems ADAL side. I read the authenticator logs and there may be a problem there, but I don't have expertise in that. We typically need an incident (iCM) to transfer tickets from one team to another, since all engineers are very busy during these times and they need to prioritize.

Given that we prioritize MSAL issues over ADAL issues generally, and that using MSAL works, we highly recommend you moving to MSAL.

[mfeatherSTAR]

In case it helps anyone else this enabled me to get past the "Something Went Wrong" message:

Make sure that your Redirect URI and application's bundle id is all in lower case.

Thank you @bgavrilMS , @henrik-me

[henrik-me]

@mfeatherSTAR, glad that you got this working, and thanks for updating the issue with your finding.

[bgavrilMS]

Yeah, that's a wierd bug which we fixed in MSAL.

redirect uri is based on bundle id. But URIs in .net are lowercased, while the Authenticator expects case sensitivity to be preserved.

the difficulty is that the Authenticator logs do not make it clear what goes wrong, so this problem is difficult to trace.