Device Auth incorrectly attempted on .NET classic
bgavrilMS opened this issue · 0 comments
ADAL 5.2.9
Affected App experience:
Auth fails with an exception related to CNG certs:
```
ADAL: Warning, 2021-03-30T06:08:48.1803263Z: 08e9ce4f-2881-4431-8946-85832f2d2cbb - AdalLoggerBase.cs: A service exception occurred
ADAL: Information, 2021-03-30T06:08:48.2243221Z: 08e9ce4f-2881-4431-8946-85832f2d2cbb - AdalLoggerBase.cs: IsDeviceCode? True
ADAL: Error, 2021-03-30T06:08:48.5793169Z: 08e9ce4f-2881-4431-8946-85832f2d2cbb - AdalLoggerBase.cs: Exception type: System.Security.Cryptography.CryptographicException
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Native.X509Native.AcquireCngPrivateKey(SafeCertContextHandle certificateContext)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.SigningHelper.GetCngPrivateKey(X509Certificate2 certificate)
```
Solution
Move to MSAL, where we have fixed this! https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
Workaround:
Add an app manifest and declare that your app can run on Windows 10 and other OSes. See this SO issue for details.
You'll know it works if `Environment.OSVersion` is `Microsoft Windows NT 10.0.19042.0` and not `Microsoft Windows NT 6.2.9200.0`:

```csharp
string s = Environment.OSVersion.ToString();
```
Internal mechanics:

On win10...

- ADAL always sends "I can do PKCE" (bad design, but in there since forever)
- ADAL also incorrectly sends `x-client-os: Microsoft Windows NT 6.2.9200.0`
- ESTS decides that it can ask ADAL for PKeyAuth challenge
- exception occurs.
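The workaround above says to add an app manifest that declares Windows 10 support. The fragment below is an added example of such an `app.manifest` for a .NET Framework desktop app; it is not from this issue or from the ADAL repository. The `supportedOS` Ids are the Windows compatibility GUIDs documented by Microsoft for the `compatibility` manifest section; the `assemblyIdentity` name is a placeholder. Without a `supportedOS` entry for Windows 10, the OS reports itself to the process as Windows 8 (`6.2.9200`), which is the value ADAL then puts in `x-client-os`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- app.manifest (added example). Declaring the supported OS versions makes
     Environment.OSVersion report the real Windows 10 version (10.0.x) instead
     of the compatibility default 6.2.9200 (Windows 8), so ADAL no longer sends
     the Windows 8 x-client-os header that leads to the PKeyAuth challenge. -->
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
  <!-- placeholder identity; use your own application's name -->
  <assemblyIdentity version="1.0.0.0" name="MyApp.app" />
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <!-- Windows 10 and Windows 11 share this supportedOS Id; this is the entry
           that fixes the OS version reported to ADAL -->
      <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
      <!-- Windows 8.1 -->
      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
      <!-- Windows 8 -->
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
      <!-- Windows 7 -->
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
    </application>
  </compatibility>
</assembly>
```

In Visual Studio, add the file via Add > New Item > Application Manifest File and make sure the project's Application settings point at it so it is embedded in the executable (the default template usually ships these `supportedOS` lines commented out, and only the Windows 10 one needs to be enabled). After rebuilding, confirm the fix with the `Environment.OSVersion` check from the issue: it should report `10.0.x`, not `6.2.9200.0`.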