问题
I am trying to write an WPF client which uses ADAL to authenticate against ADFS on a Windows Server 2012 R2. I have successfully implemented this using "Forms Authentication" where the user is prompted for the domain username and password. However, I want to take advantage of SSO and use the currently logged on domain user to authenticate against the ADFS.
Unfortunately, I'm only getting an error message saying:
This method overload is not supported by '< ADFS servername>'
I have done a lot of searching, but find some of the information contradictive:
This SO post about a Windows Store App (any differences to WPF?) where Vittorio Bertocci links to a blog on how to achieve it: ADAL for Windows Store SSO
This SO post where Vittorio Bertocci claims that silent authentication is only possible with Windows Server 2016: Authenticate with ADFS inside Console App silently
Is it a fact that Windows Server 2016 is required to perform SSO in conjunction with ADAL? Is there any other way to do it?
EDIT:
After upgrading to the latest alpha of ADAL (3.9.302111717-alpha) I'm getting the more detailed error message
MSIS9611: The authorization server does not support the requested 'grant_type'. The authorization server only supports 'authorization_code' or 'refresh_token' as the grant type.
The code I'm executing is this:
string authority = "https://myServer.com/adfs";
string resourceURI = "http://myApp/";
string clientId = "XXXX-XXX-XXXX-XXXX-XXXXX";
string clientReturnUri = "http://anarbitraryreturnuri/";
var ac = new AuthenticationContext(authority, false);
var token = await ac.AcquireTokenAsync(resourceURI, clientId,new UserCredential());
I was able to implement a working solution using WS-Trust, so I am confident that the machine I'm running on has the privacy settings to enable the app to find the currently logged on user.
The Oauth2 endpoint looks as follows:
Also, my global authentication policy is set up like this:
回答1:
Windows Server 2016 is only required for the password grant - in which you provide raw username and password. Your question seems to suggest you want to sign on with the currently signed in user, which would leverage Kerberos instead. Kerberos based authentication should work with ADFS "3" and ADFS 2016 indifferently - as long as your client is connected to the domain network, the local machine does not have privacy settings that prevent your app from finding out the domain user currently logged in and the correct endpoints are enabled on the ADFS instance.
来源:https://stackoverflow.com/questions/35412805/sso-from-adal-in-wpf-client-to-adfs-3-0-on-windows-server-2012-r2