[Bug] unknown_broker_error using WAM running a windows service under a AD account.

[Roy-Vi]

Library version used

4.70.2.0

.NET version

.NET Version: 8.0.12

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

On our on premise Windows servers we are running services with AD account to access Azure resource.
The service uses a Public Client Application and Windows Integrated Authentication (Wia) to get access tokens. This worked fine but the company decided to no longer support the ADFS connection that was set up between our on premise AD and our Azure AD tenant and instead we should be using WAM.
So we tried this by following this example: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-desktop-acquire-token-wam. Running the code on my laptop with the logged in user account works but on the windows server it throws this exception:

Exception Info: MSAL.NetCore.4.70.2.0.MsalServiceException:
ErrorCode: unknown_broker_error
Microsoft.Identity.Client.MsalServiceException: Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: (pii)
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639)
at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<b__1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func1 codeBlock) at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenSilentParameters silentParameters, CancellationToken cancellationToken) at Company.Authentication.Token.WamAuthTokenCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Company.Authentication.Token.WamAuthTokenCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.SetResultOnTcsFromCredentialAsync(TokenRequestContext context, TaskCompletionSource1 targetTcs, Boolean async, CancellationToken cancellationToken)
at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](Task1 task) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.TokenRequestState.GetCurrentHeaderValue(Boolean async, Boolean checkForCompletion, CancellationToken cancellationToken) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async) at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask1 task)
at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequest(HttpMessage message, TokenRequestContext context)
at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask1 task) at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallenge(HttpMessage message) at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.ProcessAsyncInternal(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.Process(HttpMessage message, ReadOnlyMemory1 pipeline) at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory1 pipeline)
at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async) at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task) at Azure.Core.Pipeline.RedirectPolicy.Process(HttpMessage message, ReadOnlyMemory1 pipeline)
at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory1 pipeline) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async) at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task) at Azure.Core.Pipeline.RetryPolicy.Process(HttpMessage message, ReadOnlyMemory1 pipeline)
at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory1 pipeline) at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory1 pipeline)
at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory1 pipeline) at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory1 pipeline)
at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory1 pipeline) at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory1 pipeline)
at Azure.Core.Pipeline.HttpPipeline.Send(HttpMessage message, CancellationToken cancellationToken)
at Azure.Core.Pipeline.HttpPipeline.SendRequest(Request request, CancellationToken cancellationToken)
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest(Request request, CancellationToken cancellationToken)
at Azure.Security.KeyVault.KeyVaultPipeline.GetPage[T](Uri firstPageUri, String nextLink, Func1 itemFactory, String operationName, CancellationToken cancellationToken) at Azure.Security.KeyVault.Secrets.SecretClient.<>c__DisplayClass15_0.<GetPropertiesOfSecrets>b__0(String nextLink) at Azure.Core.PageResponseEnumerator.<>c__DisplayClass0_01.b__0(String continuationToken, Nullable1 pageSizeHint) at Azure.Core.PageResponseEnumerator.FuncPageable1.AsPages(String continuationToken, Nullable1 pageSizeHint)+MoveNext() at Azure.Pageable1.GetEnumerator()+MoveNext()
at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.Load()

Relevant code snippets

Expected behavior

Wam to support the same use case as Wia

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• [Bug] Broker mode throwing Microsoft.Identity.Client.MsalServiceException #5004
• [Bug] Interactive Auth fails with unknown_broker_error #4122

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

The failure was related to the OS having a failure in ShellAppRuntime.exe, and was unrelated to MSAL.NET.

Reference:

• [Bug] Interactive Auth fails with unknown_broker_error #4122 (comment)

Solution 2:

Check if the program is running under the logged-in user. It could be that the program is running before the user is successfully logged into their Windows system.

Reference:

• [Bug] Broker mode throwing Microsoft.Identity.Client.MsalServiceException #5004 (comment)
• [Bug] Broker mode throwing Microsoft.Identity.Client.MsalServiceException #5004 (comment)

Powered by issue-sentinel

[Roy-Vi]

The error message when PII logging is enabled:

CoreCLR Version: 8.0.1625.21506
.NET Version: 8.0.16
Description: The process was terminated due to an unhandled exception.
Exception Info: MSAL.NetCore.4.70.2.0.MsalServiceException:
ErrorCode: unknown_broker_error
Microsoft.Identity.Client.MsalServiceException: Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: A specified logon session does not exist. It may already have been terminated.
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639)

[ashok672]

If the service runs as another account different from current logged in user, this error is expected. WAM broker does not support runas scenario.