I am trying to access endpoints hosted on Azure App Services from an Excel add-in solution. I am using Integrated Windows Authentication to generate an access token. Everything was working fine and I could access anything I needed from Azure using the add-in, but suddenly today, when I tested the add-in again, I got this exception: Microsoft.Identity.Client.MsalClientException: There was an error parsing WS-Trust response from the endpoint. This may occur if there is an issue with your ADFS configuration.
After debugging I found that the exception is raised from this code:
    IPublicClientApplication app = PublicClientApplicationBuilder.Create(configuration.ClientID)
        .WithAuthority(new Uri(configuration.Authority))
        .Build();
    AcquireTokenByIntegratedWindowsAuthParameterBuilder authenticationResult = app.AcquireTokenByIntegratedWindowsAuth(new string[] { configuration.Audience });
    configuration.AccessToken = await authenticationResult.ExecuteAsync();
On the other hand, when I use the same library that acquires the access token from a console app, everything works fine.
So what may block the Excel add-in itself from acquiring the token?
2 Answers
For me the problem was related to the app service TLS version. It was configured to use TLS version 1.0, which is deprecated. Changing the version to 1.2 solved the issue for me.
You can get this error when using the AcquireTokenByIntegratedWindowsAuth method: wrong credentials (password) or if the user does not even exist. Admin consents are granted and 2FA is not enabled. The error code "parsing_wstrust_response_failed" may also be due to configuration issues in the ADFS environment.
According to Integrated Windows Authentication · troubleshooting · GitHub
Some issues are:
Workaround: Try upgrading the current .NET version or using your own HttpClient. Also, a wrong Service Principal Name (SPN) being logged due to misconfiguration, or Allowing Channel Binding Token, or Internet Explorer configuration can be other reasons for the cause of this error.
You can change the channel binding setting using the PowerShell cmdlet:
Set-ADFSProperties -ExtendedProtectionTokenCheck
Also make sure to check/enable Integrated Windows Authentication in Internet Explorer properties by going to Internet Options -> Advanced -> Security.
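One way to combine the two suggestions in the answers above (TLS 1.2 and supplying your own HttpClient to MSAL), as an added example that is not code from the question or the answers. The class names `Tls12HttpClientFactory` and `IwaTokenHelper` are hypothetical, and the code assumes .NET Framework 4.7.1+ or .NET Core, where `HttpClientHandler.SslProtocols` is available. It pins the client side only; the app service's own minimum TLS version is a separate setting.

```csharp
using System;
using System.Net.Http;
using System.Security.Authentication;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical helper (not from the original post): hands MSAL one shared
// HttpClient whose handler negotiates TLS 1.2 only, regardless of the
// defaults of the host process (for example Excel).
public sealed class Tls12HttpClientFactory : IMsalHttpClientFactory
{
    // A single long-lived client avoids socket exhaustion.
    private static readonly HttpClient Client = new HttpClient(
        new HttpClientHandler
        {
            SslProtocols = SslProtocols.Tls12,
            // Integrated Windows Authentication needs the logged-on user's
            // credentials on the WS-Trust call to the federation endpoint.
            UseDefaultCredentials = true
        });

    public HttpClient GetHttpClient() => Client;
}

public static class IwaTokenHelper
{
    // clientId, authority and scope stand in for the values the question
    // reads from its configuration object.
    public static async Task<string> AcquireAsync(string clientId, string authority, string scope)
    {
        IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(new Uri(authority))
            .WithHttpClientFactory(new Tls12HttpClientFactory())
            .Build();
        try
        {
            AuthenticationResult result = await app
                .AcquireTokenByIntegratedWindowsAuth(new[] { scope })
                .ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalClientException ex) when (ex.ErrorCode == "parsing_wstrust_response_failed")
        {
            // Surface the inner exception type (never the token) so a transport
            // or TLS failure can be told apart from an ADFS configuration issue.
            throw new InvalidOperationException(
                $"WS-Trust failure ({ex.ErrorCode}); inner: {ex.InnerException?.GetType().Name}", ex);
        }
    }
}
```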