Considerations for using Universal Windows Platform with MSAL.NET

Developers of applications that use Universal Windows Platform (UWP) with MSAL.NET should consider the concepts this article presents.

The UseCorporateNetwork property

On the Windows Runtime (WinRT) platform, PublicClientApplication has the Boolean property UseCorporateNetwork. This property enables Windows 8.1 applications and UWP applications to benefit from Integrated Windows authentication (IWA) if the user is signed in to an account that has a federated Azure Active Directory (Azure AD) tenant. Users who are signed in to the operating system can also use single sign-on (SSO). When you set the UseCorporateNetwork property, MSAL.NET uses a web authentication broker (WAB).

Important

Setting the UseCorporateNetwork property to true assumes that the application developer has enabled IWA in the application. To enable IWA:

  • In your UWP application's Package.appxmanifest, on the Capabilities tab, enable the following capabilities:
    • Enterprise Authentication
    • Private Networks (Client & Server)
    • Shared User Certificate

IWA isn't enabled by default because Microsoft Store requires a high level of verification before it accepts applications that request the Enterprise Authentication or Shared User Certificate capabilities. Not all developers want to go through this level of verification.
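As an added example (not code from this article or from the MSAL.NET project), the following C# shows how a UWP app opts in to IWA/SSO through WAB with the MSAL.NET 4.x builder API and then acquires a token silently first, falling back to an interactive prompt. It assumes the three capabilities above are already declared in Package.appxmanifest; the client ID, tenant ID and scope are placeholders.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Assumes the MSAL.NET 4.x PublicClientApplicationBuilder on the UWP target.
// ClientId and TenantId are placeholders for your own app registration.
public static class CorporateNetworkSignIn
{
    private const string ClientId = "<your-client-id>"; // placeholder
    private const string TenantId = "<your-tenant-id>"; // placeholder
    private static readonly string[] Scopes = { "User.Read" }; // example scope

    public static IPublicClientApplication BuildApp()
    {
        return PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            // Opt in to IWA/SSO through the web authentication broker (WAB).
            // Only effective when Enterprise Authentication, Private Networks
            // (Client & Server) and Shared User Certificate are enabled in
            // Package.appxmanifest; without them WAB cannot reach the
            // federated endpoint and sign-in falls back to a full prompt.
            .WithUseCorporateNetwork(true)
            .Build();
    }

    public static async Task<AuthenticationResult> SignInAsync(IPublicClientApplication app)
    {
        // Try the token cache first so a signed-in user is not prompted again.
        var accounts = await app.GetAccountsAsync();
        try
        {
            return await app.AcquireTokenSilent(Scopes, accounts.FirstOrDefault())
                            .ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token: WAB shows the sign-in UI (IWA/SSO when
            // the OS account belongs to a federated Azure AD tenant).
            return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }
}
```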

On the UWP platform, the underlying WAB implementation doesn't work correctly in enterprise scenarios where conditional access is enabled. Users see symptoms of this problem when they try to sign in by using Windows Hello. When the user is asked to choose a certificate:

  • The certificate for the PIN isn't found.
  • After the user chooses a certificate, they aren't prompted for the PIN.

You can try to avoid this issue by using an alternative method such as username-password or phone authentication, but the experience isn't good.

Troubleshooting

Some customers have reported the following sign-in error in specific enterprise environments where they know they have an internet connection and that the connection works on a public network.

We can't connect to the service you need right now. Check your network connection or try this again later.

You can avoid this issue by making sure that WAB (the underlying Windows component) allows a private network. You can do that by setting a registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe\EnablePrivateNetwork = 00000001

For more information, see Web authentication broker - Fiddler.

Next steps

The following samples provide more information.

Sample | Platform | Description
active-directory-dotnet-native-uwp-v2 | UWP | A UWP client application that uses MSAL.NET. It accesses Microsoft Graph for a user who authenticates by using an Azure AD 2.0 endpoint.
active-directory-xamarin-native-v2 | Xamarin iOS, Android, UWP | A simple Xamarin Forms app that shows how to use MSAL to authenticate with Azure AD via the Azure AD 2.0 endpoint. It also shows how to access Microsoft Graph and displays the resulting token.