Heads-up if you use ADAL.JS on a site added to the “Trusted Sites” zone

When working on a SharePoint Online solution that is using the ADAL.JS library for authentication, a customer reported strange problems. In our solution, our site sends the client to the authentication authority (Azure AD), which authenticates the client and forwards it to the reply URL which in turn returns the client to the original page in a logged in state.

The problems we saw were mainly that the clients tended to get stuck in an authentication loop, where the client seemed to correctly receive a token from the authority, but our ADAL-based solution did not see the authenticated user and thus sent the browser back to be authenticated, in a seemingly endless loop. The behavior was quite erratic though – sometimes the clients were actually able to log in, either directly or after several tries. Other times it eventually failed and stopped somewhere in the “loop”.

The oddest behavior was however that the browser tab (or whole browser if only one tab) could sometimes simply just close by itself!

I experienced this myself on IE11, but the customer reported that same happening in Chrome too. A clue was that it only happened on the customer’s computers when logged in through their VPN, and only against their own SharePoint Online tenant.

Eventually we cracked the problem. Turns out that the customer had put SharePoint Online (https://customer-tenant.sharepoint.com) in the Trusted Sites zone under Internet Options in Windows. But authentication with ADAL.JS relies on a hidden iFrame working against a different URL. Because the site and iFrame belonged to different security zones, they were no allowed to share cookies.

The solution was to simply put the authentication authority (https://*.microsoftonline.com) in the Trusted Sites zone as well.

This weakness and solution is actually stated in the ADAL.JS readme, but it is easy to miss or forget, and quite hard to figure out the cause if it happens. Hopefully this post will save someone from this agony.

PS: Need to view all trusted sites, but the list can not be scrolled due to being controlled by a group policy? Superuser has the answer!

This entry was posted in Development, Tips and tagged , , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *