[Bug] Login problems points to no internet connection #4721

Open
marionoack opened this issue Apr 19, 2024 · 5 comments

@marionoack

Library version used

4.60.3

.NET version

4.8 x64

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

Sometimes, while requesting a token (interactive with broker), my application gets an error like:

Error Code: 3400007680
Error Message: NoNetwork
WAM Error Message: An unknown Internet error has occurred.
Internal Error Code: 557973641
Possible cause: no Internet connection

The reason looks clear, but I see no internet connection issues. So I looked at msal.log (level Information) and I could locate a difference from other application logins:

2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z - 4a468961-51dc-4d0b-a005-fd99e8a174e5] === Token Acquisition (InteractiveRequest) started:
Authority: https://login.microsoftonline.com/b616fb64-df7b-4844-80ff-xxxx/
Scope:
ClientId: 33b26c15-e517-4587-97c2-xxxx

2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z - 4a468961-51dc-4d0b-a005-fd99e8a174e5] [Instance Discovery] Instance discovery is enabled and will be performed
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z - 4a468961-51dc-4d0b-a005-fd99e8a174e5] [Region discovery] Not using a regional authority.
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z - 4a468961-51dc-4d0b-a005-fd99e8a174e5] Fetching instance discovery from the network from host login.microsoftonline.com. Endpoint https://login.microsoftonline.com/common/discovery/instance.
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z - 4a468961-51dc-4d0b-a005-fd99e8a174e5] Authority validation enabled? True.
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z - 4a468961-51dc-4d0b-a005-fd99e8a174e5] Authority validation - is known env? True.
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z - 4a468961-51dc-4d0b-a005-fd99e8a174e5] Broker is configured. Starting broker flow without knowing the broker installation app link.
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [Runtime] WAM supported OS.
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z - 4a468961-51dc-4d0b-a005-fd99e8a174e5] Can invoke broker. Will attempt to acquire token with broker.
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [RuntimeBroker] Calling SignInInteractivelyAsync this will show the account picker.
2024-04-19 14:52:30 - Warning - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [MSAL:0001] WARNING SetAuthorityString:98 Initializing authority from string 'https://login.microsoftonline.com/b616fb64-df7b-4844-80ff-xxxx/' without authority type, defaulting to MsSts
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [MSAL:0002] INFO SetCorrelationId:273 Set correlation ID: 4a468961-51dc-4d0b-a005-fd99e8a174e5
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [MSAL:0002] INFO ExecuteInteractiveRequest:1103 The original authority is 'https://login.microsoftonline.com/b616fb64-df7b-4844-80ff-xxxx'
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [MSAL:0002] INFO ExecuteInteractiveRequest:1114 The normalized realm is ''
2024-04-19 14:52:30 - Warning - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [MSAL:0002] WARNING ProcessRequestedScopes:536 Disallowed scope detected. openid will be ignored as MSAL adds this to requests automatically.
2024-04-19 14:52:30 - Warning - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [MSAL:0002] WARNING ProcessRequestedScopes:536 Disallowed scope detected. profile will be ignored as MSAL adds this to requests automatically.
2024-04-19 14:52:30 - Warning - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [MSAL:0002] WARNING ProcessRequestedScopes:536 Disallowed scope detected. offline_access will be ignored as MSAL adds this to requests automatically.
2024-04-19 14:52:30 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [MSAL:0002] INFO ModifyAndValidateAuthParameters:215 Authority Realm: b616fb64-df7b-4844-80ff-xxxx
2024-04-19 14:52:30 - Warning - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:30Z] [MSAL:0003] WARNING ReadAccountById:227 Account id is empty - account not found
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:393 Printing Telemetry for Correlation ID: 4a468961-51dc-4d0b-a005-fd99e8a174e5
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: start_time, Value: 2024-04-19T12:52:30.000Z
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: api_name, Value: SignInInteractively
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: was_request_throttled, Value: false
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: authority_type, Value: AAD
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: access_token_expiry_time, Value: 2024-04-19T14:06:48.000Z
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: msal_version, Value: 1.1.0+local
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: client_id, Value: 33b26c15-e517-4587-97c2-xxxx
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: correlation_id, Value: 4a468961-51dc-4d0b-a005-fd99e8a174e5
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: broker_app_used, Value: true
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: stop_time, Value: 2024-04-19T12:52:43.000Z
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: msalruntime_version, Value: 0.16.0
2024-04-19 14:52:43 - Info - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-04-19 12:52:43Z] [MSAL:0003] INFO LogTelemetryData:401 Key: original_authority, Value: https://login.microsoftonline.com/b616fb64-df7b-4844-80ff-xxxx

The difference from successful logins is additional log lines like:

Disallowed scope detected. openid will be ignored as MSAL adds this to requests automatically.

I have no idea. I don't request any scope.

Relevant code snippets

No response

Expected behavior

Successful login and fulfillment of the token request.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

Trying the same a second time works fine in most cases.

@marionoack marionoack added needs attention Delete label after triage untriaged Do not delete. Needed for Automation labels Apr 19, 2024
@trwalke trwalke added public-client WAM and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels Apr 23, 2024
@trwalke
Member

trwalke commented Apr 23, 2024

If MSAL is not updated and this started happening suddenly, it usually points to an Entra ID service endpoint issue.
@ashok672 have you seen this in WAM before?

@bgavrilMS
Member

Thanks @trwalke. If in doubt, mark it as bug please...

@localden
Collaborator

@marionoack - can you please verify whether this is still happening?

@marionoack
Author

@localden Yes, last Friday on my computer and for another colleague at another location (different provider, during a Teams call => connection available):

2024-05-17 12:12:17 - Error - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-05-17 10:12:17Z] [RuntimeBroker] WAM_network_error_3400007680 WAM Error
Error Code: 3400007680
Error Message: NoNetwork
WAM Error Message: An unknown Internet error has occurred.
Internal Error Code: 557973641
Possible cause: no Internet connection
2024-05-17 12:12:17 - Error - True MSAL 4.60.3.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-05-17 10:12:17Z - 6855d0a6-ae4b-44a9-a027-5d314c5a51d6] MSAL.Desktop.4.60.3.0.MsalServiceException:
ErrorCode: 3400007680
Microsoft.Identity.Client.MsalServiceException: WAM Error
Error Code: 3400007680
Error Message: NoNetwork
WAM Error Message: An unknown Internet error has occurred.
Internal Error Code: 557973641
Possible cause: no Internet connection
bei Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.WamAdapters.HandleResponse(AuthResult authResult, AuthenticationRequestParameters authenticationRequestParameters, ILoggerAdapter logger, String errorMessage)
bei Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.d__13.MoveNext()

@DharshanBJ

DharshanBJ commented Jun 5, 2024

@marionoack @localden Any WAM error from the following facilities: AA3, AA7, AA8 (e.g. 0xCAA70004, 0xCAA70007, 0xCAA3012C, 0xCAA80000) corresponds to a network environment configuration issue. Error Code: 3400007680 corresponds to 0xCAA80000.

WAM team recommends these tips to customers for troubleshooting such network related issues:

  1. Open Edge (not IE; the HTTP stack for IE is different) and navigate to https://login.microsoftonline.com/. Navigation should land on https://www.office.com/ or the company default landing page. If it fails, it is most likely a general network issue, an incorrect proxy setting, etc.

  2. Processes that are engaged in token acquisition are:

C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe

C:\Windows\System32\backgroundTaskHost.exe

Ask the customer if they have a firewall or antivirus that blocks WAM or the primary destination.

Primary destination: https://login.microsoftonline.com/ This DNS name covers a lot of IP addresses (lots of services as well). Sometimes some of these addresses are blocked in the customer environment for no reason; this causes intermittent problems on some devices, while others work fine.

  3. Open the directory %LOCALAPPDATA%\Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys\

Open every file with a binary editor for reading. If it is filled with zeroes (00 00 00…), then it is a token binding issue. You need to delete those files.

  4. By inspecting a Fiddler trace, it is possible to determine the outbound proxy server name in the customer environment that the calls from Microsoft.AAD.BrokerPlugin.exe and backgroundTaskHost.exe are flowing through.

  5. Zscaler proxy - Loopback connections are by default not allowed for UWP apps and require configuration of exemptions

Troubleshooting doc - https://supportability.visualstudio.com/AzureAD/_wiki/wikis/AzureAD/614537/Troubleshooting-WAM-related-SSO-issues?anchor=investigation-of-network-issues
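
The error-code mapping and the token-binding-key check from the comment above, as an added PowerShell example that is not part of the original thread or of MSAL/WAM. The function names and the temp-folder sample are hypothetical, and reading the facility as the three hex digits after the leading C is an assumption based on the codes listed in the comment; the script only reports zero-filled files and deletes nothing.

```powershell
# Added example; function names are hypothetical, not part of MSAL or WAM.

function Convert-WamErrorCode {
    param([Parameter(Mandatory)][long]$Code)
    # Assumption: "facility" = the three hex digits after the leading C,
    # matching the codes in the thread (0xCAA80000 -> AA8).
    $facility = '{0:X3}' -f (($Code -shr 16) -band 0xFFF)
    [pscustomobject]@{
        Decimal         = $Code
        Hex             = '0x{0:X8}' -f $Code
        Facility        = $facility
        NetworkFacility = $facility -in 'AA3', 'AA7', 'AA8'
    }
}

function Find-ZeroedTokenBindingKey {
    param(
        [string]$Path = (Join-Path $env:LOCALAPPDATA `
            'Packages\microsoft.aad.brokerplugin_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key directory not found: $Path"
        return
    }
    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        # Zero-filled = non-empty and no byte differs from 0x00.
        # ($bytes -ne 0 filters the array down to its non-zero elements.)
        $zeroFilled = ($bytes.Length -gt 0) -and (@($bytes -ne 0).Count -eq 0)
        [pscustomobject]@{
            File       = $_.FullName
            Length     = $bytes.Length
            ZeroFilled = $zeroFilled
        }
    }
}

# Constructed sample: a temp folder with one zeroed and one normal file,
# so the check can be tried without touching the real key directory.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'wam-key-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $demo 'zeroed.key'), (New-Object byte[] 64))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'normal.key'), [byte[]](1..64))

Convert-WamErrorCode -Code 3400007680          # error code from the thread
Find-ZeroedTokenBindingKey -Path $demo | Format-Table -AutoSize
```

Calling `Find-ZeroedTokenBindingKey` without `-Path` inspects the current user's broker plugin key directory named in the comment.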
