Using ADAL to authenticate from Android devices fails if additional certificate downloads are required

Applies to: Azure Active Directory

Symptoms


When you try to authenticate by using the Azure Active Directory Authentication Library (ADAL) for Android, Federation sign-in may fail. Specifically, the application triggers an AuthenticationException error when it tries to display the login page. In Google Chrome, the STS login page might be called out as unsafe. This issue occurs only on Android devices, for any application that uses ADAL for Android to connect to a Federation server. 

To determine whether you are experiencing this this issue, run the following test:
  1. Obtain your Security Token Service (STS) server's fully qualified domain name (FQDN). To do this, follow these steps:
    1. Go to https://login.microsoftonline.com on a non-Android device.
    2. Enter your work or school account.
    3. When you're redirected to your federated STS login page, note the URL address in the browser. It will resemble the following:

      https://sts.contoso.com
      The FQDN is sts.contoso.com.
  2. Go to the following URL, replacing <STS_SERVER_FQDN_HERE> with your STS FQDN:
     
    https://www.ssllabs.com/ssltest/analyze.html?d=<STS_SERVER_FQDN_HERE>&hideResults=on&latest

    For example:
     
    https://www.ssllabs.com/ssltest/analyze.html?d=sts.contoso.com&hideResults=on&latest
  3. See whether any of the following messages are displayed:
    • Extra download
    • Sent by server
    • In trust store
       
    If any of the SSL certificates displays the “Extra download” message, you are experiencing the issue that's described earlier in this section, per the following screen shot:


    Here's a screen shot showing a certificate with the “Sent by server” message, illustrating successful authentication on an Android device:
     


Cause


Android does not support downloading additional certificates from the authorityInformationAccess field of the certificate. This is true across all Android versions and devices, and for the Chrome browser. Any server authentication certificate that's marked for extra download based on the authorityInformationAccess field will trigger this error if the entire certificate chain is not passed from Active Directory Federation Services (AD FS).

Resolution


To resolve this issue, configure your STS and Web Application Proxy (WAP) servers to send the necessary intermediate certificates together with the SSL certificate. To do this, follow these steps:
  1. When you export the SSL certificate from a computer to the computer’s personal store of the AD FS and WAP server (or servers), make sure that you export the Private key and that you select Personal Information Exchange - PKCS #12. Also make sure that the Include all certificates in the certificate path if possible and Export all extended properties check boxes are selected.
  2. Run certlm.msc on the Windows servers, and then import the *.PFX file into the computer’s personal certificate store. When you do this, the server will pass the entire certificate chain when a client application uses ADAL for authentication.

Note The certificate store of Network Load Balancers should also be updated to include the entire certificate chain.