M-Files Desktop Client with Azure AD Login

Hi Darlow, is it possible to share the JSON that you used?
Off course obfuscating the clientid's and secrets.

Hi there

Of course, see below:

Copy it as a picture now since my code is reported as Spam...

I didnt use the integrated MF AD functionalty, but created my own configuration with a own created Azure App.

It is really strange for me since the authentication and adding a vault in the client works well, but then when trying to log in the respective Microsoft window does not appear.

Kind regards,

Dario

You have "EnableLogging": "true" in the configs, have you checked the Windows logs to see if there's any additional information there when you try to log in? You should be able to see how far in the OAuth process does it get and if there's some error. Check the logs on both the client computer and the server.

Hi Joonas

When I add the vault, there is no error, just an information.

When I want to log in into the newly created vault, there is no error/info at all in the event log. I checked it using the MF client on the server (connecting through https). Somehow, M-Files does not even trigger the authentication I think, which is also why the MF login prompt appears and not the Microsoft one.

Hi Joonas

When I add the vault, there is no error, just an information.

When I want to log in into the newly created vault, there is no error/info at all in the event log. I checked it using the MF client on the server (connecting through https). Somehow, M-Files does not even trigger the authentication I think, which is also why the MF login prompt appears and not the Microsoft one.

And you are definitely connecting with the same vault address defined in the OAuth scope, and not for instance some internal DNS name or an IP address?

yes, I am connecting to mf.digitalland.ch. When I add a vault, I configure the settings (here everyhting works fine). When logging in, it uses the same settings as defined before...

In the Windows event logs, you should see events about the login attempt.
Those are not reported as errors, which can make it quite cumbersome to understand what is happening.

This is the event log when adding the vault (everything fine):

OAuth

Authentication result:

aud = bcf9e8e0-f6b2-45a3-9ea5-6fa93c0xxxx

iss = sts.windows.net/.../

iat = 1675401387

nbf = 1675401387

exp = 1675406915

acr = 1

aio = AVQAq/8TAAAArCy56hs/eoDE+JUc/+yawESImoyE+0u130zWwLj0+lUd/5unTNiONu/lWZSiy3jZ8UHGnTfnd53madg/m6LXTVRtD3alQNKi5XdI4MbIeyQ=

amr = rsa

amr_2 = mfa

appid = bcf9e8e0-f6b2-45a3-9ea5-xxxxxxxxxxxxx

appidacr = 1

family_name = Wieland

given_name = Dario

ipaddr = 20.203.219.202

name = Dario Surname

oid = 4a2fd8d7-758b-4b67-8a1f-30208a475056

rh = 0.ATEAUCKF8V5T9UGUpObgUY4LMeDo-byy9qNFnqVvqTwFHZYxABI.

scp = User.Read

sub = MRW67u6YYAH85WVMAcJB27vFhSHcKCLA81oNV_X6MsE

tid = f1852250-535e-41f5-94a4-e6e0518e0b31

unique_name = dario.surname@mail.com

upn = digitalland.ch\dario.wieland

uti = U-TYqd4z-EGH9gwi8Gs6AA

ver = 1.0

M-Files::LoginHint = dario.surname@mail.com

BUT, when I try to log in, this prompt appears, and there is NO event log at all.

So it can not be a log in problem I guess, but rather that it is not triggered at all?

I had this problem when using Https via RPC.

I managed to make it work when I switched to GRPC.

I found luckily the answer....you need to set this registry key on the server, then it works:

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

Value name: EnableHttp2Tls

Value type: DWORD (32 bit)

Value data: 00000000

...according to this article:

https://m-files.force.com/s/article/M-Files-and-Windows-10-1709-Fall-Creators-Update-Access-is-denied-error

....unfortunately nowhere described in any manual.

@M-Files

Could you mention that somewhere in the manuals?

Glad you got it working! The issue mentioned in that support article is not specifically related to Azure AD authentication so that's why it's not mentioned in the AAD guides. I think you would have faced issues accessing the vault without Azure AD as well.