|
| 1 | +--- |
| 2 | +title: MsalClientException - Failed to get user name |
| 3 | +description: PDiscusses a "Failed to get user name" error when an application uses Integrated Windows Authentication (IWA) with Microsoft Authentication Library (MSAL) and provide solutions. |
| 4 | +ms.service: entra-id |
| 5 | +ms.date: 06/23/2025 |
| 6 | +ms.reviewer: willfid, v-weizhu |
| 7 | +ms.custom: sap:Developing or Registering apps with Microsoft identity platform |
| 8 | +--- |
| 9 | + |
| 10 | +# Microsoft.Identity.Client.MsalClientException: Failed to get user name |
| 11 | + |
| 12 | +This article provides a solution to a "Failed to get user name" error that occurs when an application uses Integrated Windows Authentication (IWA) with Microsoft Authentication Library (MSAL). |
| 13 | + |
| 14 | +## Symptoms |
| 15 | + |
| 16 | +When your application uses IWA with MSAL, if calling the `AcquireTokenByIntegratedWindowsAuth` method as follows: |
| 17 | + |
| 18 | +```csharp |
| 19 | +result = await app.AcquireTokenByIntegratedWindowsAuth(scopes) |
| 20 | +``` |
| 21 | + |
| 22 | +You encounter one of the following errors: |
| 23 | + |
| 24 | +> Microsoft.Identity.Client.MsalClientException: Failed to get user name —> |
| 25 | +> System.ComponentModel.Win32Exception: No mapping between account names and security IDs was done |
| 26 | + |
| 27 | +Or |
| 28 | + |
| 29 | +> Microsoft.Identity.Client.MsalClientException: Failed to get user name —> |
| 30 | +> System.ComponentModel.Win32Exception: Access Denied |
| 31 | + |
| 32 | +> [!NOTE] |
| 33 | +> The error message originates from Windows. |
| 34 | + |
| 35 | +## Cause |
| 36 | + |
| 37 | +The error occurs because MSAL calls the [GetUserNameEx](/windows/win32/api/secext/nf-secext-getusernameexa) function from `secur32.dll`. For more information, see [MSAL WindowsNativeMethods.cs - GetUserNameEx](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/01ecd12464007fc1988b6a127aa0b1b980bca1ed/src/client/Microsoft.Identity.Client/Platforms/Features/DesktopOS/WindowsNativeMethods.cs#L66). |
| 38 | +
|
| 39 | +## Solution |
| 40 | + |
| 41 | +> [!NOTE] |
| 42 | +> Before you begin, ensure the following minimum requirements are met: |
| 43 | +> |
| 44 | +> - You run the application as a local Active Directory user and not a local computer user account. |
| 45 | +> - The device where the application run is joined to the domain. |
| 46 | + |
| 47 | +To resolve this issue, pass the username to `AcquireTokenByIntegratedWindowsAuth`. |
| 48 | + |
| 49 | +If the username is known beforehand, you can manually pass it to MSAL, as follows: |
| 50 | + |
| 51 | +`result = await app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername("<service-account>@contoso.com")` |
| 52 | + |
| 53 | +If the username isn't known beforehand, dynamically retrieve the username and then pass it to `AcquireTokenByIntegratedWindowsAuth` by using one of the following methods: |
| 54 | + |
| 55 | +- Use `System.Security.Principal.WindowsIdentity.GetCurrent()` |
| 56 | + |
| 57 | + Here's the code example: |
| 58 | + |
| 59 | + ```csharp |
| 60 | + string username = System.Security.Principal.WindowsIdentity.GetCurrent().Name; |
| 61 | + result = await app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername(username) |
| 62 | + ``` |
| 63 | + |
| 64 | + > [!NOTE] |
| 65 | + > If the returned username doesn't include a domain, this method fails and returns different errors. For proper integration with Microsoft Entra ID, you must pass the username in the format of a user principal name. |
| 66 | + |
| 67 | +- Use `PublicClientApplication.OperatingSystemAccount.Username` |
| 68 | + |
| 69 | + Here's the code example: |
| 70 | + |
| 71 | + ```csharp |
| 72 | + string username = PublicClientApplication.OperatingSystemAccount.Username; |
| 73 | + result = await app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername(username) |
| 74 | + ``` |
| 75 | + |
| 76 | + > [!NOTE] |
| 77 | + > This method tries to access the Windows Account Broker to get the user signed into the device. It doesn't work if the application runs on Internet Information Services (IIS) or Windows Servers. |
| 78 | + |
| 79 | +## Reference |
| 80 | + |
| 81 | +[Using MSAL.NET with Integrated Windows Authentication (IWA)](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/integrated-windows-authentication) |
| 82 | + |
| 83 | +[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)] |
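Review bot: The sample at new-file line 60 passes `WindowsIdentity.GetCurrent().Name` straight to `WithUsername`, but the note at line 65 says the username must be in user principal name format. `Name` returns the `DOMAIN\user` form, so the sample as written conflicts with its own note. Either show how the UPN is obtained or state which format this path produces and when it is accepted. Separately, the calls at lines 19, 51, 61 and 73 stop at the builder with no `.ExecuteAsync()` and no terminating semicolon, so they do not compile as shown, and line 51 is inline code where the other samples use a csharp fence. The Cause section at line 37 names the `GetUserNameEx` call but not the conditions under which it fails. The prerequisites at lines 44-45 (domain user, domain-joined device) read like those conditions and would help diagnosis if stated under Cause. Minor: "PDiscusses" and "provide solutions" in the description at line 3, "application run" at line 45, and line 12 promises "a solution" while the description says "solutions".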