|
| 1 | +--- |
| 2 | +title: MsalClientException - Failed to Get User Name |
| 3 | +description: Resolves the Failed to get user name error when an application uses Integrated Windows Authentication (IWA) with Microsoft Authentication Library (MSAL). |
| 4 | +ms.service: entra-id |
| 5 | +ms.date: 07/01/2025 |
| 6 | +ms.reviewer: willfid, v-weizhu |
| 7 | +ms.custom: sap:Developing or Registering apps with Microsoft identity platform |
| 8 | +--- |
| 9 | + |
| 10 | +# Microsoft.Identity.Client.MsalClientException: Failed to get user name |
| 11 | + |
| 12 | +This article provides a solution to the "Failed to get user name" error that occurs when an application uses Integrated Windows Authentication (IWA) together with Microsoft Authentication Library (MSAL). |
| 13 | + |
| 14 | +## Symptoms |
| 15 | + |
| 16 | +When your application uses IWA together with MSAL, if calling the `AcquireTokenByIntegratedWindowsAuth` method as follows: |
| 17 | + |
| 18 | +```csharp |
| 19 | +result = await app.AcquireTokenByIntegratedWindowsAuth(scopes) |
| 20 | +``` |
| 21 | + |
| 22 | +You encounter one of the following errors: |
| 23 | + |
| 24 | +- > Microsoft.Identity.Client.MsalClientException: Failed to get user name —> |
| 25 | + > System.ComponentModel.Win32Exception: No mapping between account names and security IDs was done |
| 26 | + |
| 27 | +- > Microsoft.Identity.Client.MsalClientException: Failed to get user name —> |
| 28 | + > System.ComponentModel.Win32Exception: Access Denied |
| 29 | + |
| 30 | +## Cause |
| 31 | + |
| 32 | +The error originates from Windows. It occurs because MSAL calls the [GetUserNameEx](/windows/win32/api/secext/nf-secext-getusernameexa) function from `secur32.dll`. For more information, see [MSAL WindowsNativeMethods.cs - GetUserNameEx](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/01ecd12464007fc1988b6a127aa0b1b980bca1ed/src/client/Microsoft.Identity.Client/Platforms/Features/DesktopOS/WindowsNativeMethods.cs#L66). |
| 33 | +
|
| 34 | +## Solution |
| 35 | + |
| 36 | +> [!NOTE] |
| 37 | +> Before you begin, ensure the following minimum requirements are met: |
| 38 | +> |
| 39 | +> - Run the application as a local Active Directory user, not a local computer user account. |
| 40 | +> - The device running the application is joined to the domain. |
| 41 | + |
| 42 | +To resolve this issue, pass the username to `AcquireTokenByIntegratedWindowsAuth`. |
| 43 | + |
| 44 | +If the username is known beforehand, you can manually pass it to MSAL as follows: |
| 45 | + |
| 46 | +```csharp |
| 47 | +result = await app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername("<service-account>@contoso.com") |
| 48 | +``` |
| 49 | + |
| 50 | +If the username isn't known beforehand, dynamically retrieve the username and then pass it to `AcquireTokenByIntegratedWindowsAuth` by using one of the following methods: |
| 51 | + |
| 52 | +- Use `System.Security.Principal.WindowsIdentity.GetCurrent()` |
| 53 | + |
| 54 | + Here's the code example: |
| 55 | + |
| 56 | + ```csharp |
| 57 | + string username = System.Security.Principal.WindowsIdentity.GetCurrent().Name; |
| 58 | + result = await app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername(username) |
| 59 | + ``` |
| 60 | + |
| 61 | + > [!NOTE] |
| 62 | + > If the returned username doesn't include a domain, this method fails and returns different errors. For proper integration with Microsoft Entra ID, you must pass the username in the format of a user principal name. |
| 63 | + |
| 64 | +- Use `PublicClientApplication.OperatingSystemAccount.Username` |
| 65 | + |
| 66 | + Here's the code example: |
| 67 | + |
| 68 | + ```csharp |
| 69 | + string username = PublicClientApplication.OperatingSystemAccount.Username; |
| 70 | + result = await app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername(username) |
| 71 | + ``` |
| 72 | + |
| 73 | + > [!NOTE] |
| 74 | + > This method tries to access the Windows Account Broker to sign the user into the device. It doesn't work if the application runs on Internet Information Services (IIS) or Windows Server. |
| 75 | + |
| 76 | +## Reference |
| 77 | + |
| 78 | +[Using MSAL.NET with Integrated Windows Authentication (IWA)](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/integrated-windows-authentication) |
| 79 | + |
| 80 | +[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)] |
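Review bot: The four C# snippets (new-file lines 19, 47, 58 and 70) await the result of `AcquireTokenByIntegratedWindowsAuth(scopes)` directly and have no terminating semicolon, so they do not compile as shown. In MSAL.NET that method returns a parameter builder, and the token request is only sent by `.ExecuteAsync()`. Suggest ending each chain with it, for example `result = await app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername(username).ExecuteAsync();`. Separately, line 57 passes `WindowsIdentity.GetCurrent().Name` straight to `WithUsername`, while the note on line 62 says the value must be a user principal name. The sample should either show how the UPN is obtained or state which format `Name` returns, so readers know when this option applies. The Cause section (line 32) names the `GetUserNameEx` call but does not say why it fails. Tying the two Win32 messages under Symptoms to the domain-user and domain-join requirements listed under Solution would make the diagnosis actionable.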