Merge remote-tracking branch 'upstream/main' into Branch-CI4498

AmandaAZ · AmandaAZ · commit 5f686570fbcc · 2025-04-02T01:48:44.000Z
diff --git a/support/entra/entra-id/app-integration/repeat-login-prompts-in-msal-ios-app.md b/support/entra/entra-id/app-integration/repeat-login-prompts-in-msal-ios-app.md
@@ -0,0 +1,51 @@
+---
+title: Why does an MSAL-based iOS app keep asking for credentials with Microsoft Entra?
+description: Provides guidance for troubleshooting repeated sign-in prompts in an iOS MSAL implementation
+ms.date: 03/19/2025
+ms.author: daga
+ms.service: entra-id
+ms.custom: sap:Microsoft Entra App Integration and Development
+---
+
+# Troubleshoot sign-in prompt issues in iOS with MSAL SDK
+
+This article provides guidance for troubleshooting repeated sign-in prompts in an iOS app that uses Microsoft Authentication Library (MSAL).
+
+## Symptoms
+
+You [follow this tutorial](/azure/active-directory/develop/tutorial-v2-ios) to integrate Microsoft identity platform authentication in your iOS app by using the Microsoft Authentication Library (MSAL) SDK. However, after the initial login, users are unexpectedly prompted to sign in multiple times.
+
+## Cause
+
+This issue is typically caused by the web browser used by MSAL does not allow cookie sharing.
+
+The tutorial uses the MSAL to implement authentication. MSAL SDK facilitates authentication by automatically renewing tokens. It also enables single sign-on (SSO) between other apps on the device and manages user accounts.
+
+For SSO to function correctly, tokens must be shared between apps. To meet this requirement, you must use a token cache or a broker application, such as Microsoft Authenticator for iOS. Interactive authentication in MSAL requires a web browser. On iOS, MSAL uses the Safari system browser by default for interactive authentication. This default setup supports SSO state sharing between apps.
+
+However, if you customize the browser configuration for authentication, such as by using one of the following options, cookie sharing might not be enabled by default.
+
+| **For iOS only** | **For iOS and macOS** |
+| --- | --- |
+| [SFAuthenticationSession](https://developer.apple.com/documentation/safariservices/sfauthenticationsession?language=objc) <br> [SFSafariViewController](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller?language=objc) | [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession?language=objc) <br> [WKWebView](https://developer.apple.com/documentation/webkit/wkwebview?language=objc) |
+
+
+## Resolution
+
+To prevent repeated login prompts, you must allow cookie sharing when you customize the browser. To enable SSO and cookie sharing between MSAL and your iOS app, use one of the following solutions:
+
+Use `ASWebAuthenticationSession` and Safari system browser (`UIApplication.shared.open`)
+
+   - Use Case: Your app uses MSAL together with the default `ASWebAuthenticationSession` instance, and you open external links or logout flows in Safari system browser.
+   - **Note:** `ASWebAuthenticationSession` is the recommended method for MSAL interactive authentication on iOS 12+. It's the only supported method on iOS 13+. This method is privacy-preserving and shares cookies with system browser. SSO works between MSAL and Safari browser application because they share cookies through the system authentication session.
+
+Use `WKWebView`
+
+   - Use Case: You explicitly configure MSAL to use `WKWebView`, and your app also uses `WKWebView` for related workflows.
+   - **Note:** You can use `WKWebView` for a consistent experience within your app. However, because it's sandboxed, `WKWebView` doesn't share session cookies with Safari system browser or other apps. In this condition, SSO support is limited to use within your app.
+
+   For more information, see [Customizing webviews and browsers](/azure/active-directory/develop/customize-webviews).
+
+[!INCLUDE [Third-party disclaimer](../../../includes/third-party-disclaimer.md)]
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
diff --git a/support/entra/entra-id/toc.yml b/support/entra/entra-id/toc.yml
@@ -61,8 +61,8 @@
         href: app-integration/package-inspector-msal-android-native.md
       - name: Enable MSAL4J logging in a Spring Boot web application
         href: app-integration/enable-msal4j-logging-spring-boot-webapp.md
-      - name: Role-based access control issues in WebAssembly app
-        href: app-integration/troubleshoot-rabc-issues-webassembly-auth-apps.md
+      - name: Repeated login prompts in iOS MSAL implementation
+        href: app-integration/repeat-login-prompts-in-msal-ios-app.md
 
 
   - name: Troubleshoot adding apps
diff --git a/support/windows-server/remote/set-up-remote-desktop-licensing-across-domains-forests-workgroups.md b/support/windows-server/remote/set-up-remote-desktop-licensing-across-domains-forests-workgroups.md
@@ -1,20 +1,19 @@
 ---
 title: Set up RD licensing across domains forests or workgroups
 description: This article talks about the questions around the supportability (or recommended approach) of setting up Remote Desktop (RD) licensing across domain, forest, or work groups.
-ms.date: 01/15/2025
+ms.date: 04/01/2025
 manager: dcscontentpm
 audience: itpro
 ms.topic: troubleshooting
-ms.reviewer: kaushika, akhleshs, sabinn
+ms.reviewer: kaushika, akhleshs, sabinn, warrenw, timnewton
 ms.custom:
 - sap:remote desktop services and terminal services\licensing for remote desktop services (terminal services)
 - pcy:WinComm User Experience
 ---
-# Best practices for setting up RDS licensing across Active Directory domains/forests or work groups
+# Best practices for setting up RD licensing across Active Directory domains/forests or work groups
 
 This article provides information on the questions around the supportability (or recommended approach) of setting up Remote Desktop (RD) licensing across domain, forest, or work groups.
 
-_Applies to:_ &nbsp; Windows Server 2008 R2 Service Pack 1  
 _Original KB number:_ &nbsp; 2473823
 
 > [!NOTE]
@@ -39,30 +38,30 @@ For both Per Device and Per User CALs issuance to work, the RD Session Host and
 
 Here is more information on these scenarios:
 
-- RDS Host and RDS licensing servers are in the same work group
+- RD Session Host and RD licensing servers are in the same work group
 
-  Consider the following points while configuring RDS and RDS licensing servers in a work group environment:
+  Consider the following points while configuring RDS and RD licensing servers in a work group environment:
 
-  - We can use ONLY Per Device CALs in a work group environment. So, you should install only Per Device CALs on RDS licensing server.
+  - We can use ONLY Per Device CALs in a work group environment. So, you should install only Per Device CALs on RD licensing server.
   - Per User CAL tracking and reporting is not supported in work group mode.
-  - RDS Host and RDS licensing server roles can both be installed on the same server.
-  - If you install RDS licensing server on a different server in the work group, ensure that the RDS server is able to access RDS licensing server.
+  - RD Session Host and RD licensing server roles can both be installed on the same server.
+  - If you install RD licensing server on a different server in the work group, ensure that the RDS server is able to access RD licensing server.
 
   In Windows 2008 R2, automatic license server discovery is no longer supported for RD Session Host servers. You must specify the name of a license server for the RD Session Host server to use by using Remote Desktop Session Host Configuration snap-in. For more information, see [Specify a License Server for an RD Session Host Server to Use](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770585(v=ws.11)).
 
-- RDS Host and RDS licensing servers are in the same domain
+- RD Session Host and RD licensing servers are in the same domain
 
-  In an Active Directory Domain scenario, we can have RDS Host and RDS licensing servers either on the same server or different servers. Consider the following points while configuring RDS environment in a domain scenario:
-
-  - You can install both (Per Device and Per User) CALs on RDS licensing server.
+  In an Active Directory Domain scenario, we can have RD Session Host and RD licensing servers either on the same server or different servers. Consider the following points while configuring RDS environment in a domain scenario:
+  
+  - You can install both (Per Device and Per User) CALs on RD licensing server.
 
   - The computer account for the license server must be a member of the Terminal Server License Servers group in AD DS. If the license server is installed on a domain controller, the Network Service account must also be a member of the Terminal Server License Servers group.
 
-  - To restrict the issuance of RDS CALs, you can add RDS Host Servers into Terminal Server Computers group on RDS licensing server and then enable the License server security group policy setting on RDS licensing server.
+  - To restrict the issuance of RDS CALs, you can add RD Session Host servers into Terminal Server Computers group on RD licensing server and then enable the License server security group policy setting on the RD licensing server.
 
   - The License server security group policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote \RD licensing and can be configured by using either the Local Group Policy Editor or the Group Console (GPMC).
 
-- RDS Host Servers are in one domain/forest and RDS licensing server is in another domain/forest
+- RD Session Host servers are in one domain/forest and RD licensing server is in another domain/forest
 
   In this kind of scenario, you should consider the following points:
 
@@ -72,11 +71,11 @@ Here is more information on these scenarios:
 
   - To issue RDS Per User CALs to users in other domains, there must be a two-way trust between the domains, and the license server must be a member of the Terminal Server License Servers group in those domains.
 
-  - To restrict the issuance of RDS CALs, you can add RDS Host Servers into Terminal Server Computers group on RDS licensing servers.
+  - To restrict the issuance of RDS CALs, you can add RD Session Host servers into Terminal Server Computers group on RD licensing servers.
 
-  - Configure RDS licensing server on all RDS Host Servers in each domain/forest. You can do it through RDS host configuration snap-in or through a group policy.
+  - Configure RD licensing server on all RD Session Host servers in each domain/forest. You can do it through RD Session Host configuration snap-in or through a group policy.
 
-  - Add administrators group of each domain/forest in the local administrators of RDS licensing server. This way, you'll not get a prompt to enter your credentials when you'll open RDS host configuration snap-ins in trusted domains/forests.
+  - Add administrators group of each domain/forest in the local administrators of RD licensing server. This way, you'll not get a prompt to enter your credentials when you'll open RD Session Host configuration snap-ins in trusted domains/forests.
 
 ## Data collection
 
