Channel: Azure Active Directory forum

ADAL AcquireToken with ClientCredential fails with invalid_client (ACS50012)


My Azure AD "web application" won't allow me to get an auth token using ADAL's AuthenticationContext.AcquireToken method with ClientCredential.

I am trying to use Microsoft.IdentityModel.Clients.ActiveDirectory version 1.0.3 (from NuGet).

(I can't use the overload that prompts the user to log in because I'm writing a service, not an app.)

I configured my Azure AD web application as described in various tutorials/samples (e.g. [ADAL - Server to Server Authentication](http://code.msdn.microsoft.com/windowsazure/AAL-Server-to-Server-9aafccc1)).

My code looks like:

    AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/thommmondago.onmicrosoft.com");
    ClientCredential cc = new ClientCredential("41151135-61b8-40f4-aff7-8627e9eaf853", clientSecretKey);
    AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);


The `AcquireToken` line throws an exception:

    sts_token_request_failed: Token request to security token service failed.  Check InnerException for more details

The inner exception is a WebException, and the response received looks like an OAuth error:

    { "error":"invalid_client",
     "error_description":"ACS50012: Authentication failed."
     "error_codes":[50012],
     "timestamp":"2014-03-17 12:26:19Z",
     "trace_id":"a4ee6702-e07b-40f7-8248-589e49e96a8d",
     "correlation_id":"b304af2e-2748-4067-99d0-2d7e55b121cd" }

Bypassing ADAL and using curl with the OAuth endpoint also gives the same error.

My code works if I use the details of the Azure application that I found [here](https://github.com/MSOpenTech/AzureAD-Node-Sample/wiki/Windows-Azure-Active-Directory-Graph-API-Access-Using-OAuth-2.0):

    AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/graphDir1.onmicrosoft.com");
    ClientCredential cc = new ClientCredential("b3b1fc59-84b8-4400-a715-ea8a7e40f4fe", "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=");
    AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);


So it's not an error with my code. I think it's either an error with my Azure AD, or I've got the ClientCredential parameters wrong.

Someone on Stack Overflow has the same issue and no answer: http://stackoverflow.com/questions/21797154/azure-active-directory-webapi-server-to-server?rq=1

Can anyone replicate creating a new Azure account, adding a web application to the Default Directory Azure AD, and authenticating with it using ADAL and ClientCredential?
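
Added example, not part of the original post and not ADAL code: the client_credentials request that the post reproduces with curl, built in Python, showing what a form parser receives when a base64 secret is sent without percent-encoding, plus a parser for the error response. The `/oauth2/token` path, tenant name, client id, secret and error body are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample values (assumptions, not taken from the post).
AUTHORITY = "https://login.windows.net/contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_SECRET = "aB+cD/eF0123456789abcdefghijklmnopqrstuvw="
RESOURCE = "https://graph.windows.net"
# Constructed error body, modelled on the response quoted in the post.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_client",
    "error_description": "ACS50012: Authentication failed.",
    "error_codes": [50012],
    "trace_id": "00000000-0000-0000-0000-000000000001",
    "correlation_id": "00000000-0000-0000-0000-000000000002",
})

def token_endpoint(authority):
    # Assumption: the Azure AD v1 token endpoint is <authority>/oauth2/token.
    return authority.rstrip("/") + "/oauth2/token"

def build_body(client_id, secret, resource):
    # urlencode percent-encodes '+', '/' and '=' in a base64 secret.
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": secret, "resource": resource})

def naive_body(client_id, secret, resource):
    # Hand-concatenated body, as is easy to do on a command line.
    return ("grant_type=client_credentials&client_id=" + client_id +
            "&client_secret=" + secret + "&resource=" + resource)

def secret_as_received(body):
    # Decode the body the way a form parser on the receiving side would.
    return parse_qs(body)["client_secret"][0]

def summarize_error(raw):
    # Keep the fields needed to triage and to quote in a support request.
    doc = json.loads(raw)
    return {"error": doc.get("error"),
            "codes": doc.get("error_codes", []),
            "trace_id": doc.get("trace_id"),
            "correlation_id": doc.get("correlation_id"),
            # RFC 6749 section 5.2: invalid_client means client authentication failed.
            "client_auth_failed": doc.get("error") == "invalid_client"}

if __name__ == "__main__":
    print(token_endpoint(AUTHORITY))
    print(secret_as_received(build_body(CLIENT_ID, SAMPLE_SECRET, RESOURCE)) == SAMPLE_SECRET)
    print(secret_as_received(naive_body(CLIENT_ID, SAMPLE_SECRET, RESOURCE)) == SAMPLE_SECRET)
    print(summarize_error(SAMPLE_ERROR))
```

The encoding check only applies to hand-built requests; the `trace_id` and `correlation_id` fields are the values to quote when asking the directory operator to look up a failed request.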

