I have an ASP.NET MVC app, running as Azure Web App.
I use pre-authentication/EasyAuth, and for 5 deployment slots it works fine. Each of them has their own Azure AD App Registration.
But the production site (not a deployment slot, root of the app) throws an error when after logging in, at the /.auth/login/aad/callback path:
I have compared Azure AD App manifest with one that works, and the only difference is the names, description and URLs - as expected.
Using Kudu to view an error, it seems to come from the EasyAuthModule:
So, basically this was an issue with the App Registration used, were created from another deployment slot.
Even though Authentication / Authroization for the web app was set up as Express, the correct App Registration was selected - it turns out it did not get the Client Secret transferred from App Registration to the Web App (in my case, it had the wrong key):
To fix it, you can switch to advanced as shown above, open the associated App Registration and create a new key:
The key is not shown until you save, and is only shown once. Copy it, and insert it into the Client Secret input of the Web App.
After saving all the blades, it is possible to switch back to Express auth. setup and the key will remain.
As I cannot comment I'll add my case as an answer in a bit more detail than I would have to a comment.
I had the exact same error messages From Easyauth in an ASP.NET MVC app running as Azure App Service Web App.
The initial error message was just "The page cannot be displayed because an internal server error has occurred." And via FTP and/or Visual Studio Server Explorer and/or Cloud Explorer I could check the real error page after setting the detailed error messages on from App Service Logs. Those errors were the same as with MartinHN got using Kudu.
So in the more detailed error the predominantly shown 500.74 error originally pointed me to the wrong direction (MFA). But Request Url (.auth/login/aad/callback ) where the error message indicated the internal server error was occurring in, led me to this SO question.
In my case though I had the Advanced Configuration already selected in App Services Active Directory Authentication. And the client secret key was not just wrong. It turned out that the client secret had expired. But it wasn’t obvious to me as I don’t have access to the AAD. I had to contact a separate AD team to check the secrets.
So expired client secret (keys) can also cause this very same error.
Related
I am working on a web application, containing multiple views, that is using the ASP.NET framework for the backend and the Angular framework for the frontend. When running this web application on my local machine, every view loads without issue, returning the 200 - OK status. However, when I deploy and run my application in the Azure dev environment, one view is intermittently returning a 404 - Not Found status. All of the other views seem to be working fine, with the exception of this one.
Also, when I look at the console, it appears that the URL being requested by the front-end is the front-end URL, which it should not be requesting. It should be requesting the backend URL, which is what every other successful view is requesting.
Is there a general cause to this issue or do I need to provide more information regarding the code I am using? Thanks.
Assuming everything in the network but the app is working fine (example: no packet loss when your application's network traffic traverse public and private network) there are three possible causes
Client side lack of permission to access the object (please verify
messages exchanged between azure and your the browser with chrome
dev tools) and if is trueyou can you can configure Cross Origin
Resource Sharing (CORS) for the storage service the Angular client
is accessing;
Also is possible a SASAuthorizationError issue (Please check the
SASAuthorizationError in the metrics. Fault is non zero. Here is
explained)
last but not least please check in server-side logs if another
process deleted your target before frontend app can access
C# ASP.NET web page that has requirement to MFA to Azure SQL Database.
I have working in development environment.
When I deploy to web server error is received of...
"Showing a modal dial box or form when the application is not running."
I understand why it doesn't work, but how do I get a redirect to work against Azure SQL Database to get a token for the SQL Connection ?
Best answer was:
Acquire AAD token using ASP.Net web forms
What am I missing to make MFA to Azure SQL work in asp.net?
result = await authContext.AcquireTokenAsync(
parameters.Resource, // "https://database.windows.net/"
_clientId,
_redirectUri,
new AD.PlatformParameters(AD.PromptBehavior.Auto),
new AD.UserIdentifier(
parameters.UserId,
AD.UserIdentifierType.RequiredDisplayableId));
Follow up, I have the basics of this worked out.
Enable HTTPS (this was an on-prem, internal use web app, was not https, it is now).
Ensure .net 4.7.2
Ensure URI()'s match azure application registration (was missing this)
The redirect and URI back are causing me to change the design and flow of the web page, but that's a side effect of the MFA requirement.
Will post some follow up code example once i have it working the way it should, but a quick test has it working, much easier in windows application as opposed to a web app.
We have two Azure AD Web Apps Registered under one outlook account for OneDrive Development under the portal apps.dev.microsoft.com . We have created two apps because we need our app to support callback URLs from two servers with different DNS. Unfortunately only the first app that was created works in which we can get the access token using V2.0 end point and then subsequently can access One Drive Resources using graph API.
The second App that we created to supported another server with a different DNS does not work. We are unable to get access token and the response is below,
AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope
One App: reply URLs: https://www.example.org/OneDriveApp/callback.jsp - works great
Second App: reply URL https://www.example2.net/OneDriveApp/callback.jsp - failure to get OAuth Access Token.
This error generally means the auth code you've gotten is not meant for tokens on the specified endpoint. This can happen from misconfiguring the auth endpoints, registering the app in the wrong spot, or a malformed request.
The first thing to check with this error is your auth endpoints.
Next, make sure you're using the correct library to obtain the authorization code.
Also, make sure that you are not registering the app in the wrong blade (regular AD vs b2c).
What do you have as the URL for the token endpoint?
We have a custom user set for the App Pool Identity for our application.
This user runs the application fine but when it comes to AD authentication the following MS Directory Services API group search returns no groups:
PrincipalSearchResult<Principal> Principle.GetGroups();
However the same code (dll) in our test authentication with the exact same parameters in a windows command line application it returns OK the wanted groups for the found user principle in question.
Somehow the ASP.NET app pool identity appears to have missing 'rights' in that Active Directory when called via the API (which does not error as such and indeed finds the user and authenticates it) returns an empty list of groups after using the above API method (possibly across multiple domains).
As a workaround we use a TCP/IP port to a command line based server application to reroute the authentication but would dearly like to remove this extra complication as we are sure it is unnecessary, and multiple customers have the issue.
What is the missing part to the user rights that would enable the asp.net application to act the same as the windows login in this respect?
I have a fresh asp.net application which has facebook authentication button on it. When I do the authentication on localhost it works flawlessly but when I publish and try to do it on work4me.azurewebsites.net it comes up with the error:
An error occurred while processing your request.
I have set the appID, app secret, domain, correct URL, and http://work4me.azurewebsites.net/signin-facebookas the oauth redirect URI. But it seems like it is hanging for a bit saying "waiting for domain name" before giving me the error.
If I try to enable facebook authentication on the azure portal it works however after logging in the application crashes and gives me the error "Server Error in '/' Application.".
I have followed the guide to enable facebook authentication on azures website but with no luck.
What am I doing wrong here?
EDIT:
It seems to get past that point now, and the error is with the redirect URI. However I have followed this example and use the URL https://work4me.azurewebsites.net/.auth/login/facebook/callback as the guide says but still it wont work, giving me the error that the URI is blocked.
It's been a few months since I first tried this, but I was able to get it working both locally and on Azure, by following the online instructions.
Did you enable User Secrets during development to access your credentials from Application Secrets? If so, you need to create environment variables in your Azure Web App to mirror these values under Application Settings.
Let me know if you still have any issues, then I can look into it some more.
All the best! :)