SiegfriedHeintze-9929 asked:

Wanted: Guidance debugging AAD Tutorial Demonstrating Web App Calling Azure Function


I'm trying to follow the tutorial ([9781484250396][1]) in Chap03 (%SRCROOT%\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI) that demonstrates using AAD to authenticate a web site that uses an Azure function. This tutorial has me hosting a web site on my local dev machine that should be calling an azure function after having authenticated using AAD.

I have used Visual Studio 2019 to check out the code here: [developing-apps-w-azure-active-directory][2].

I've registered a new application with AAD.

I've configured an Azure function to be authenticated with Azure Active Directory. This was working Friday afternoon:
[HttpTrigger1][3]

I'm thinking that URL is no longer working because I have since added AAD authentication. OK, maybe this is progress.


I have carefully pasted the clientID, tenantID, the secret, my domain (sheintzehotmail.onmicrosoft.com), the resource ID (according to my Bing searching, this is just the clientID again) and the API base address into the file %SRCROOT%\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\appsettings.json.

See below for the stack trace. When I try to log in using the sample application, I get "AADSTS700054: response_type 'id_token' is not enabled for the application."

Maybe the problem has nothing to do with the Azure function or my sample application. I have done "az login", "az logout" and "az login" and twice I see this warning. Perhaps my Azure account is messed up? Can someone guide me?

az : WARNING: You have logged in. Now let us find all the subscriptions to which you have access...
At line:1 char:1
+ az login
+ ~~~~~~~~
+ CategoryInfo : NotSpecified: (WARNING: You ha... have access...:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError


WARNING: Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/1e694636-92fd-4ca7-b666-d0545514eb69', 'tenant_id': '1e694636-92fd-4ca7-b666-d0545514eb69'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: e2c7aca3-e581-40b9-ba16-e3b73c120d00\r\nCorrelation ID: 6bf933cf-b2f5-47da-9125-f6d40442f1d9\r\nTimestamp: 2020-04-28 00:05:45Z","error_codes":[50076],"timestamp":"2020-04-28 00:05:45Z","trace_id":"e2c7aca3-e581-40b9-ba16-e3b73c120d00","correlation_id":"6bf933cf-b2f5-47da-9125-f6d40442f1d9","error_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}'
[
{
"cloudName": "AzureCloud",
"id": "acc26051-92a5-4ed1-a226-64a187bc27db",
"isDefault": true,
"name": "Azure subscription 1",
"state": "Enabled",
"tenantId": "7a838aec-0b9e-4856-a3b5-2b02613f36a2",
"user": {
"name": "sheintze@hotmail.com",
"type": "user"
}
}
]


Thank you


Siegfried


Here is the stack trace I get when I try to run the sample code I have cloned from github.



info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[0]

User profile is available. Using 'C:\Users\shein\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.
Hosting environment: Development
Content root path: c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI
Now listening on: https://localhost:5001
Now listening on: http://localhost:5000
Application started. Press Ctrl+C to shut down.
dbug: HttpsConnectionAdapter[1]
Failed to authenticate HTTPS connection.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
dbug: HttpsConnectionAdapter[1]
Failed to authenticate HTTPS connection.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3]
Route matched with {action = "Index", controller = "Home"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult Index() on controller WebApp_FunctionAPI.Controllers.HomeController (WebApp-FunctionAPI).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Executing action method WebApp_FunctionAPI.Controllers.HomeController.Index (WebApp-FunctionAPI) - Validation state: Valid
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action method WebApp_FunctionAPI.Controllers.HomeController.Index (WebApp-FunctionAPI), returned result Microsoft.AspNetCore.Mvc.ViewResult in 4.2962ms.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.ViewResultExecutor[1]
Executing ViewResult, running view Index.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.ViewResultExecutor[4]
Executed ViewResult - view Index executed in 2145.2209ms.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action WebApp_FunctionAPI.Controllers.HomeController.Index (WebApp-FunctionAPI) in 2658.9118ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 10315.1914ms 200 text/html; charset=utf-8
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/images/banner1.svg
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/lib/bootstrap/dist/js/bootstrap.js
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/images/banner2.svg
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/lib/bootstrap/dist/css/bootstrap.css
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/css/site.css
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/images/banner3.svg
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/images/banner1.svg'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\images\banner1.svg'
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/images/banner2.svg'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\images\banner2.svg'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 369.4089ms 200 image/svg+xml
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 278.2615ms 200 image/svg+xml
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/css/site.css'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\css\site.css'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/lib/jquery/dist/jquery.js
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/js/site.js?v=4q1jwFhaPaZgr8WAUSrux6hAuh0XDg9kPS3xIVq36I0
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/images/banner3.svg'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\images\banner3.svg'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 303.7515ms 200 text/css
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/lib/bootstrap/dist/js/bootstrap.js'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\lib\bootstrap\dist\js\bootstrap.js'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 347.3063ms 200 image/svg+xml
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/lib/bootstrap/dist/css/bootstrap.css'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\lib\bootstrap\dist\css\bootstrap.css'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 547.9487ms 200 application/javascript
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 554.5855ms 200 text/css
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/lib/bootstrap/dist/fonts/glyphicons-halflings-regular.woff2
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/js/site.js'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\js\site.js'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 499.6928ms 200 application/javascript
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/lib/bootstrap/dist/fonts/glyphicons-halflings-regular.woff2'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\lib\bootstrap\dist\fonts\glyphicons-halflings-regular.woff2'
info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/lib/jquery/dist/jquery.js'. Physical path: 'c:\Users\shein\Source\Repos\DevAppWithAzureActiveDirectoryBook\WebApp-FunctionAPI\WebApp-FunctionAPI\wwwroot\lib\jquery\dist\jquery.js'
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 682.0883ms 200 font/woff2
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 1109.3877ms 200 application/javascript
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/Account/SignIn
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3]
Route matched with {action = "SignIn", controller = "Account"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult SignIn() on controller WebApp_FunctionAPI.Controllers.AccountController (WebApp-FunctionAPI).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Executing action method WebApp_FunctionAPI.Controllers.AccountController.SignIn (WebApp-FunctionAPI) - Validation state: Valid
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action method WebApp_FunctionAPI.Controllers.AccountController.SignIn (WebApp-FunctionAPI), returned result Microsoft.AspNetCore.Mvc.ChallengeResult in 1.9844ms.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
Executing ChallengeResult with authentication schemes (OpenIdConnect).
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12]
AuthenticationScheme: OpenIdConnect was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action WebApp_FunctionAPI.Controllers.AccountController.SignIn (WebApp-FunctionAPI) in 5208.946ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 5940.1812ms 302


[1]: https://www.apress.com/gp/book/9781484250396
[2]: https://github.com/Apress/developing-apps-w-azure-active-directory
[3]: https://azurefunctionauthdemo.azurewebsites.net/api/HttpTrigger1?code=IywFvDHbSb2CeF3u20ielsxRSeGrJV1x5IYI58DzHPcWmCZVNIxLSg==&name=siegfried

amanpreetsingh-msft answered:

@SiegfriedHeintze-9929 Thank you for sharing the fiddler capture.

Analysis:

Looking at the capture, I found the parameters below in the request:

  • client_id : b078e920-xxxx-xxxx-xxxx-e95c9a6f209d

  • resource : 46020346-xxxx-xxxx-xxxx-7b5d3548d1a4

  • response_type : id_token code

This means you are using the above client_id to request an id_token and code for the above-mentioned resource. In response to this request you are getting the error below:

AADSTS700054: response_type 'id_token' is not enabled for the application.

Cause:

The value of OAuth2AllowIdTokenImplicitFlow for the application with the above client ID (b078e920-xxxx-xxxx-xxxx-e95c9a6f209d) is false. This means the ID token checkbox is not selected. The value of OAuth2AllowIdTokenImplicitFlow for the resource (46020346-xxxx-xxxx-xxxx-7b5d3548d1a4) is true, which means the ID token checkbox is selected for that app. I suspect that you have enabled id_token for the resource instead of the client app.

Action Plan:

Select the ID token checkbox on the app with Client ID (aka App ID) b078e920-xxxx-xxxx-xxxx-e95c9a6f209d. Please refer to the steps I shared in my initial answer. Once this is done, you should no longer get the error "AADSTS700054: response_type 'id_token' is not enabled for the application."


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


I'm guessing this has resolved the issue because I'm getting new and different symptoms now as a result of Aman's guidance. However, I have not seen my tutorial application actually work yet, so we cannot be certain this is the resolution (yet!).

amanpreetsingh-msft answered:

Looking at the problem statement, I can see that you are getting 2 errors:

  1. AADSTS700054: response_type 'id_token' is not enabled for the application. - To resolve this error you need to navigate to Azure Portal > Azure AD > App Registrations > select the All Applications tab > search with the Client ID you used > open the application and go to the Authentication blade > under the Implicit grant section, select the checkbox for ID tokens.

  2. AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'. - To resolve this, navigate to Azure Portal > Azure AD > Properties > click on the Manage Security Defaults link > toggle the Enable Security Defaults button to NO.

I have shared more details about the 2nd error in your previous post here


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.



SiegfriedHeintze-9929 answered:

(1) Thanks for the prompt response! I believe I successfully followed your recommendation and clicked the token checkbox on both this project and the other one. This effort does not appear to be successful for either of the two projects because I'm still getting the same error (for both projects):
AADSTS700054: response_type 'id_token' is not enabled for the application. I'm hoping you can provide some more guidance. I will confirm that I'm still getting this same error in the other application soon.


(2) This appears to have worked. I successfully authenticated with my phone and I got the login prompt that failed with the above error message.


After reading this link (concept-fundamentals-security-defaults) I'm still having trouble understanding what I did that caused Azure to require two-factor authentication (which is a nuisance for developers). I am the only one on this subscription. I did not turn it on. I don't understand what "move" means. Can you help me make adjustments so I no longer need to use my phone just to debug this app?

Thank you!
Siegfried



To provide additional guidance, I need to understand the authentication flow. Could you please capture and share fiddler trace for this purpose.

Please follow the instructions below to capture a Fiddler trace:

Setup:

To get traces:

  • Start fiddler (it will start capturing)

  • Repro the issue.

  • Stop fiddler capturing by hitting the F12 key.

  • Save all sessions in .saz file and send via email to azcommunity[at]microsoft[dot]com. I will analyze the capture and let you know.

Note: The Fiddler capture may contain credentials in plain text, so I would suggest you use a temporary test account to reproduce the issue while capturing with Fiddler.

I have shared more details on the second issue in the other post. Feel free to tag me if you have any further questions.


I followed the above instructions and emailed them yesterday morning (PDT). Please confirm receipt of that email. Thanks! Siegfried


SiegfriedHeintze-9929 answered:

Thanks, I followed your suggestions; I believe they resolved some problems, and now I have new problems. I have checked "ID Tokens" and I'm getting some different errors:

(1) AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'b078e920-278a-4b24-8b96-e95c9a6f209d'.

Can you help me understand what I need to specify for the redirect URL?

When I run it via dotnet I see:
Now listening on: https://localhost:5001
Now listening on: http://localhost:5000

So should not the redirect URL specified in the AAD App registration be https://localhost:5001? This does not work.

When I run using IIS Express, I see this in the browser URL window: https://localhost:44367 (as per the launchSettings.json file). I change the redirect URL on the AAD App registration to https://localhost:44367 and it does not work either; I get the same error.


(2) When I "dotnet run", I see a stack trace! Maybe this is the problem! Bing searching suggests ([how-to-fix-the-error-authentication-failed-because-the-remote-party-has-closed-the-transport-stream][1]). I added this to main and it did not help:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

Here is the stack trace:

dbug: HttpsConnectionAdapter[1]
Failed to authenticate HTTPS connection.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/

(3) If I ignore this stack trace I get the same error: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'b078e920-278a-4b24-8b96-e95c9a6f209d'.

Why don't I see this stack trace when I run with IISExpress?

Thank you
Siegfried



@SiegfriedHeintze-9929 I am glad your previous error is resolved. I would request you to Accept the answer and post a separate question for error AADSTS50011: The reply URL specified in the request does not match the reply URLs. That way we will have answer to a specific question in each thread which will help others in the community as well.

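The two errors discussed in this thread (AADSTS700054 from the hybrid-flow request analysed in the Fiddler capture, and AADSTS50011 from the redirect URL question) are both the token endpoint comparing the /authorize request against the client app registration. The script below is an added example, not code from the thread, the book or its GitHub sample: it parses a constructed /authorize URL built from the parameters the answer read out of the capture (client and resource IDs anonymised exactly as in the thread) and checks it against two constructed manifest excerpts, one matching the answer's "ID tokens enabled on the resource app, not the client app" diagnosis and one corrected. Assumptions: the redirect_uri uses "/signin-oidc", the ASP.NET Core OpenID Connect middleware's default callback path, which the thread does not mention; the reply-URL check is modelled as an exact string match, the conservative reading, since Azure AD's own leniency for localhost ports is not something this thread establishes.

```python
"""Offline check of an Azure AD /authorize request against app-registration settings."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the /authorize request the answer reconstructed from the
# Fiddler capture. The redirect_uri assumes the ASP.NET Core OpenID Connect
# default callback path "/signin-oidc" on the Kestrel HTTPS port from the log.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=b078e920-xxxx-xxxx-xxxx-e95c9a6f209d"
    "&resource=46020346-xxxx-xxxx-xxxx-7b5d3548d1a4"
    "&response_type=id_token+code"
    "&response_mode=form_post"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A5001%2Fsignin-oidc"
    "&scope=openid+profile"
)

# Constructed manifest excerpts keyed by application (client) ID. Only the two
# fields these errors depend on are modelled: the "ID tokens" implicit-grant
# checkbox (oauth2AllowIdTokenImplicitFlow) and the reply URLs. BEFORE mirrors
# the answer's analysis: the checkbox was ticked on the resource app instead of
# the client app, and the reply URL has no callback path.
MANIFESTS_BEFORE = {
    "b078e920-xxxx-xxxx-xxxx-e95c9a6f209d": {
        "oauth2AllowIdTokenImplicitFlow": False,
        "replyUrls": ["https://localhost:5001"],
    },
    "46020346-xxxx-xxxx-xxxx-7b5d3548d1a4": {
        "oauth2AllowIdTokenImplicitFlow": True,
        "replyUrls": [],
    },
}
MANIFESTS_AFTER = {
    "b078e920-xxxx-xxxx-xxxx-e95c9a6f209d": {
        "oauth2AllowIdTokenImplicitFlow": True,
        "replyUrls": [
            "https://localhost:5001/signin-oidc",   # dotnet run (Kestrel)
            "https://localhost:44367/signin-oidc",  # IIS Express, per launchSettings.json
        ],
    },
    "46020346-xxxx-xxxx-xxxx-7b5d3548d1a4": {
        "oauth2AllowIdTokenImplicitFlow": True,
        "replyUrls": [],
    },
}


def parse_authorize_request(url):
    """Return the /authorize query parameters as a dict; response_type becomes a set."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {name: values[0] for name, values in query.items()}
    params["response_type"] = set(params.get("response_type", "").split())
    return params


def diagnose(params, manifests):
    """Predict which AADSTS errors the request would get for these registrations.

    Returns a list of strings, each prefixed with the error code, or "NOTE" for a
    hint that is not itself an error.
    """
    findings = []
    client = manifests.get(params.get("client_id"))
    if client is None:
        return ["NOTE: client_id is not a registered application in this tenant"]

    # 1. Hybrid flow: 'id_token' in response_type needs the ID-token implicit
    #    grant enabled on the *client* app; the resource app's setting is irrelevant.
    if "id_token" in params["response_type"] and not client["oauth2AllowIdTokenImplicitFlow"]:
        findings.append("AADSTS700054: response_type 'id_token' is not enabled for the application")
        resource = manifests.get(params.get("resource"), {})
        if resource.get("oauth2AllowIdTokenImplicitFlow"):
            findings.append("NOTE: the ID-token checkbox is ticked on the resource app, "
                            "which does not satisfy this check; enable it on the client app")

    # 2. Redirect URI: modelled as an exact, case-sensitive match on scheme, host,
    #    port and path (assumption: the conservative reading of Azure AD's rules).
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client["replyUrls"]:
        findings.append("AADSTS50011: The reply URL specified in the request does not "
                        "match the reply URLs configured for the application: "
                        f"'{params['client_id']}'")
    return findings


def error_codes(findings):
    """Just the code prefixes, for a quick before/after comparison."""
    return [finding.split(":", 1)[0] for finding in findings]


if __name__ == "__main__":
    request = parse_authorize_request(SAMPLE_AUTHORIZE_URL)
    for label, manifests in (("before", MANIFESTS_BEFORE), ("after", MANIFESTS_AFTER)):
        print(label, error_codes(diagnose(request, manifests)) or ["no errors predicted"])
```

Run against the BEFORE registrations the script reports AADSTS700054 (with the note that the flag sits on the wrong app) and AADSTS50011, because "https://localhost:5001" is not the same string as "https://localhost:5001/signin-oidc"; against AFTER it reports nothing. The practical point is that the reply URL to register is the middleware's callback URL, not the site root, and that a separate entry is needed for each port the app is actually served on.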