Sweha-0075 asked

Azure AAD login is giving 302 Invalid Token Retry

We have two application proxies, A (external URL: https://a.appproxy.com) and B (https://b.appproxy.com), both under Azure AD SSO preauthentication. Users can log in to both of them individually in two different browser sessions, where they get prompted for Azure AD credentials followed by a verification code. A has some logic that makes REST service requests to B. A and B internally point to two applications that are on two different servers. When a user logs in to https://a.appproxy.com from an external network, they get a 302 URL redirect for https://b.appproxy.com/services. This is what is captured through Fiddler. In the browser console, it points to a CORS error. If the user opens another browser session, authenticates it to https://b.appproxy.com, and goes back to the browser session for https://a.appproxy.com, then the page for application A loads fine with all the data. If the user logs in from the organization network with the external URL, there is no issue. How can this issue be resolved so that when the user logs in to application A, it delegates the authentication to application B and is able to authenticate using the same credential token? IIS for both applications is configured to use Windows authentication, and their app pools run as a domain or service account.

Thanks!

azure-ad-application-proxy

1 Answer

sikumars-msft answered

Hello @Sweha-0075,

Thanks for reaching out.

I could think of two different potential issues in this scenario: one is the "Invalid Token" error and the second one is the CORS issue.

The Invalid Token error might have been caused by incorrect Kerberos constrained delegation for Application Proxy; read this article on troubleshooting Kerberos constrained delegation.

For the CORS issue, the following article is worth checking out, as it covers common issues and their resolution: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-understand-cors-issues

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.


Thanks, definitely will look into those.

I wanted to get feedback on two more things below:
Does the service account that is configured to run the app pool for A and B in IIS on the two different servers need to be the same?
We have account A configured to run the app pool of A on server A and account B configured to run the app pool of B in IIS on server B.

On the Azure side, account A is tied to the SPN related to A's domains and account B is tied to the SPN related to B's domains only.
The app proxy connector is set to delegate to the SPNs of both.

Does that look okay, or do we need one account on the IIS side to run the app pool for both applications and tie the SPNs to just that one account on the Azure side?

Thanks!


That should not be an issue as long as both backend IIS servers are joined to the same on-premises AD domain in the forest, but make sure delegation is configured correctly to avoid any SSO issue; see this KCD white paper for more detail.

Kindly let us know if you have any additional queries. Thanks.

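The answer and the follow-up comment both point at the Kerberos constrained delegation setup: each app-pool account must own the SPN of the site it runs, and the connector's computer account must be allowed to delegate to both SPNs. The script below is an added example, not code from the thread or from Microsoft, that reads those settings back from Active Directory so they can be checked before chasing the 302 further. The connector name (CONNECTOR01), the service account names (svc-appA, svc-appB) and the backend host names are placeholders standing in for the values the poster did not share; it uses the ActiveDirectory PowerShell module and only reads, it changes nothing.

```powershell
# Added example, not from the thread: read back the KCD configuration that the
# answer and the follow-up comment discuss. All names below are placeholders.
Import-Module ActiveDirectory

$Connector   = 'CONNECTOR01'                 # placeholder: App Proxy connector host
$BackendSpns = @{                            # placeholder: app-pool account -> SPN it must own
    'svc-appA' = 'http/appA.corp.example'
    'svc-appB' = 'http/appB.corp.example'
}

# 1. Each app-pool account must own the HTTP SPN of the site its pool serves.
foreach ($acct in $BackendSpns.Keys) {
    $want = $BackendSpns[$acct]
    $user = Get-ADUser -Identity $acct -Properties servicePrincipalName
    if ($user.servicePrincipalName -contains $want) {
        "OK   $acct owns SPN $want"
    } else {
        "FAIL $acct does not own SPN $want (has: $($user.servicePrincipalName -join ', '))"
    }
}

# 2. The connector's computer account must be allowed to delegate to BOTH SPNs,
#    and must use protocol transition ("Use any authentication protocol"),
#    because the user never presents a Kerberos ticket to the connector itself.
$comp = Get-ADComputer -Identity $Connector -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
foreach ($spn in $BackendSpns.Values) {
    if ($comp.'msDS-AllowedToDelegateTo' -contains $spn) {
        "OK   $Connector may delegate to $spn"
    } else {
        "FAIL $Connector is not allowed to delegate to $spn"
    }
}
if (-not $comp.TrustedToAuthForDelegation) {
    "FAIL $Connector is not trusted for protocol transition (TrustedToAuthForDelegation is false)"
}

# 3. An SPN registered on more than one account breaks Kerberos for that service;
#    this is a common cause of an SSO that works from one account but not another.
foreach ($spn in $BackendSpns.Values) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) {
        "FAIL SPN $spn is registered on more than one object: $($owners.Name -join ', ')"
    }
}
```

Run it from a domain-joined machine with the RSAT AD module installed, as a user who can read the connector's computer object. If step 2 reports a FAIL for B's SPN while A's passes, the connector can obtain a ticket for A but not for B, which matches the symptom in the question: A loads, but A's server-side call to B's external URL falls back to an interactive redirect that the browser then reports as a CORS error.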