5 Votes
FC-0664 asked AzadDesai-2009 answered

Can't verify publisher domain for web app

Asking on behalf of the user dataportabiltiy who originally posted on: https://social.msdn.microsoft.com/Forums/en-US/ef2e2ed8-1377-448e-97f8-c5156526ec38/cant-verify-publisher-domain-for-web-app?forum=AzureStack

On our web app, under Publisher Domain for the Branding it says unverified. The instructions to configure the domain say

To verify a publisher domain for {0}
Create a file named microsoft-identity-association.json and paste in the following content. Or, use the link provided to download the content.

{
  "associatedApplications": [
    {
      "applicationId": ""
    }
  ]
}

Download

Host the file at:
https://EXAMPLE.COM/.well-known/microsoft-identity-association.json
Click 'Verify and save domain' below.


When we visit the url, our application id is there, but when we click "Verify and save domain" we get this error:

"Verification of publisher domain failed. Error getting JSON file from https:///.well-known/microsoft-identity-association. The server returned an unexpected content type header value. [gS599]"

The host link returns the right results, but it looks like it's returning HTML instead of the raw JSON? Inspecting via a browser shows that the content type response header is: content-type: application/json; charset=utf-8. According to a support page that I'm unable to link, it looks like it needs to be just application/json. Unfortunately, we use an open source library and the only MediaType available is the one we set. It would be non-trivial to update this.

Is there any way to get a manual verification?

azure-stack-hub

This issue seems to have been going on for months now. I have the exact same problem; I keep trying every so often but I get the same results.

I can access the file using the address, but it seems verification just won't happen.

Verification of publisher domain failed. Unable to connect to https://www.___/.well-known/microsoft-identity-association. [MNkyl]

0 Votes 0 ·
0 Votes
ryanchill answered

@FOC-0664, it may seem non-trivial but try removing charset=utf-8 from the response header. This appears to have corrected a similar issue folks were having over at https://github.com/MicrosoftDocs/azure-docs/issues/35934.

If that doesn't help, let me know.

6 Votes
RaydiantOperations-8984 answered KaushikThommandra-2981 commented

It turns out that it is impossible to remove the charset=utf-8 from the content-type header sent by WordPress or GitHub, or any other HTTP spec compliant webserver, for that matter. Since Microsoft is not HTTP compliant, their own webserver can do this (by breaking the HTTP 1.1 spec).

In effect: ALL servers return "application/json; charset=utf-8", and not "application/json", because UTF-8 has been the standard for over sixteen years. And: on WordPress and GitHub you cannot override this header.

So: it is technically impossible to verify apps if your company happens to run a normal website. 80% of the Internet, which runs on WordPress and GitHub, cannot verify an Azure application.

Please, please, please modify the App Registration | Branding | Publisher Domain verification to either (a) accept the specification standard header for JSON, which is and always will be "application/json; charset=utf-8", or (b) allow us to use a DNS CNAME or TXT record validation, like all other verification systems on the Internet (such as Google, AWS, or Oracle).

Thank you,

David Phipps
VP of Engineering
Raydiant, Inc.


We are also experiencing this issue. We can't verify because there's no way of altering the content-type.

MS needs to either make the verification process more lenient for something so trivial as serving a JSON file or accept CNAME / TXT record validation.

1 Vote 1 ·

Hi @RaydiantOperations-8984, @KaushikThommandra-2981,

I'll investigate further and get back with you both.

1 Vote 1 ·

Just as a follow-up to this - we managed to hack our IIS server to serve the required content-type, only to receive the following error:

Verification of publisher domain failed. The JSON file located at ispionage.com/.well-known/microsoft-identity-association.json has a content length that is not set or otherwise invalid. [iZvCd]


Is there any reason why the verification has to be so strict? The file is literally the same one that is downloaded from the Azure branding verification page so why all the extra steps?

Surely it should be:
1. Does it exist?
2. Does it parse as valid JSON?
3. Does it contain the application ID?




2 Votes 2 ·
1 Vote
DylanStrang answered

I found the solution for this.

You have to add a custom domain and verify it with TXT or MX:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

6 Votes
GuillaumeDarbonne-8515 answered

Please, please, please modify the App Registration | Branding | Publisher Domain verification to either (a) accept the specification standard header for JSON, which is and always will be "application/json; charset=utf-8", or (b) allow us to use a DNS CNAME or TXT record validation, like all other verification systems on the Internet (such as Google, AWS, or Oracle).


1 Vote
CronozFounders-6301 answered

I have been waiting for a while now to be able to verify my domain. It is literally impossible to remove charset=utf-8. Do they just not care about the fact that people cannot verify their domains? It can't be that hard of a fix. The portal is probably expecting an exact string, instead of just checking to see if it contains application/json. This is really frustrating. Not sure how the PR made it through code review. It's impacting users who have literally been complaining since January. It's almost been a year.

0 Votes
Greenflash-0887 answered

Is there any other way to verify our publisher domain?

Webflow says "The /.well-known folder slug, is reserved for hidden files that are stored in this folder to be used for site metadata. It is not possible to name a folder or page this URL in Webflow."

IONOS said talk to Webflow.

Webflow said talk to Microsoft.

Stuck in this crazy loop where neither Microsoft, IONOS, Nylas or Webflow can help. Our whole app is getting held up. Insane.

0 Votes
ibokat answered

In my case I discovered the problem was related to a redirect of the base URL, e.g.: mydomain.com --> www.mydomain.com

Removing the redirect solved the issue.
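
A pre-flight check for the three failures reported in this thread (the `charset` parameter, a missing or wrong Content-Length, and a redirect), added here as an example; it is not part of any post and not Microsoft's tooling. The strict comparisons mirror the error messages quoted above, the verifier's actual rules are an assumption, and the application ID is a constructed placeholder.

```python
import http.client
import json

PATH = "/.well-known/microsoft-identity-association.json"

def fetch(host):
    """GET the file over HTTPS; http.client never follows redirects."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", PATH)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()

def check_response(status, headers, body, app_id):
    """Return (code, detail) pairs for each condition the thread saw rejected."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:  # apex -> www redirect broke verification
        return [("redirect", h.get("location", ""))]
    if status != 200:
        return [("status", str(status))]
    problems = []
    ctype = h.get("content-type", "")
    # Assumption: exact match required, since "; charset=utf-8" was rejected.
    if ctype.strip().lower() != "application/json":
        problems.append(("content-type", ctype))
    clen = h.get("content-length", "")
    # "content length that is not set or otherwise invalid"
    if not clen.isdigit() or int(clen) != len(body):
        problems.append(("content-length", clen))
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + [("json", "body does not parse")]
    apps = doc.get("associatedApplications") if isinstance(doc, dict) else None
    if not isinstance(apps, list):
        apps = []
    ids = [a.get("applicationId") for a in apps if isinstance(a, dict)]
    if app_id not in ids:
        problems.append(("application-id", "not listed"))
    return problems

# Constructed sample data (placeholder application ID, not from the thread).
APP_ID = "00000000-0000-0000-0000-000000000000"
BODY = json.dumps({"associatedApplications": [{"applicationId": APP_ID}]}).encode()
GOOD = {"Content-Type": "application/json", "Content-Length": str(len(BODY))}
CHARSET = dict(GOOD, **{"Content-Type": "application/json; charset=utf-8"})
```

Against a live site, `check_response(*fetch("example.com"), app_id)` runs the same checks on the bare domain, so an apex-to-www redirect shows up before the portal reports it.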

0 Votes
KaranPargaien-5894 answered

This document will help you guys solve the problem.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

0 Votes
AzadDesai-2009 answered

Hi All,

To fix this issue, kindly go through the steps below.

  1. Verify your custom domain in the AAD directory (making it primary is optional).

  2. Follow the branding steps in your AAD app.

  3. Update the file and verify the domain.

Hope this works.

Thanks
Azad Desai


