Where to find the Azure AD Auth Failure logs? - azure

I have problem authenticating with Azure AD occasionally. I get the error that shown at the bottom of the page.
I set the following
IdentityModelEventSource.ShowPII = true;
to see the logs to find out what configuration that I'm missing. Where can I see the logs?
I'm running the WebAPI locally on my machine and the URL is https://localhost:16135/weatherforecast. I get the token via POSTMAN which is succeeding but using that token to execute the WebAPI is failing with the error.
This is the error that I see:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
---> System.Net.Http.HttpRequestException: No such host is known.
---> System.Net.Sockets.SocketException (11001): No such host is known.

The error says "No such host in known"
If you are making a call to the WebAPI from outside your local machine. Then it will not find localhost.
Try using the name of your machine in the uri.

Related

Authorization failed when trying to log into AWS using SSO using internal Azure Platform

I am trying to use an AWS single sign on script from my company to log into aws using the internal Azure Platform. When trying to log into the platform using SSO, I receive the following error messages:
Logging in to Azure AD...
Please enter your username(email address): test#company.com
Please enter your password: ********
Login failed: Authorization failed, please activate company's VPN.
The logs of the sso script show me this information:
2022-07-11 11:57:42,042 auth_with_adfs 207 | DEBUG | loginMessage: Authorization failed
2022-07-11 11:57:42,042 log_in_to_aad 174 | ERROR Login failed: Authorization failed, please activate your company's VPN.
I have activated the VPN so that is not the issue.
By looking at the internals of the files that raise those errors I found out that during the failed login process the login page for the Microsoft Office 365 Identity Platform is returned.
The login webpage tells me that I receive the following error when logging in with my credentials:
Error details: MSIS7012: An error occurred while processing the request. Contact your administrator
My POST request seems to be redirected with a 302 code and GET the login page with a 200 OK response.
So I can tell that I get stuck during the login process and according to the error message it is an authorization issue. My credentials are correct so I am wondering what needs to be changed here to get correct access? Is there some permissions missing I should have a closer look at? Do I need to make changes in AzureAD somehow?
Thanks in advance for looking into this, I know the information is sparse but I hope it is enough.

New Azure AD Connect Cloud agent status inactive

Installed 2 different member servers with Azure AD Connect cloud agents both have an inactive status.
I confirmed;
Both installs complete successfully
Proxy settings are off
Since the Azure port test URL is no longer working I manually tested several of the URLs listed on https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud, they were working
Here is a snippet from the local/server logs;
AADConnectProvisioningAgent.exe Error: 0 : Service bootstrap request failed with exception: 'System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at https://[UUID].syncfabric.bootstrap.his.msappproxy.net/ConnectorBootstrap that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStreamAsyncResult.CompleteGetRequestStream(IAsyncResult result)
When it says "the remote server returned an error: 407 proxy authentication", is that MS end or our end?
After trying numerous updates to the machine.config file, as with most MS products there are 100 different options to "try" to get the proxy settings right. None worked even after restarting the service.
We eventually gave up on that and manually set the proxy itself to allow the Azrue AD agent computer/IP to skip/bypass authentication and it connected successfully.

TAI for MS Azure with Websphere Application Server v9 CWWSS8017E: Authentication Error

I'm trying to configure SAML between MS Azure AD and a WebSphere v9 CF11 server that's sitting in AWS. But it is not recognizing the TAI set up
I've followed all the steps here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_enable_saml_sp_sso.html and here https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_configuresamlssopartners.html
I've installed the SAMLSA app in WebSphere, imported the metadata file provided by my Azure admin, and imported the certificate as well. I've set up the ACSTrustAssociationInterceptor interceptor and put in (what I thought was) the right sso_1.sp.acsUrl and other settings for the server.
The SystemOut logs show that the ACSTrustAssociationInterceptor is loading:
SECJ0121I: Trust Association Init class com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor loaded successfully
but the version is null:
SECJ0122I: Trust Association Init Interceptor signature:
After setting it all up as above, when I go to the URL it just shows:
Error 403: AuthenticationFailed
And the log has errors about a missing cookie:
SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWWSS8017E: Authentication Error: Single-Sign-on cookie is not present or could not be verified. Please login to the SAML Identity Provider, and try again.
It's like it's never "intercepted" to be passed. Just fails. No network traffic goes to the AD server
When going to the URL it should redirect me to the MS Login and then back to the app, but it's not
It sounds like you might be missing an sso_1.sp.login.error.page property definition. Without that property, the expectation is that the user will be going to the IdP to initiate the sign on; if you define the property and set its value to your IdP's login page, then the 403 you're getting (as a result of being unauthenticated) will end up redirecting you over to the IdP to initiate the sign on process from there.
More info here in the "bookmark style" description: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/cwbs_samlssosummary.html

Can't create azure blob container on storage emulator

I'm unable to create a container while using Azure Storage Emulator from my c# .NET code.
I am using:
var container = serviceClient.GetContainerReference("media");
container.CreateIfNotExists();`
It return the error Error:
System.AggregateException: One or more errors occurred. ---> Microsoft.WindowsAzure.Storage.StorageException: The remote server returned an error: (403) Forbidden. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
Add the following line:
request.UseDefaultCredentials = true;
This will let the application use the credentials of the logged in user to access the site. If it's returning 403, clearly it's expecting authentication.
It's also possible that you (now?) have an authenticating proxy in between you and the remote site. In which case, try:
request.Proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;
You could set a connection string to the storage emulator in an app.config:
<appSettings>
<add key="StorageConnectionString" value="UseDevelopmentStorage=true" />
</appSettings>
If you want to connect to storage emulator using account name and key, you would need to provide additional details like different endpoints.
var connectionString = #"DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;
AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;
BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;
TableEndpoint=http://127.0.0.1:10002/devstoreaccount1;
QueueEndpoint=http://127.0.0.1:10001/devstoreaccount1;";
This value is identical to the shortcut shown above, UseDevelopmentStorage=true.

IDX10803 and IDX10804 error with Azure AD

I have created a Web API in ASP.NET Core 2 and it is secured with Azure AD. The requests work fine in my dev environment. However when I publish the API to IIS and pass in a Authorization header in request I am getting these error:
fail: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[3]
Exception occurred while processing message.
System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'https://login.microsoftonline.com/xxxx/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'https://login.microsoftonline.com/xxxx/.well-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: A connection with the server could not be established
What am I doing wrong? I can browse the url in browser successfully.
I figured it out. It was because of a proxy setting to access the internet. Since ASP.NET Core does not pick up proxy setting from system.net area of web.config, the ideal solution was to create a middle ware to act as proxy.
I was running short of time. So I created a new user and logged on server with that new user and configured the proxy settings in Internet Explorer options. Then I configured the App Pool in IIS to run under that user's identity. Problem solved!
The correct answer is to add a proxy to the metadata request that ADAL makes using BackchannelHttpHandler. You can do it like this:
public void Configure(string name, JwtBearerOptions options)
{
options.BackchannelHttpHandler = new HttpClientHandler
{
UseProxy = true,
Proxy = new WebProxy
{
Address = new Uri($"{appSettings.InternetProxyUrl}:{appSettings.InternetProxyPort}"),
UseDefaultCredentials = true
}
};
}

Resources