I have some weird error when trying to set up AD authentication in an old legacy WebForms app. I have upgraded the solution to use .NET Framework 4.8 and installed the nuget packages.
As a last resort I tried creating a new .NET Framework 4.8 WebForms app in VS 2022 and set it up to use AAD authentication. Now this works flawlessly on my local dev machine (I pointed the response URL to be https://localhost:7308 the port assigned).
However if I put the site up on my live server (Windows Server 2019 running IIS) and repoint the response URL for the AAD to point to that one all I get is this error:
```
Exception type: OpenIdConnectProtocolInvalidNonceException
Exception message: IDX21323: RequireNonce is ‘[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]’.
OpenIdConnectProtocolValidationContext.Nonce was null,
```
This is the code I have right now (I’ve tried changing the cookie settings)
```csharp
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieManager = new SystemWebCookieManager(),
    CookieSameSite = Microsoft.Owin.SameSiteMode.Lax,
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Never   // session cookie is also issued over plain HTTP
});
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RequireHttpsMetadata = false,
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            AuthenticationFailed = (context) =>
            {
                return System.Threading.Tasks.Task.FromResult(0);
            },
            SecurityTokenValidated = (context) =>
            {
                // copy preferred_username into the standard Name claim
                string name = context.AuthenticationTicket.Identity.FindFirst("preferred_username").Value;
                context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Name, name, string.Empty));
                return System.Threading.Tasks.Task.FromResult(0);
            }
        }
    });
```
I have also tried setting the AuthenticationFailed to
```csharp
AuthenticationFailed = (context) =>
{
    if (context.Exception.Message.Contains("IDX21323"))
    {
        // swallow the nonce error and start a new challenge
        context.HandleResponse();
        context.OwinContext.Authentication.Challenge();
    }
    return Task.FromResult(true);
},
```
But that only sends me into a loop where I get the AAD login screen over and over again.
I have one suspicion. The setup we have in our live environment is a HAProxy that takes care of routing traffic to the various web servers we have. That one also handles SSL, so all traffic that hits my actual IIS server comes in as plain HTTP traffic. But I have no idea if
- AAD Authentication can work in a setup like that or
- I need to have an actual SSL cert set up on the IIS machine in order to handle this
I’ve tried googling my eyes out for this but so far it’s been to no avail, so then I leave it in the warm hands of the SO community.
Anyone have any ideas regarding this?
2 Answers
The final solution for anyone else stumbling upon this issue was this one: https://learn.microsoft.com/en-us/aspnet/samesite/owin-samesite
Harshita's response is also relevant but might not solve the issue completely.
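As an added example (not code from the question or either answer), here is a Startup that restores the HTTPS scheme stripped by a TLS-terminating proxy and issues the OpenID Connect nonce cookie as SameSite=None; Secure so it survives the cross-site POST back from AAD, following the approach of the linked OWIN SameSite guidance. It trusts X-Forwarded-Proto only when the request comes from the proxy's own address, so a client reaching IIS directly cannot forge a secure scheme. The proxy address, client id, authority and redirect URI are placeholders, and it assumes Microsoft.Owin 4.1 or later (CookieOptions.SameSite and OpenIdConnectAuthenticationOptions.CookieManager).

```csharp
using System;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
// Marks cookies SameSite=None; Secure, but only on requests seen as HTTPS: browsers drop None without Secure.
public class SameSiteNoneCookieManager : ICookieManager
{
    private readonly ICookieManager _inner;
    public SameSiteNoneCookieManager(ICookieManager inner) { _inner = inner; }
    public string GetRequestCookie(IOwinContext c, string key) => _inner.GetRequestCookie(c, key);
    public void DeleteCookie(IOwinContext c, string key, CookieOptions o) => _inner.DeleteCookie(c, key, o);
    public void AppendResponseCookie(IOwinContext c, string key, string value, CookieOptions o)
    {
        if (c.Request.IsSecure) { o.SameSite = SameSiteMode.None; o.Secure = true; }
        _inner.AppendResponseCookie(c, key, value, o);
    }
}
public partial class Startup
{
    private const string TrustedProxyAddress = "10.0.0.5"; // placeholder: address HAProxy connects from
    public void ConfigureAuth(IAppBuilder app)
    {
        // Restore the external scheme the proxy stripped, only when the header arrives from the proxy itself.
        app.Use(async (context, next) =>
        {
            string proto = context.Request.Headers["X-Forwarded-Proto"];
            if (context.Request.RemoteIpAddress == TrustedProxyAddress && string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase))
                context.Request.Scheme = "https";
            await next();
        });
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieManager = new SystemWebCookieManager(),
            CookieSameSite = SameSiteMode.Lax,   // session cookie only needs top-level navigations
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id>",                   // placeholder
            Authority = "<authority>",                  // placeholder
            RedirectUri = "https://app.example.com/",   // placeholder; must equal the registered reply URL
            // AAD posts the id_token back cross-site, so the nonce cookie needs SameSite=None; Secure.
            CookieManager = new SameSiteNoneCookieManager(new SystemWebCookieManager())
        });
    }
}
```

If the proxy cannot be pinned to one address, apply the same trust decision at the network layer (firewall IIS so only the proxy can reach it) rather than accepting the header from anyone.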
I am able to authenticate the Web Forms .NET 4.8 app and able to log in without any issues. Make sure you have added the Redirect URI for the deployed App.
My StartupAuth.cs:
The difference I found in my code is that CookieAuthenticationOptions (CookieManager, CookieSameSite, CookieHttpOnly, CookieSecure) are not set.
AppSettings in web.config:
Local Output:
Deployed Azure App Service Output:
Refer to this document by GlobalSign to install an SSL Certificate on IIS.