Channel: Azure Active Directory forum

Two way sync between Azure AD and On-premise AD

Is it possible to synchronize attributes like Display name, Mobile number, Department and password from Azure AD (cloud) to on-premise AD and vice versa?

Mandal Amit


Azure AD Authentication Library - AcquireTokenAsync() got SSL/TLS Error - remote certificate is invalid according to the validation procedure


Recently we have run into some problems with our Web App integration with Azure AD B2C using Graph API.

We believe the problem has something to do with the SSL/TLS certificate on one or more of the Azure AD Graph API endpoints (on https://login.microsoftonline.com).

The problem seems to have started in early July (which seems to align with the SSL3 obsolete timeline of June 30, 2018).

Beforehand, our code worked fine with integration with Azure AD B2C over Graph API using the Azure Active Directory Authentication Library (ADAL) .NET.

Now, it seems like there are some random issues with the ADAL authentication context's AcquireTokenAsync() call throwing the following exception:

2018-07-24T13:08:44  PID[6124] Information RemoteCertificateValidationCallback(F3B414056D8FB86D98FB6F282D8F451F0A87BA40, None)
2018-07-24T13:08:44  PID[6124] Error       AzureADRequest Error: System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.HttpClientWrapper.<GetResponseAsync>d__31.MoveNext()

The issue doesn’t happen all the time. It can be working fine for a while then it doesn’t work for maybe 15-30 min, then after restarting the web app there’s a chance that it’s back to normal for a while.

It seems like one (or more) of the authentication servers on login.microsoftonline.com has a bad SSL/TLS certificate.

According to the diagnostics trace, it seems like the failing certificate has the thumbprint F3B414056D8FB86D98FB6F282D8F451F0A87BA40.

When the integration is working, we get the following log:
2018-07-20T18:05:02  PID[6124] Information RemoteCertificateValidationCallback(D4444B60F628539C586F1AACE0AAA71F7AD8F726, None)

So it seems like that the Azure site can trust one certificate (D4444B60F628539C586F1AACE0AAA71F7AD8F726) from Azure AD but not the other (F3B414056D8FB86D98FB6F282D8F451F0A87BA40).

Furthermore, when we try to connect using our local dev environment, using either a console app test or unit test, we can get the token properly all the time. So we are not sure whether this is related to either Azure App Service or specific Data Center/Location, etc.

We also tried to override the ServerCertificateValidationCallback by attaching to ServicePointManager.ServerCertificateValidationCallback, but it's never being called. (seems like the ADAL library is doing its own thing.)

Any help would be appreciated!


Error installing AAD PowerShell module


I have a Windows 7 64bit workstation and I am trying to install AAD PowerShell module. 

I have a PowerShell window opened with elevated privileges and I ran the following command: Install-Module -Name AzureAD

I get the following errors. Help!

WARNING: Unable to download from URI 'https://oneget.org/nuget-2.8.5.208.package.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/nugetv2.feed.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/psl.feed.swidtag' to ''.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 
'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ...     $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
 
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name 'NuGet'. Try 'Get-PackageProvider -ListAvailable' to 
see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ...     $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
 
WARNING: Unable to download from URI 'https://oneget.org/nuget-2.8.5.208.package.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/nugetv2.feed.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/psl.feed.swidtag' to ''.
PackageManagement\Get-PackageProvider : Unable to find package provider 'NuGet'. It may not be imported yet. Try 'Get-PackageProvider -ListAvailable'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30
+ ... tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.Power...PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception
    + FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider
 
Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that '2.8.5.201' or newer version of NuGet provider is installed.
At line:1 char:1
+ Install-Module -Name AzureAD
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-Module], InvalidOperationException
    + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module

Health service connectivity


Just installed ADconnect and the Health service isn't working.  HTTP proxies are defined and we have connectivity - the PS command to test connectivity gets past that part.  It errors out during "Step 2 - blob data upload":

PS C:\Windows\system32> Test-AzureADConnectHealthConnectivity -Role Sync -ShowResult 
Test-AzureADConnectHealthConnectivity's execution in details are as follows:
Starting Test-AzureADConnectHealthConnectivity ...

Connectivity Test Step 1 of 3: Testing dependent service endpoints begins ...
AAD CDN connectivity is skipped.
Connecting to endpoint https://login.microsoftonline.com
Endpoint validation for https://login.microsoftonline.com is Successful.
Connecting to endpoint https://login.windows.net
Endpoint validation for https://login.windows.net is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/policymanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/policymanager.svc is Successful.
Connectivity Test Step 1 of 3 - Testing dependent service endpoints completed successfully.

Connectivity Test Step 2 of 3 - Blob data upload procedure begins ...
Unhandled exception occurred: System.Security.Cryptography.CryptographicException: The parameter is incorrect.

   at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.LoadIdentityInfo()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.ProcessRecord()

Anybody ever seen that before?

Differences to SCIM specification


I am trying to integrate SCIM support for Azure AD into an existing web application. At the moment I struggle with several points.

  • Azure AD is sending PATCH requests for simple attributes with a complex attribute as the value, e.g.
{"op": "Replace", "path": "userName", "value": [
        {"$ref": null, "value": "blubb2@mysignavio.onmicrosoft.com"}
      ]
}
     This is in contrast to the SCIM specification.
  • Azure AD is upper-casing operations in PATCH requests, e.g. "Add" instead of "add":
{"op": "Add", "path": "name.formatted", "value": [
        {"$ref": null, "value": "Blubb Blabb"}
      ]
}

  • The URLs for Users and Groups have to have "scim" as a prefix, e.g. https://examplewebapp.com/.../scim/Users. The specification does not mention a "scim" prefix. This can force additional adjustments for existing implementations that don't have such a prefix in the URL.
  • When Azure AD sends PATCH requests, the add operation sometimes contains filters in the path. This is not part of the SCIM specification and is not supported by many frameworks.
  • Azure AD is using the schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User. Is there a way to choose the core User schema of SCIM? Is it enough to support the core schema when only core attributes are mapped?
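The PATCH shapes listed in this post (upper-cased "op" names, scalar values wrapped as a one-element array of {"$ref": null, "value": ...}, and filters inside the "path") can be normalised at the edge of a SCIM endpoint before the request reaches a framework that only understands the plain specification form. The following Python is an added example written for this page; it is not code from the poster, from Azure AD, or from any SCIM library. The function names (unwrap_value, normalize_op, split_path, apply_patch), the sample user resource and the filtered-path operation on emails are all constructed for illustration; the two Replace/Add operations reuse the bodies quoted in the post. It assumes the wrapper Azure AD sends is always exactly the one-element {"$ref", "value"} shape and that filters take the simple form <attribute> eq "<string>"; anything else is rejected with an error rather than guessed at.

```python
import copy
import re

VALID_OPS = {"add", "remove", "replace"}

# attr[filter].sub   e.g. emails[type eq "work"].value   (sub-attribute is optional)
_FILTER_PATH = re.compile(
    r'^(?P<attr>[A-Za-z0-9_.:]+)\[(?P<filter>[^\]]+)\](?:\.(?P<sub>[A-Za-z0-9_]+))?$'
)
# Only the simple  <name> eq "<string>"  filter form is supported here (assumption)
_SIMPLE_FILTER = re.compile(r'^\s*(?P<name>\w+)\s+eq\s+"(?P<val>[^"]*)"\s*$')


def unwrap_value(value):
    """Azure AD wraps a scalar as [{"$ref": null, "value": x}] (assumed shape); return x, else value."""
    if isinstance(value, list) and len(value) == 1 and isinstance(value[0], dict):
        keys = set(value[0])
        if "value" in keys and keys <= {"$ref", "value"}:
            return value[0]["value"]
    return value


def normalize_op(op):
    """Lower-case 'op', unwrap 'value', and reject operations the spec does not define."""
    name = str(op.get("op", "")).lower()
    if name not in VALID_OPS:
        raise ValueError(f"unsupported SCIM op: {op.get('op')!r}")
    if name != "remove" and "value" not in op:
        raise ValueError(f"{name} operation requires a value")
    out = {"op": name}
    if "path" in op:
        out["path"] = op["path"]
    if "value" in op:
        out["value"] = unwrap_value(op["value"])
    return out


def split_path(path):
    """Split 'attr[filter].sub' into (attr, filter, sub); a plain path gives (path, None, None)."""
    m = _FILTER_PATH.match(path)
    if m:
        return m.group("attr"), m.group("filter"), m.group("sub")
    return path, None, None


def _set_dotted(res, dotted, value):
    node = res
    parts = dotted.split(".")
    for p in parts[:-1]:
        node = node.setdefault(p, {})
    node[parts[-1]] = value


def _del_dotted(res, dotted):
    node = res
    parts = dotted.split(".")
    for p in parts[:-1]:
        node = node.get(p)
        if not isinstance(node, dict):
            return
    node.pop(parts[-1], None)


def apply_patch(resource, patch):
    """Apply a PatchOp body (Azure AD shaped or spec shaped) to a SCIM resource; returns a new dict."""
    res = copy.deepcopy(resource)
    for raw in patch.get("Operations", []):
        op = normalize_op(raw)
        path = op.get("path", "")
        if not path:                        # no path: the value is an object to merge in
            if op["op"] == "remove" or not isinstance(op.get("value"), dict):
                raise ValueError("operation without path needs an object value")
            res.update(op["value"])
            continue
        attr, flt, sub = split_path(path)
        if flt is None:                     # plain (possibly dotted) path, e.g. name.formatted
            if op["op"] == "remove":
                _del_dotted(res, attr)
            else:
                _set_dotted(res, attr, op["value"])
            continue
        fm = _SIMPLE_FILTER.match(flt)      # filtered path on a multi-valued attribute
        if not fm:
            raise ValueError(f"unsupported filter expression: {flt!r}")
        elems = res.setdefault(attr, [])
        matches = [e for e in elems if isinstance(e, dict) and str(e.get(fm["name"])) == fm["val"]]
        if op["op"] == "remove":
            res[attr] = [e for e in elems if e not in matches]
            continue
        if not matches:
            if op["op"] != "add":
                raise KeyError(f"no element of {attr} matches {flt!r}")
            new = {fm["name"]: fm["val"]}   # add creates the element the filter describes
            elems.append(new)
            matches = [new]
        for e in matches:
            if sub:
                e[sub] = op["value"]
            elif isinstance(op["value"], dict):
                e.update(op["value"])
            else:
                raise ValueError("filtered path without sub-attribute needs an object value")
    return res


# Constructed sample resource; the first two operations are the bodies quoted in the post,
# the third is a constructed filtered-path add of the kind the post describes.
SAMPLE_USER = {
    "userName": "blubb@mysignavio.onmicrosoft.com",
    "name": {"givenName": "Blubb"},
    "emails": [{"type": "work", "value": "old@example.com", "primary": True}],
}
AZURE_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "Replace", "path": "userName",
         "value": [{"$ref": None, "value": "blubb2@mysignavio.onmicrosoft.com"}]},
        {"op": "Add", "path": "name.formatted",
         "value": [{"$ref": None, "value": "Blubb Blabb"}]},
        {"op": "Add", "path": 'emails[type eq "work"].value', "value": "blubb2@example.com"},
    ],
}


def demo():
    """Apply the constructed Azure AD style PATCH to the sample user and return the result."""
    return apply_patch(SAMPLE_USER, AZURE_PATCH)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Rejecting unknown operations and unsupported filter forms explicitly, rather than silently ignoring them, matters at a provisioning endpoint: a PATCH that is accepted but only half-applied leaves the user record out of step with the identity provider, which is harder to detect than a 400 response that shows up in the Azure AD provisioning logs.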

AD Authentication with Windows/Service App


Hi,

I am developing a .NET Windows Application and I am trying to integrate Active Directory using ADAL library. We don't want to use storage/container key. I ran into the following two issues. I registered the app as Native App in Azure Active Directory

1. I keep getting the error AADSTS65001: The user or administrator has not consented to use the application with ID 'a87d3d9f-cbdc-465d-aa8d-d506ebec064b' named 'Test1'.

 a. I am a global administrator for my AD. I granted the permission (global consent) for this app but that didn't help.

 b. I also manually consented; that also didn't help.

 c. Set the oauth2AllowImplicitFlow to true in the manifest for the test1 app.

Here  is the code

using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Build the tenant-specific authority URL from the endpoint template and tenant id
string authority = string.Format(CultureInfo.InvariantCulture, AuthEndpoint, TenantId);
var authContext = new AuthenticationContext(authority);
// Username/password credential for an explicit user
var userCredential = new UserPasswordCredential("user@domain.com", "password");
// Acquire an access token from Azure AD.
var result = authContext.AcquireTokenAsync(ResourceId, ClientId, userCredential).Result;


2. The above tries to connect with an explicit Windows username and password; our ultimate goal is to use the logged-in user, and I have been told (Google) it should be possible if I am using Active Directory, but I am getting the following error.

{"password_required_for_managed_user: Password is required for managed user"}

Here is the code.

using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Build the tenant-specific authority URL from the endpoint template and tenant id
string authority = string.Format(CultureInfo.InvariantCulture, AuthEndpoint, TenantId);
var authContext = new AuthenticationContext(authority);
// Integrated Windows Authentication: no password, use the currently logged-in user
var userCredential = new UserCredential();
// Acquire an access token from Azure AD.
var result = authContext.AcquireTokenAsync(ResourceId, ClientId, userCredential).Result;

Could you guys help us to resolve?

"Selected user does not exist in tenant" - is there a way to handle this in-app?


We have customers trying to log in (via Azure B2B) to our app, but when they haven't been invited yet they get an error message when choosing an account to log in as:

"Selected user account does not exist in tenant 'OUR AZURE B2B' and cannot access the application 'APPLICATION GUID' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

The problem with this message is an end user has no idea what 'OUR AZURE B2B' is or what the application guid means. Is it possible to create a more user friendly message? Even if we were able to just replace the application guid with the application name it would be helpful.

How to implement Azure Active Directory Authentication to Unity Android Application

I need AAD Authentication to be implemented in my Unity - Vuforia AR project; https://github.com/Unity3dAzure/AppServicesDemo uses FB and Azure to authenticate. I just need AAD to authenticate my application and use the existing DB to log in. Any help would be appreciated.

How-to set the user identifier claim depending on the UserType (Guest / Member) in Enterprise applications?

I registered a custom enterprise application to issue SAML 1.1 tokens as described in this article.
I set the user identifier to "user.UserPrincipalName" and it's working fine.

But in another scenario, I have an app registration with ADFS, and upon authentication, Azure AD issues a SAML 2 token (to ADFS) with the user identifier set like this (non-configurable by the administrator):
- if UserType is "Member": claim type "name" is set with the property UserPrincipalName
- if UserType is "Guest" : claim type "name" is set with the property Mail

Here are my questions:
- For consistency, I need to make a similar configuration on the user identifier in the custom enterprise application: how can I configure Azure AD to set the user identifier value to the property UserPrincipalName for "Member" and Mail for "Guest"?
- Overall, what is the best practice to handle user identifier of Guest users? It feels very inconsistent to use a different property depending on the UserType (which is what Azure AD does with my ADFS app registration and that I cannot change).

Need help to configure own domain name in AAD


Hello all.

I'm trying AAD and want to add my domain name. I entered my domain and added DNS records. But Azure can't verify my domain name.

I added the domain name and Azure can't find it.

I replaced the original domain registrar's DNS service with an Azure DNS Zone and added the records.

I checked the DNS records with dig and found the needed records.

But I get an error when verifying the domain name in AAD.

Level of Subscription - Free trial.


Azure AD Domain Services Enable Secure LDAP ResourceDeploymentFailure


Hi there,

We have Azure Active Directory & Azure AD Domain Services configured. Everything works great. 

Back in May I enabled secure ldap for testing purposes without issues!

Now I am attempting to enable secure ldap again with the same certificate and I receive a "Write Domain Service Failed" message in the Activity log.

Json error:

"properties": {
"statusCode": "Conflict",
"statusMessage": "{\"status\":\"Failed\",\"error\":{\"code\":\"ResourceDeploymentFailure\",\"message\":\"The resource operation completed with terminal provisioning state 'Failed'.\",\"details\":[{\"code\":\"InternalError\",\"message\":\"An unexpected error occurred\"}]}}",
"serviceRequestId": "4e5ae0f3-078d-40fe-b841-53b0cc9f0816"
},
"relatedEvents": []

And YES, I have followed every guide, troubleshooting guide, etc. All NSG rules are set up as described in the guides. The certificate is self-signed.

As mentioned, this certificate worked back in May and no, it has not expired. I also tried with a new certificate created the same way.

Because no detailed error is shown I have no chance to find out what is wrong.

Please help asap. 

We have an Apache web application that needs a direct LDAP connection over the internet.


Automation

AZURE migration questions and concerns


My boss has told me to migrate our internal domain to AZURE and would like me to set up 2 Domain Controllers as VMs within the Azure cloud.

I tried to argue the idea of:   On Prem Domain controllers AND Azure.   He has rejected that notion and 'wants' the DC's in AZURE as VM's.

We are ALSO updating all workstations to Windows 10.  

Exchange has been retired and we've since migrated to Gmail and Google Docs, and our legacy software is being retired and replaced with "SAS" in around 1 month.

Am I just crazy thinking here..  or could we 'essentially' just use AZURE AD and allow Win 10 clients to authenticate through that?

The only servers that are going to be on prem any longer (by present demands) are a simple file share and a print server.

In AZURE, the plan is a SQL server, and SCCM.  Other than that, most of our other services are cloud based.

Does anyone have experience with Windows 10 and Azure authentication?  Is that a viable strategy for a small business of 100 users?

Opinions and experiences welcomed.

Login to Wufoo using Azure AD SSO


Hi,

I am trying to use the Wufoo plugin in AD to log into Wufoo using my organization's credentials. After adding the Wufoo app to the Enterprise applications the option for SAML based sign in is missing in the SSO configuration but I am able to see password based sign on and linked sign on. Does this plug-in not offer that option? Or is there another way I can integrate Wufoo with my organization's AD and log-in using organization credentials?

Thanks and any help would be appreciated.

Redirect to https


Hi!

I have a microservice with AAD authentication. My service is located on AKS. I have moved it to ASP.NET Core 2.1 and am now using

app.UseHsts();
and
app.UseHttpsRedirection();

Currently when I log in I can see "redirect_uri=http%3A%2F%2Fmycustomname-ingress.westeurope.cloudapp.azure.com"

And I am a little bit stuck on changing this http to https.

Connect Azure AD with customer's ADFS


Hi all,

we have this project and I was wondering how to do the setup:


1. we have an application (actually, a Remote Desktop Gateway that allows users to have RDP access to different servers, entire infrastructure in Azure)

2. the users allowed to access RDGateway are stored in Active Directory "on-premises" (an AD DS installed on an Azure VM)

3. we have synced (with Azure AD Connect) this AD with Azure AD

4. our customers (that access the services through RDGateway) are asking for SSO (basically, they want to use the users in their domains to have access to the services we offer)


The question is: how do we connect our Azure AD with our customer's ADFS in order to obtain SSO?


Thank you,

Sorin


This tenant does not allow email verified users to be added due to an admin-defined policy


Hi,

I've added some external users to my Azure AD - users from another organisation.

When they click on the invitation link, they all receive an error message - 

"This tenant does not allow email verified users to be added due to an admin-defined policy."

Any idea how I can fix this?

Thanks

Azure MFA with onpremise RDS


Hi, I have an issue getting MFA working with our on-premise RDS environment (Server 2016).

I have installed:

Azure MFA server
Azure AD Connect
Configured MFA provider with authentication-based billing
NPS extension is installed on the domain controller
Enabled MFA auth on the AD object

Now when I log in to RDS, the login fails, and I receive an OTP SMS code for 2FA.

This error is generated on the server where the NPS extension is installed:

###########################################

Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
Security ID: mydomain\test1
Account Name: mydomain\test1
Account Domain: mydomain
Fully Qualified Account Name: mydomain.com/Companies/test1
 
Client Machine:
Security ID: NULL SID
Account Name: PC1
Fully Qualified Account Name: -
Called Station Identifier: UserAuthType:PW
Calling Station Identifier: -
 
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -
 
RADIUS Client:
Client Friendly Name: RDSGateway
Client IP Address: 192.168.100.12
 
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: RDG_CAP
Authentication Provider: Windows
Authentication Server: LAB-DC1.mydomain.com
Authentication Type: Extension
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 21
Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

#################################################### 

MS Azure AD Connect - fails to validate credentials


Hi 

I am setting up a new 2016 server and attempting to use Azure AD Connect to simplify the sign-in process for users. When following the wizard I was strongly recommended to use the CUSTOM option because I don't have a routable domain.

I can successfully log into the web portal with the same credentials but get the message Unable to Validate Credentials. An unexpected error has occurred.

I am not currently using a proxy so haven't altered machine.config but it did test correctly when I attempted to verify the proxy using PowerShell as described.

Any suggestions?

Thanks in advance

Anyone know how to customize the email notifications from PIM?


https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications#email-subject-line

We have a customer who wants to customize the content of the emails.  Thoughts?

Azure AD Connect Health Sync Monitor High CPU Usage

Hello. I have Azure AD Connect installed on my server to sync our on-premise domain with Office 365 and I'm noticing the Azure AD Connect Health Sync Monitoring Service is always running at high CPU usage. The actual process is Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe. Is there a reason for this or a way to fix it? Right now, I'm just stopping the Azure AD Connect Health Sync Monitoring Service (AzureADConnectHealthSyncMonitor) and my resources go back to normal. I'm running Azure AD Connect 1.1.819.0 so it is the latest version. If I restart the service, things are normal for a few minutes before this process spikes again. Any help would be appreciated. Thanks!