2-740: Cloud Authentication Troubleshooting and Recipes for Developers

Learn how to recognize and understand errors related to authentication problems in the cloud. This presentation wraps the most common issues developers typically might face when trying to wire their applications for authentication against Azure Active Directory and shows the paths to understand, diagnose and fix them. We will cover some basic concepts and recipes for enabling different scenarios to work with our cloud identity platform and discuss how to diagnose/fix problems when your application isn’t behaving as expected.

Created 2 years ago

Duration 1:06:23
lesson view count 334
Slide Content
  1. Mat Velloso

    Slide 1 - Mat Velloso

    • Senior SDE
    • Cloud authentication troubleshooting and recipes for developers
    • @matvelloso
    • Cloud Identity: Troubleshooting and recipes for devs
    • 2-740
  2. Basic concepts

    Slide 2 - Basic concepts

    • Level 1 FAQs – “Where am I?”
    • Level 2 FAQs – “How do I...”
    • Level 3 FAQs – Troubleshooting
    • Level 4 FAQs – Advanced troubleshooting
    • Agenda
  3. A brief history of how we authenticate users…

    Slide 3 - A brief history of how we authenticate users…

  4. string username = textbox1.Text;

    Slide 6 - string username = textbox1.Text;

    • string password = textbox2.Text;
  5. string username = textbox1.Text;

    Slide 7 - string username = textbox1.Text;

    • string password = textbox2.Text;
  6. You never send your password via email. So you should never type your password in some custom application’s textbox for the same reason.

    Slide 12 - You never send your password via email. So you should never type your password in some custom application’s textbox for the same reason.

  7. Most of what happens behind the scenes is a series of HTTP calls/redirects. It is that simple, honestly

    Slide 13 - Most of what happens behind the scenes is a series of HTTP calls/redirects. It is that simple, honestly

    • Most likely what is broken is a missing/wrong parameter in these HTTP requests
    • There are very few parameters you really need to understand/verify
    • Fiddler and Browser dev tools are your best friends
    • Careful when sending your Fiddler logs! (your password might be there too!)
    • Key things to keep in mind when troubleshooting
  8. Let’s troubleshoot/figure out some auth

    Slide 14 - Let’s troubleshoot/figure out some auth

  9. Level 1 – Where am I? Go!

    Slide 15 - Level 1 – Where am I? Go!

  10. Where do I find good sample code for applications that work with Azure AD?

    Slide 16 - Where do I find good sample code for applications that work with Azure AD?

  11. Where do I find good sample code for applications that work with Azure AD? https://github.com/azureadsamples

    Slide 17 - Where do I find good sample code for applications that work with Azure AD? https://github.com/azureadsamples

  12. How do I link my Office 365 directory to Azure AD?

    Slide 18 - How do I link my Office 365 directory to Azure AD?

  13. 1-Log on to the portal with a Microsoft Account. 2-Go to Azure AD, click add new directory

    Slide 19 - 1-Log on to the portal with a Microsoft Account. 2-Go to Azure AD, click add new directory

  14. 3-Select use existing directory

    Slide 20 - 3-Select use existing directory

  15. 4-You will be prompted to log off and then back on with that directory’s admin account. Done!

    Slide 21 - 4-You will be prompted to log off and then back on with that directory’s admin account. Done!

  16. Level 2 – How do I…? Go!

    Slide 22 - Level 2 – How do I…? Go!

  17. Need to build a background task that can access all calendars in my organization’s Exchange Online

    Slide 23 - Need to build a background task that can access all calendars in my organization’s Exchange Online

  18. Application is given special privileges to access a collection of resources in Exchange online within a given organization

    Slide 24 - Application is given special privileges to access a collection of resources in Exchange online within a given organization

    • http://aka.ms/exchangeclientcredential
  19. Which library should I use to authenticate XYZ with Azure AD?

    Slide 25 - Which library should I use to authenticate XYZ with Azure AD?

  20. ADAL (Active Directory Authentication Library): For clients (iOS, Android, Windows, JavaScript) authenticating and acquiring tokens

    Slide 26 - ADAL (Active Directory Authentication Library): For clients (iOS, Android, Windows, JavaScript) authenticating and acquiring tokens

    • OWIN: For ASP .NET services/web applications authenticating and validating tokens
    • And for everything beyond:
    • Look for libraries that support our standard protocols in whatever platform you’re on: http://aka.ms/aadauthprotocols
    • And again, look at the code samples: https://github.com/azureadsamples
  21. Need to write an automated test in a Console app. How do I authenticate without a UI?

    Slide 27 - Need to write an automated test in a Console app. How do I authenticate without a UI?

  22. “Headless auth”:

    Slide 28 - “Headless auth”:

    • var credential = new UserCredential("username","password");
    • result = context.AcquireToken("resource","client ID", credential);
    • Sample:
    • https://github.com/AzureADSamples/NativeClient-Headless-DotNet
    • Note: Do NOT use this for authenticating users with a custom UI using textboxes! Remember what we discussed earlier.
  23. Level 3 - Troubleshooting Go!

    Slide 29 - Level 3 - Troubleshooting Go!

  24. Scenario 1: AADSTS50011

    Slide 30 - Scenario 1: AADSTS50011

  25. Scenario 1: AADSTS50011

    Slide 31 - Scenario 1: AADSTS50011

    • Reason: You are asking for reply URL = http://XYZ but your reply URL configuration doesn’t have that:
  26. Scenario 2: 404 after login

    Slide 32 - Scenario 2: 404 after login

  27. Scenario 2: 404 after login

    Slide 33 - Scenario 2: 404 after login

    • Reason: Logon is working, but you asked to redirect to a non-existent page:
  28. Scenario 3: 50011 on a native app

    Slide 34 - Scenario 3: 50011 on a native app

  29. Scenario 3: 50011 on a native app

    Slide 35 - Scenario 3: 50011 on a native app

    • Reason: You created a web app instead of a native app:
  30. Scenario 4: 50001 on acquiring access token

    Slide 36 - Scenario 4: 50001 on acquiring access token

  31. Scenario 4: 50001 on acquiring access token

    Slide 37 - Scenario 4: 50001 on acquiring access token

    • Reason: You tried to acquire a token for something that doesn’t exist in your tenant
    • This tenant is not associated with SharePoint online.
  32. Scenario 5: 65005 on acquiring access token

    Slide 38 - Scenario 5: 65005 on acquiring access token

  33. Scenario 5: 65005 on acquiring access token

    Slide 39 - Scenario 5: 65005 on acquiring access token

    • Reason: You tried to acquire a token for a resource your app isn’t configured to access
  34. Scenario 6: ADSTS50001 a Resource identifier is not provided.

    Slide 40 - Scenario 6: ADSTS50001 a Resource identifier is not provided.

  35. Reason: You sent a request for an access token with a blank resource ID

    Slide 41 - Reason: You sent a request for an access token with a blank resource ID

    • Scenario 6: ADSTS50001 a Resource identifier is not provided.
    • Most likely cause: You missed a configuration in your Azure website (didn’t carry it from your web.config)
  36. Scenario 7: Can’t recognize username/password

    Slide 42 - Scenario 7: Can’t recognize username/password

  37. Scenario 7: Can’t recognize username/password

    Slide 43 - Scenario 7: Can’t recognize username/password

    • Reason: Your app is in Tenant A, but your user is in Tenant B
    • (Diagram: App in Dir1, User in Dir2)
  38. Scenario 8: 70001 during logon

    Slide 44 - Scenario 8: 70001 during logon

  39. Scenario 8: 70001 during logon

    Slide 45 - Scenario 8: 70001 during logon

    • Reason: The client ID doesn’t exist in that tenant
    • (Diagram: App not found in Dir1)
    • Likely causes: Client ID or Tenant ID are wrong
  40. Slide 46

    • Level 4 – Uh!?? Go!
  41. Scenario 9: IDX10311 – IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'

    Slide 47 - Scenario 9: IDX10311 – IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'

  42. Reason:

    Slide 48 - Reason:

    • IDX10311 happens when we don’t receive an expected cookie from the browser.
    • Likely cause: Your reply URL is sending the browser to somewhere different than where you started.
    • Before login:
    • After login:
    • Scenario 9: IDX10311
  43. Scenario 10: AADSTS70005 – AADSTS70005 response_type ‘token’ is not supported for the application

    Slide 49 - Scenario 10: AADSTS70005 – AADSTS70005 response_type ‘token’ is not supported for the application

  44. Scenario 10: AADSTS70005

    Slide 50 - Scenario 10: AADSTS70005

    • Reason: Need to allow OAuth implicit flow in the app manifest:
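As an added example (not from the session or the Azure AD samples), the following Python checks a request URL captured with Fiddler or the browser dev tools against the app registration and reports which of the errors walked through above (Scenarios 1, 3 to 6, 8, 9 and 10) it would most likely produce. The registration dictionary, its field names and the tenant's resource list are constructed stand-ins for what you read in the portal, not a real schema.

```python
from urllib.parse import urlparse, parse_qs

# Constructed app registration for "Tenant A"; placeholders, not a real tenant.
APP_REGISTRATION = {
    "client_id": "11111111-1111-1111-1111-111111111111",
    "reply_urls": {"https://localhost:44300/", "https://contoso.example/signin-oidc"},
    "oauth2_allow_implicit_flow": False,                   # the manifest switch from Slide 50
    "permitted_resources": {"https://graph.windows.net"},  # access the app is configured for (Slide 39)
}
# Resources that exist in this tenant at all (Slide 37: "not associated with SharePoint online")
TENANT_RESOURCES = {"https://graph.windows.net", "https://outlook.office365.com"}


def origin(url):
    """scheme://host[:port] of a URL, lower-cased, for the same-origin comparison."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def diagnose_request(url, started_at=None, app=APP_REGISTRATION, tenant_resources=TENANT_RESOURCES):
    """Map one captured authorize/token request URL to the likely AADSTS/IDX finding(s).

    started_at is the page origin where sign-in began; it drives the Scenario 9 check.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query, keep_blank_values=True).items()}
    findings = []
    if "client_id" in q and q["client_id"] != app["client_id"]:
        findings.append("AADSTS70001: client ID not found in this tenant (client ID or tenant ID is wrong)")
    redirect = q.get("redirect_uri")
    if redirect is not None and redirect not in app["reply_urls"]:
        findings.append(f"AADSTS50011: reply URL {redirect} is not in the app's configured reply URLs")
    if redirect is not None and started_at is not None and origin(redirect) != origin(started_at):
        findings.append("IDX10311: reply URL lands on a different origin than where sign-in started, "
                        "so the browser will not send the expected nonce cookie back")
    if "token" in q.get("response_type", "").split() and not app["oauth2_allow_implicit_flow"]:
        findings.append("AADSTS70005: response_type 'token' requires oauth2AllowImplicitFlow in the manifest")
    if "resource" in q:
        resource = q["resource"]
        if resource == "":
            findings.append("AADSTS50001: resource identifier not provided (setting missing from the Azure website config?)")
        elif resource not in tenant_resources:
            findings.append(f"AADSTS50001: resource {resource} does not exist in this tenant")
        elif resource not in app["permitted_resources"]:
            findings.append(f"AADSTS65005: app is not configured to access {resource}")
    return findings
```

Paste the URL exactly as the tool shows it; parse_qs undoes the percent-encoding, so the comparison happens on the decoded reply URL and resource values.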
  45. Scenario 11: The mysterious failed preflight request

    Slide 51 - Scenario 11: The mysterious failed preflight request

  46. Scenario 11: The mysterious failed preflight request

    Slide 52 - Scenario 11: The mysterious failed preflight request

    • Reason: Remove the Easy Auth configuration. It is not intended for CORS/Web API scenarios
  47. Scenario 12: The mysterious case of auto logoff

    Slide 53 - Scenario 12: The mysterious case of auto logoff

    • The application sends the user to a logout right after the logon
  48. Scenario 12: The mysterious case of auto logoff

    Slide 54 - Scenario 12: The mysterious case of auto logoff

    • Reason: Wrong application logic – tying the login success event to a logout command
  49. Scenario 13: The mysterious case of rejected audience

    Slide 55 - Scenario 13: The mysterious case of rejected audience

    • All settings are right, but the app still gets a 401
  50. Scenario 13: The mysterious case of rejected audience

    Slide 56 - Scenario 13: The mysterious case of rejected audience

    • Reason: Code was changed to use client ID as audience
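As an added example (not from the session), a small Python helper that decodes a captured token's claims, deliberately without verifying the signature, so a rejected-audience 401 can be traced to the aud claim the Web API is validating. The App ID URI and client ID are constructed placeholders, and the token builder exists only to produce offline samples.

```python
import base64
import json
import time

# Constructed values: the App ID URI the Web API's OWIN middleware validates, and the client ID.
API_APP_ID_URI = "https://contoso.example/api"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Return the payload claims of a compact JWT. The signature is NOT checked: diagnostics only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def explain_401(jwt, expected_audience=API_APP_ID_URI, client_id=CLIENT_ID, now=None):
    """List the reasons a Web API validating expected_audience would reject this token."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud != expected_audience:
        msg = f"audience mismatch: token aud={aud!r}, API validates {expected_audience!r}"
        if client_id in (aud, expected_audience):
            msg += " (Scenario 13: one side uses the client ID as audience, the other the App ID URI)"
        problems.append(msg)
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    return problems


def constructed_token(claims):
    """Build a sample JWT for offline tests; the signature segment is a dummy and is never verified."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{enc('not-a-real-signature')}"
```

Use explain_401 on the Authorization header value your client actually sent (captured in Fiddler or dev tools), compared against the audience your API's token validation parameters are configured with.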
  51. Congrats, you’re all over the cloud now!

    Slide 57 - Congrats, you’re all over the cloud now!

    • Yes, I’d like to OAuth, please!
  52. Sample code: https://github.com/azureadsamples

    Slide 58 - Sample code: https://github.com/azureadsamples

    • Protocols: http://aka.ms/aadauthprotocols
    • Office 365 specific samples: https://github.com/OfficeDev
    • Office 365 dev getting started: http://dev.office.com/getting-started
    • Azure AD Graph REST API: http://aka.ms/azureadgraphapi
    • Office 365 REST API: http://aka.ms/o365rest
    • Resources
  53. Improve your skills by enrolling in our free cloud development courses at the Microsoft Virtual Academy.

    Slide 59 - Improve your skills by enrolling in our free cloud development courses at the Microsoft Virtual Academy.

    • Try Microsoft Azure for free and deploy your first cloud solution in under 5 minutes!
    • Easily build web and mobile apps for any platform with AzureAppService for free.
    • Resources