Getting "We couldn't sign you in" error after signing into .NET Core web app using Azure authentication

Question

Getting "We couldn't sign you in" error after signing into .NET Core web app using Azure authentication

Ron Raney 5

I'm trying to retrofit Azure authentication into a .NET Core v8 web application.

I'm using this tutorial: https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-web-app-dotnet-call-api?tabs=visual-studio%2Cdotnet6

I have an application set up in Entra. I've done everything in the tutorial but I'm not sure how to add the Index.html.cs code to an existing Home controller which is the default landing page. I'm guessing this could be part of the problem, but perhaps there is a network or configuration issue.

I've gone through this tutorial over 20 times trying to get it to work. I get different results in localhost and our test server. What's important is getting it to work on a real server.

When I go to our app URL, it brings up the "login.microsoftonline.com" Sign in for our organization. I am asked to sign in. Once I enter password (and bypass Stay signed in), it appears to go into a loop for about 10 seconds then it shows the "Pick an account" prompt. It shows that I'm signed in, but it says, "We couldn't sign you in. Please try again".

Ron Raney 5 Reputation points

2024-11-01T20:37:27.8033333+00:00

Removed image with personal email shown
Ron Raney 5 Reputation points

2024-11-01T20:38:10.7433333+00:00

Removed image with personal email shown
Anonymous

2024-11-05T08:45:07.0766667+00:00

Hi @Ron Raney,

Please let me know the format of your email, is it like ******@abc.onmicrosoft.com ?

Or you are using outlook or gmail and so on. If you are not using .onmicrosoft.com email, please contact your Administrator and let him create a new account for you. Then test again.

Best Regards

Jason
Ron Raney 5 Reputation points

2024-11-05T14:43:52.5733333+00:00

I am using an email created by our organization for my employee account in Azure using our domain. It's not a Microsoft account.
Ron Raney 5 Reputation points

2024-11-05T14:45:05.75+00:00

I am using an organization email with our domain name which is all done in Azure. It's not a microsoft email address.
Ron Raney 5 Reputation points

2024-11-05T14:49:47.4133333+00:00

I looked at the Network tab in Console Tools while trying to authenticate. It keeps flipping back and forth between 302 and 200 status, between authorize and sign-oidc. It "signs me in" to Azure, but doesn't allow me to see the web app. I have this working locally, but on the production/staging server, it's not working. I'm using IIS Express locally and IIS in production.
Ron Raney 5 Reputation points

2024-11-05T19:24:48.55+00:00

Program.cs

using Example.Models; using Example2.Models;

using Microsoft.EntityFrameworkCore;

// <ms_docref_import_types>

using Microsoft.AspNetCore.Authorization;

using Microsoft.AspNetCore.Mvc.Authorization;

using Microsoft.Identity.Web;

using Microsoft.Identity.Web.UI;

// </ms_docref_import_types>

var builder = WebApplication.CreateBuilder(args);

IEnumerable<string>? initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');

builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, "AzureAd") .EnableTokenAcquisitionToCallDownstreamApi(initialScopes) .AddDownstreamApi("DownstreamApi", builder.Configuration.GetSection("DownstreamApi")) .AddInMemoryTokenCaches();

// </ms_docref_add_msal>

// Add services to the container.

builder.Services.AddControllersWithViews();

builder.Services.AddDbContext<Test_RRContext>(options => options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));

builder.Services.AddDbContext<lansweeperdbContext>(options => options.UseSqlServer(builder.Configuration.GetConnectionString("LSConnection")));

builder.Services.AddRazorPages().AddMvcOptions(options =>

{ var policy = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .Build(); options.Filters.Add(new AuthorizeFilter(policy));

}).AddMicrosoftIdentityUI();

// </ms_docref_add_default_controller_for_sign-in-out>

var app = builder.Build();

// Configure the HTTP request pipeline.

if (!app.Environment.IsDevelopment())

//if (app.Environment.IsDevelopment())

{ app.UseExceptionHandler("/Home/Error"); // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts. app.UseHsts();

}

app.UseHttpsRedirection();

app.UseStaticFiles();

app.UseRouting();

app.UseAuthentication();

app.UseAuthorization();

app.MapRazorPages();

app.MapControllers();

app.MapControllerRoute( name: "default", pattern: "{controller=Home}/{action=Index}");

app.Run();
Ron Raney 5 Reputation points

2024-11-06T17:18:16.3+00:00

I'm using a certificate for the credentials. In localhost, this certificate is sitting in the project folder. When I deploy to the server, I assumed .NET would just "handle" this certificate. I don't see that file on the server. I'm wondering if I'm supposed to create the certificate on the server somehow then use that or simply add it to the root folder on the server. This wasn't explained in the tutorial. It was all localhost in the tutorial.
Ron Raney 5 Reputation points

2024-11-06T17:20:07.74+00:00

I'm wondering about the certificate. Locally, it's just sitting in the project folder. I assume when I publish the app to the server (IIS) .NET just "takes care of it". I haven't done anything at all regarding the certificate on the server. The tutorial didn't get into publishing. Maybe I'm missing a step.

3 answers

Your answer

Ron Raney 5 Reputation points

2024-11-01T20:37:27.8033333+00:00

Removed image with personal email shown
Ron Raney 5 Reputation points

2024-11-01T20:38:10.7433333+00:00

Removed image with personal email shown
Anonymous

2024-11-05T08:45:07.0766667+00:00

Hi @Ron Raney,

Please let me know the format of your email, is it like ******@abc.onmicrosoft.com ?

Or you are using outlook or gmail and so on. If you are not using .onmicrosoft.com email, please contact your Administrator and let him create a new account for you. Then test again.

Best Regards

Jason
Ron Raney 5 Reputation points

2024-11-05T14:43:52.5733333+00:00

I am using an email created by our organization for my employee account in Azure using our domain. It's not a Microsoft account.
Ron Raney 5 Reputation points

2024-11-05T14:45:05.75+00:00

I am using an organization email with our domain name which is all done in Azure. It's not a microsoft email address.
Ron Raney 5 Reputation points

2024-11-05T14:49:47.4133333+00:00

I looked at the Network tab in Console Tools while trying to authenticate. It keeps flipping back and forth between 302 and 200 status, between authorize and sign-oidc. It "signs me in" to Azure, but doesn't allow me to see the web app. I have this working locally, but on the production/staging server, it's not working. I'm using IIS Express locally and IIS in production.
Ron Raney 5 Reputation points

2024-11-06T17:18:16.3+00:00

I'm using a certificate for the credentials. In localhost, this certificate is sitting in the project folder. When I deploy to the server, I assumed .NET would just "handle" this certificate. I don't see that file on the server. I'm wondering if I'm supposed to create the certificate on the server somehow then use that or simply add it to the root folder on the server. This wasn't explained in the tutorial. It was all localhost in the tutorial.
Ron Raney 5 Reputation points

2024-11-06T17:20:07.74+00:00

I'm wondering about the certificate. Locally, it's just sitting in the project folder. I assume when I publish the app to the server (IIS) .NET just "takes care of it". I haven't done anything at all regarding the certificate on the server. The tutorial didn't get into publishing. Maybe I'm missing a step.

Answer 1

It sounds like you're encountering a common issue related to Azure authentication in your .NET Core application. The "We couldn't sign you in" error can often be attributed to misconfigurations in your application or the Azure AD setup. Here are some troubleshooting steps you can take:

Check Configuration: Ensure that your application settings in Azure AD (like the Redirect URI, Client ID, and Tenant ID) match exactly with what you have in your application. Any mismatch can lead to authentication failures.
Review Logs: Enable detailed logging in your application to capture any errors during the authentication process. This can provide insights into what might be going wrong.
Network Issues: Since you mentioned different results on localhost versus your test server, ensure that the server is correctly configured to allow traffic to and from Azure AD. Check firewall settings and network configurations.
Inspect the Authentication Flow: Use browser developer tools to inspect network requests during the authentication process. Look for any failed requests or error messages that might indicate what is causing the loop or failure.
Application Manifest: If you are using Microsoft Entra ID, ensure that the application manifest is correctly configured to allow public clients if necessary. This can be a common source of issues.
Consult Documentation: Since you are following a tutorial, double-check each step to ensure nothing was missed, especially regarding the integration of the Index.html.cs code into your existing Home controller.

If you continue to experience issues, consider reaching out to community forums like Stack Overflow or the ASP.NET Core Slack Team for additional support.

References:

Answer 2

Bruce (SqlWork.com) 78,311 Volunteer Moderator

it sounds like the web app can not validate the code sent to the reply url. check that the web server has access to the azure oauth server. you may need to change firewall rules. also if the production server is a web farm, you will need to configure data protection services for a farm support.

Ron Raney 5

We confirmed that there are no firewall SSL decryption problems. I don't know how to check that the server has access to the Azure oauth server. We are using the generic https://login.microsoftonline.com endpoint. We have "Allow public client flows" turned off because I don't want this to be public, but maybe that's not what that means. I have no tokens selected.

Full manifest

{
	"id": "xxx",
	"deletedDateTime": null,
	"appId": "xxx",
	"applicationTemplateId": null,
	"disabledByMicrosoftStatus": null,
	"createdDateTime": "2024-11-04T16:05:09Z",
	"displayName": "Example App",
	"description": null,
	"groupMembershipClaims": null,
	"identifierUris": [],
	"isDeviceOnlyAuthSupported": null,
	"isFallbackPublicClient": null,
	"nativeAuthenticationApisEnabled": null,
	"notes": null,
	"publisherDomain": "example.com",
	"serviceManagementReference": null,
	"signInAudience": "AzureADMyOrg",
	"tags": [],
	"tokenEncryptionKeyId": null,
	"samlMetadataUrl": null,
	"defaultRedirectUri": null,
	"certification": null,
	"optionalClaims": null,
	"requestSignatureVerification": null,
	"addIns": [],
	"api": {
		"acceptMappedClaims": null,
		"knownClientApplications": [],
		"requestedAccessTokenVersion": null,
		"oauth2PermissionScopes": [],
		"preAuthorizedApplications": []
	},
	"appRoles": [],
	"info": {
		"logoUrl": null,
		"marketingUrl": null,
		"privacyStatementUrl": null,
		"supportUrl": null,
		"termsOfServiceUrl": null
	},
	"keyCredentials": [
		{
			"customKeyIdentifier": "xyz",
			"displayName": "CN=localhost",
			"endDateTime": "2025-11-01T13:28:20Z",
			"key": null,
			"keyId": "xyz",
			"startDateTime": "2024-11-01T13:28:20Z",
			"type": "AsymmetricX509Cert",
			"usage": "Verify"
		}
	],
	"parentalControlSettings": {
		"countriesBlockedForMinors": [],
		"legalAgeGroupRule": "Allow"
	},
	"passwordCredentials": [
		{
			"customKeyIdentifier": null,
			"displayName": "Password uploaded on Mon Nov 04 2024",
			"endDateTime": "2025-05-03T15:17:29.559Z",
			"hint": "Za3",
			"keyId": "xyz",
			"secretText": null,
			"startDateTime": "2024-11-04T16:17:29.559Z"
		}
	],
	"publicClient": {
		"redirectUris": []
	},
	"requiredResourceAccess": [
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "xyz",
					"type": "Scope"
				}
			]
		}
	],
	"verifiedPublisher": {
		"displayName": null,
		"verifiedPublisherId": null,
		"addedDateTime": null
	},
	"web": {
		"homePageUrl": null,
		"logoutUrl": "https://example:30443/home",
		"redirectUris": [
			"https://example:30443/signin-oidc",
			"https://localhost:44398/signin-oidc"
		],
		"implicitGrantSettings": {
			"enableAccessTokenIssuance": false,
			"enableIdTokenIssuance": false
		},
		"redirectUriSettings": [
			{
				"uri": "https://example:30443/signin-oidc",
				"index": null
			},
			{
				"uri": "https://localhost:44398/signin-oidc",
				"index": null
			}
		]
	},
	"servicePrincipalLockConfiguration": {
		"isEnabled": true,
		"allProperties": true,
		"credentialsWithUsageVerify": true,
		"credentialsWithUsageSign": true,
		"identifierUris": false,
		"tokenEncryptionKeyId": true
	},
	"spa": {
		"redirectUris": []
	}
}

Ron Raney 5

appsettings.json

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "xxx",
    "ClientId": "xxx",
    "ClientSecret": "xxx",
    "ClientCertificates": [
      {
        "SourceType": "StoreWithThumbprint",
        "CertificateStorePath": "CurrentUser/My",
        "CertificateThumbprint": "x"
      }
    ],
    "CallbackPath": "/signin-oidc"
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0/",
    "RelativePath": "me",
    "Scopes": [
      "user.read"
    ]
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  
}

Bruce (SqlWork.com) 78,311 Reputation points Volunteer Moderator

2024-11-05T21:09:58.6966667+00:00

you should logon to your prod server, and hit the 2 urls:

https://login.microsoftonline.com/

https://graph.microsoft.com/v1.0/

be sure the reply urls are correct in the manifest, and the redirect to azure login (check the url). normally you'd get an error if wrong.

you can also install a chrome oauth tracer, which may help.

you mentioned a blazor link. oauth is handled by a razor page library, that create a cookie and redirects to the Blazor host page.. the blazer host page reads the cookie and and set the user in the http context. this context is then passed to the Blazor app. if this is not configured correctly, the Blazor app will redirect to the razor page login.

you could add an authenticated razor page to the website, to test just the azure authentication.

Answer 3

Anonymous

Hi @Ron Raney,

Thanks for your patience, I have test it in my local and reproduce the same issue.

After checking the error message in output window, we found the issue is related to permission. Here is my error message.

The user or administrator has not consented to use the application with ID '63f****-7**2-4**d-a**0-60*****8dbbc' named 'identity-client-web-app'. Send an interactive authorization request for this user and resource.

Then I grant admin consent like below, and it starts to work. If you don't have the admin permission, you can contact your administrator help you.

User's image

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,

Jason

Ron Raney 5 Reputation points

2024-11-06T16:59:15.7766667+00:00

The app registration was allowed. Again, this app works locally in localhost and not on the server. Neither would work if it was a permissions issue like this.

The best additional clue I have is by looking at event logs on the server. There are a lot of entries where some process is passing an invalid "secret id". I'm wondering if the certificate doesn't get passed to the right location when publishing the app.

Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '0f1d4-93c4--a-1a771f36571d'. Trace ID: 1d218547-c6f7-43e4-*-fc77***d700

Here's a trace related to this

Timestamp: 2024-11-06 15:29:07Z at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext) at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T] at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T] at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger) at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger) at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(IDictionary2 additionalBodyParameters, CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.ConfidentialAuthCodeRequest.ExecuteAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext() --- End of stack trace from previous location --- at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func1 codeBlock) at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenByAuthorizationCodeParameters authorizationCodeParameters, CancellationToken cancellationToken) at Microsoft.Identity.Web.TokenAcquisition.AddAccountToCacheFromAuthorizationCodeAsync(AuthCodeRedemptionParameters authCodeRedemptionParameters) at Microsoft.Identity.Web.TokenAcquisitionAspNetCore.AddAccountToCacheFromAuthorizationCodeAsync(AuthorizationCodeReceivedContext context, IEnumerable1 scopes, String authenticationScheme) at Microsoft.Identity.Web.MicrosoftIdentityWebAppAuthenticationBuilder.<>c__DisplayClass11_1.<<WebAppCallsWebApiImplementation>b__1>d.MoveNext() --- End of stack trace from previous location --- at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RunAuthorizationCodeReceivedEventAsync(OpenIdConnectMessage authorizationResponse, ClaimsPrincipal user, AuthenticationProperties properties, JwtSecurityToken jwt) at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync() StatusCode: 401 ResponseBody: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '0f1d-93c4-4669-aeb9-1a771f36571d'. Trace ID: 1d218547--43e4-8ebc-fc77a501d700 Correlation ID: d4c7d6bb-8103-4492-8737-71dfa61ab10f Timestamp: 2024-11-06 15:29:07Z","error_codes":[7000215],"timestamp":"2024-11-06 15:29:07Z","trace_id":"1d218547-c6f7-43e4-8ebc-fc77a501d700","correlation_id":"d4c7d6bb-8103-4492-8737-71dfa61ab10f","error_uri":"https://login.microsoftonline.com/error?code=7000215"} Headers: Cache-Control: no-store, no-cache Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" client-request-id: d4c7-8103-4492-8737-71dfa61ab10f x-ms-request-id: 1d218547-c6f7-43e4-8ebc-fc77a501d700 x-ms-ests-server: 2.1.19343.4 - SCUS ProdSlices x-ms-clitelem: 1,7000215,0,, x-ms-srs: 1.P X-XSS-Protection: 0 Set-Cookie: fpc=Al6ohu4BS2hPglmS5LdIfFn**EKCvd4OAAAA; expires=Fri, 06-Dec-2024 15:29:07 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; httponly Date: Wed, 06 Nov 2024 15:29:06 GMT
Anonymous

2024-11-08T06:06:16.6933333+00:00

Hi @Ron Raney,

Please try to reset the client secret keys in the Azure portal, and let me know if it can fix AADSTS7000215 error or not.

Thanks for your patience.

Best Regards

Jason
Anonymous

2024-12-09T01:31:31.2866667+00:00

Hi @Ron Raney,

Please kindly check this thread, hope it can inspire you.

Issues Deploying Blazor Server App with Azure Authentication

Best Regards

Jason

Share via

Getting "We couldn't sign you in" error after signing into .NET Core web app using Azure authentication

3 answers

Your answer