Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
690 questions
Supporting single sign-on behind an application gateway
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 5%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETR%3C/text%3E%3C/svg%3E)
Trevor Richards
5
Reputation points
Hi there,
We're trying to deploy an application that supports single-sign on using Microsoft Accounts. Our application is running locally as expected.
We're now trying to deploy on our Azure architecture. The application runs as an App Service. The App Service sits behind an application gateway on an internal VNet. This is accessible from certain internal networks via a private DNS link (e.g. application-name.azurewebsites.net).
We then are using the Azure Application Gateway / Application firewall for all inbound traffic to this site. We've configured listeners / pools etc. to route the traffic from e.g. application-name.companydomainname.com to application-name.azurewebsites.net. The application / firewall are working as expected.
When we are attempting to do single sign-on, we are receiving the following error message:
SSO Login Error. Error from external provider: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS500112: The reply address 'https://application-name.azurewebsites.net/SsoProvider/office365/signin-oidc' does not match the reply address 'https://application-name.companydomainname.com/SsoProvider/office365/signin-oidc' provided when requesting Authorization code. Trace ID: <omitted> Correlation ID: <omitted> Timestamp: <omitted>.
We understand that this is being caused by the fact that SSO is using the host name of the application running within app services (application-name.azurewebsites.net) but the inbound request is coming in via (application-name.companydomainname.com).
We have tried numerous configurations within our application, but we can't get passed the above message.
Any support would be appreciated,
Thanks,
Trev
Azure DNS
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,079 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,080 questions
Azure Startups
Azure Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.Startups: Companies that are in their initial stages of business and typically developing a business model and seeking financing.
382 questions
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 33,081 Reputation points Microsoft Employee2024-05-30T10:38:32.9566667+00:00 @Trevor Richards Thank you for reaching out to us, The error message you are receiving indicates that the reply address specified in the authentication request does not match the reply address configured in the Entra ID/Azure AD application registration. This can occur when the application is accessed using a different URL than the one specified in the application registration.
To resolve this issue, you need to update the reply URLs in the Entra ID/Azure AD application registration to include the URL that is being used to access the application.
Let me know if this helps to resolve the above mentioned issue.
-
brtrach-MSFT 16,586 Reputation points Microsoft Employee2024-05-31T19:20:49.0666667+00:00 @Trevor Richards Can you please let us know if you have a response to Givary-MSFT's above comment? We look forward to hearing back from you.
-
Trevor Richards 5 Reputation points
2024-06-03T06:48:13.18+00:00 Hi, updating the URL to include both the internal and external address within Entra ID/Azure AD does not change anything.
-
Givary-MSFT 33,081 Reputation points Microsoft Employee
2024-06-03T06:56:12.4966667+00:00 @Trevor Richards Please send us an email on azcommunity [at] microsoft [dot] com or post message via private message referencing this issue with a subject line "ATTN:Givary" along with your Azure subscription id and we will help you with one time support option for this issue where you can work with our support team directly on this as this issue needs deeper troubleshooting.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 79%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHW%3C/text%3E%3C/svg%3E)
Hanwei Wang 0 Reputation points2024-07-18T10:00:58.06+00:00 Hi @Trevor Richards , I am very curious about if your issue has been solved, and if possible how it got solved. We are facing exact same issue as you, the only diffence is we are using SAML for SSO configuration not Entra ID.
Sign in to comment
Sign in to answer