HTTP-500 error when connecting from FrontDoor with AAD authentication on Blazor Server

takeolexus 80 Reputation points
2023-06-06T10:13:37.4433333+00:00

I created a Blazor Server app that uses the AAD authentication, referring to the following URL.

https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-blazor-server

Then I deployed to AppService and this worked fine.

After that, I created Front Door service in front of AppService.

I connected from Front Door, then an HTTP-500 error occurred.

I checked the log stream of App Service, and the following log was output.

2023-05-31T04:16:58.039978408Z: [INFO] warn: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[15]
2023-05-31T04:16:58.040026409Z: [INFO] '.AspNetCore.Correlation.rTLpTmb67bPnCQUrWSyGUNDR2yK51N9FZxUzCbsVnFc' cookie not found.
2023-05-31T04:16:58.048590921Z: [INFO] fail: Microsoft.AspNetCore.Server.Kestrel[13]
2023-05-31T04:16:58.048621622Z: [INFO] Connection id "0HMR1HGGM7205", Request id

3 answers

  1. Marilee Turscak-MSFT 33,056 Reputation points Microsoft Employee
    2023-06-06T21:08:53.87+00:00

    Hi @Anonymous ,

    Thanks for your post! If you check the browser traces in the developer tools, you can see if the Correlation cookie might be getting stripped by the browser and find out why the cookie got lost. For example, this can happen if the cookie's SameSite attribute is set to "None" but the "Secure" attribute is not set as described here.

    As also mentioned in the SO post, some users have been able to resolve this by adding the following in the Startup Configure method:

    app.UseCookiePolicy(new CookiePolicyOptions
    {
        Secure = CookieSecurePolicy.Always
    });


    The issue may also be related to the samesitemode of the cookies. If this is the case and the samesitemode is strict, you can try setting it to this:

    app.UseCookiePolicy(new CookiePolicyOptions
    {
        MinimumSameSitePolicy = SameSiteMode.None
    });


    If the app is using App.UseCookiePolicy(); in the client startup, you may also try removing that.

    Additionally, this may happen if the app is not being accessed from the home page, and if this is the case it may be worth opening a support ticket to investigate your environment setup with Azure Front Door.

    Let me know if this helps and if you still run into this issue. If you share the developer tool logs and network traces, I should be able to better help diagnose.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar issues.


  2. Marilee Turscak-MSFT 33,056 Reputation points Microsoft Employee
    2023-06-07T22:03:00.75+00:00

    Hi @Anonymous ,

    Thanks for sharing your files. The settings look correct to me. Sometimes there are outages that could cause this issue, but there do not appear to be any known outages for Azure Front Door at the moment.

    If you only receive this error when you add the Azure Front Door layer, it sounds like the application hosted by the Azure App Service may not be receiving the request that is sent by Front Door.

    There are some workarounds which may help such as setting the Client Certificates mode to "Ignore" in the App Service settings section in the Azure Portal (which may or may not be suitable for your scenario), or increasing the Origin Response Timeout.

    If you send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, I would like to get a support case opened to resolve your issue. In the meantime, I will continue to investigate on my end and see if there are additional issues that could cause the 500 error.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.


  3. takeolexus 80 Reputation points
    2023-06-20T06:08:54.9966667+00:00

    I sent a support ticket and got an answer on how to deal with it.

    I needed the X-Forwarded-Host header implemented as a redirect URL.

    builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        options.Events = new OpenIdConnectEvents
        {
            OnRedirectToIdentityProvider = (context) =>
            {
                context.ProtocolMessage.RedirectUri = "https://xxxxx.azurefd.net/signin-oidc";
                return Task.FromResult(0);
            }
        };
    });

    app.UseForwardedHeaders();


    This cleared the HTTP-500 error, but there are other problems I'm still investigating.

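The following Program.cs puts the pieces from the answers above together (forwarded headers, a redirect URI derived from the Front Door host instead of a hardcoded one, and the cookie policy from the first answer). It is an added example, not code from the thread or from Microsoft; it assumes .NET 6+ minimal hosting with implicit usings, the Microsoft.Identity.Web package with an "AzureAd" configuration section, and `xxxxx.azurefd.net` as a placeholder for the Front Door endpoint name.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Honour X-Forwarded-Host / X-Forwarded-Proto so Request.Host becomes the Front Door
// hostname (and the scheme https) instead of the App Service hostname.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;
    // Allow-list the forwarded host: a spoofed X-Forwarded-Host from some other client
    // must not end up in the redirect URI sent to the identity provider.
    options.AllowedHosts.Add("xxxxx.azurefd.net");   // placeholder Front Door endpoint
    // Front Door does not arrive from loopback, so the default loopback-only proxy
    // settings would otherwise cause the middleware to ignore the forwarded headers.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // Chain onto whatever handler Microsoft.Identity.Web already installed instead of replacing it.
    var previous = options.Events.OnRedirectToIdentityProvider;
    options.Events.OnRedirectToIdentityProvider = async context =>
    {
        await previous(context);
        // After UseForwardedHeaders, Request.Host is the allow-listed Front Door host,
        // so the redirect URI follows the public hostname rather than a hardcoded string.
        context.ProtocolMessage.RedirectUri = $"https://{context.Request.Host}{options.CallbackPath}";
    };
});

var app = builder.Build();

app.UseForwardedHeaders();   // must run before authentication so Request.Host is rewritten
app.UseCookiePolicy(new CookiePolicyOptions
{
    Secure = CookieSecurePolicy.Always,         // correlation/nonce cookies only over https
    MinimumSameSitePolicy = SameSiteMode.None,  // they must survive the cross-site return from AAD
});
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```

If the forwarded host is not in AllowedHosts, the middleware leaves Request.Host untouched and the redirect URI falls back to the App Service hostname, which AAD will reject as a redirect_uri mismatch; that failure is the intended behaviour for an unexpected host.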