SPN Failed SignIn From Unknown IPv6

jsc.lt 51 Reputation points
2024-09-22T12:03:32.6333333+00:00

An SPN has failed SignIns from an IPv6 address. The environment doesn't have IPv6 enabled anywhere, except the typical Windows VM network adapter as ::1. Users access an Azure Web App from a VM. Their creds work, but create the failed SPN IPv6 login at the same time. The App Registration has a redirect URI. The destination server is unavailable. It's using OpenID Connect.

It seems like Azure or Entra's managed backend plane is using ULA with the prefix FDE4.

No indications of what's assigning ULA.
https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/ad-dmn-services/azure-ad-ipv6-support

Has anyone seen SPNs failing SignIn from a private IPv6?


2 answers

Sort by: Most helpful
  1. Luis Arias 6,786 Reputation points
    2024-09-23T11:03:33.9733333+00:00

    Hi please follow this thread about conditional access https://learn.microsoft.com/en-us/answers/questions/1184060/what-does-this-ipv6-mean-i-use-a-mac-pro-do-i-need

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Regards,

    Luis


  2. jsc.lt 51 Reputation points
    2024-09-23T12:19:32.31+00:00

    It might be related to mobile device MFA.
    User > VPN > Citrix > Azure VM > App Service | Entra | MFA

    The user opens a browser on their Azure VM. They go to the web app address and get redirected to the Azure SignIn page. They put in their user/pass/MFA. The user is successful, but the redirect URI fails. So, the SPN is taking some component there as IPv6. Azure/Entra backend.

    https://blogs.infoblox.com/ipv6-coe/3-ways-to-ruin-your-future-network-with-ipv6-unique-local/

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/ipv6-support?view=o365-worldwide

    Perhaps the IPv6 was NAT64 and source IPv4 can be reversed.

    https://www.reddit.com/r/ipv6/comments/yr9021/nat64_vs_proxy_to_translate_from_ipv6_to_ipv4/?rdt=54817

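To make the "ULA vs. NAT64" question above checkable against actual sign-in log entries, here is an added Python example (not code from the thread or from Microsoft). It classifies a source address as IPv4, IPv6 loopback, ULA (fc00::/7, which covers the FDE4 prefix mentioned in the question), link-local or global, and recovers the embedded IPv4 address only when the address falls under a known /96 NAT64 prefix (the RFC 6052 well-known prefix 64:ff9b::/96 by default). The sample addresses are constructed; the operator-specific prefix shown in the usage note is hypothetical, since the thread does not establish that FDE4 is a NAT64 prefix.

```python
import ipaddress

# Constructed sample source addresses, as they might appear in sign-in logs.
SAMPLE_SOURCES = [
    "::1",                   # IPv6 loopback, the only IPv6 the question expects to see
    "fde4::1234",            # ULA, same prefix family as the FDE4 addresses in the question
    "64:ff9b::c000:0201",    # well-known NAT64 prefix embedding 192.0.2.1 (RFC 6052)
    "2001:db8::10",          # documentation-range global unicast
    "203.0.113.7",           # plain IPv4
]

# RFC 6052 well-known NAT64 prefix; operators may also use their own /96.
NAT64_WELL_KNOWN = "64:ff9b::/96"
ULA_RANGE = ipaddress.ip_network("fc00::/7")


def embedded_ipv4(addr, nat64_prefixes=(NAT64_WELL_KNOWN,)):
    """Return the IPv4 address embedded in a NAT64-translated IPv6 address, else None.

    Only the /96 form is handled: the IPv4 address occupies the low 32 bits.
    Extraction is only meaningful for prefixes known to be NAT64 prefixes.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    for prefix in nat64_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == 6 and net.prefixlen == 96 and ip in net:
            return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    return None


def classify_source(addr, nat64_prefixes=(NAT64_WELL_KNOWN,)):
    """Label a sign-in source address for triage; NAT64 hits carry the inner IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip.is_loopback:
        return "ipv6-loopback"
    inner = embedded_ipv4(addr, nat64_prefixes)
    if inner is not None:
        return f"nat64:{inner}"
    if ip in ULA_RANGE:
        return "ipv6-ula"
    if ip.is_link_local:
        return "ipv6-link-local"
    return "ipv6-global"


def summarize(sources, nat64_prefixes=(NAT64_WELL_KNOWN,)):
    """Map each source address to its label, e.g. for a batch of failed SPN sign-ins."""
    return {src: classify_source(src, nat64_prefixes) for src in sources}


if __name__ == "__main__":
    for src, label in summarize(SAMPLE_SOURCES).items():
        print(f"{src:22} {label}")
```

A ULA address such as fde4::1234 is reported as `ipv6-ula` and no IPv4 is recovered, because nothing on the page says the FDE4 range is a translation prefix. If a network team confirmed a specific /96 NAT64 prefix, it can be passed explicitly, for example `classify_source("fde4::c000:0201", nat64_prefixes=("fde4::/96",))` (hypothetical prefix) would yield `nat64:192.0.2.1`; without that confirmation the embedded-IPv4 reading is a guess.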
