My client has an existing MVC application. Another developer on their team created the sign in. When deploying it to the test server, it was discovered that the sign in only works once.
I can start the application, and test with 3 different Microsoft Logins, so the code obviously works.
The second attempt will get the prompt for email, then password, then the 2 factor authentication phone call works, but then the app redirects to the login screen.
I have logging in the OnAuthenticationFailed method, and this never gets called.
Here is part of our startup.cs:
public void Configuration(IAppBuilder app)
// Configure the db context, user manager and role manager to use a single instance per request
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, AppUser>(
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
// Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
// Enables the application to remember the second login verification factor such as phone or email.
// Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
// This is similar to the RememberMe option when you log in.
//Added to resolve the Issue# 2352
// Sets the ClientId, authority, RedirectUri as obtained from web.config
ClientId = clientId,
Authority = authority,
RedirectUri = redirectUri,
// PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
PostLogoutRedirectUri = redirectUri,
Scope = OpenIdConnectScope.OpenIdProfile,
// ResponseType is set to request the id_token - which contains basic information about the signed-in user
ResponseType = OpenIdConnectResponseType.IdToken,
// ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
// To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
// To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
TokenValidationParameters = new TokenValidationParameters()
ValidateIssuer = false
// OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
Notifications = new OpenIdConnectAuthenticationNotifications
AuthenticationFailed = OnAuthenticationFailed
I am not getting any errors, so not really sure how to debug it.