Single sign-on Authentication Using Azure Ad

Surender Bollam asked on February 13, 2024 10:57

Hi,

We are planning to use Single sign-on Authentication using Azure AD. For this process we have registered our Application URL in the Azure portal, and they have given us the client ID and security realm. These details we are using in the Kentico admin --> Settings --> Authentication --> Claim Based Authentication. Here we have enabled the WIF authentication and given the required details: Identity provider URL, Security realm, Allowed audience URIs, Certificate validator --> selected Chain trust.

After going through the above process we are able to redirect to the Microsoft login page; after successfully logging in we are getting this error.

Can you please suggest a solution on how to solve this error.


Correct Answer

Ben Quinlan answered on February 13, 2024 13:37

Without having access to the specific error from the Event Log it's hard to say what your exact issue is. Often when we have run into this issue in the past it has been due to Azure AD issuing a new certificate and therefore a new thumbprint. The change in certificate thumbprint then invalidates the authentication request, resulting in an error as you are seeing. To fix the issue, you then just need to update the certificate thumbprint in the Kentico admin > Settings > Authentication > Claim Based Authentication area.

With Azure AD this issue is likely to continue. It is possible to update the certificate thumbprint automatically via a scheduled task configured in Kentico, but doing so does have security risks associated with it that would need to be considered. Alternatively, you could utilise a scheduled task that would check for an updated thumbprint and notify a specific user or team that could implement the update manually.

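The scheduled check Ben describes, written out as an added example (not code from this thread or from Kentico): it parses a WS-Federation metadata document of the same shape as Azure AD's FederationMetadata.xml, computes the Windows-style SHA-1 thumbprint of every published signing certificate, and reports thumbprints Kentico does not have yet or still has although the identity provider no longer publishes them. The metadata sample and the certificate bytes are constructed stand-ins; fetching the live metadata URL and sending the notification are assumed to be wired up around `detect_rollover`, and all function names are my own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for the DER bytes of the old and new Azure AD signing
# certificates; only the DER -> thumbprint step is exercised, so opaque bytes do.
OLD_CERT_DER = b"constructed-old-signing-cert-der"
NEW_CERT_DER = b"constructed-new-signing-cert-der"

# Constructed sample with the shape of FederationMetadata.xml during a key
# rollover: both the outgoing and the incoming signing key are published.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <RoleDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{base64.b64encode(OLD_CERT_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{base64.b64encode(NEW_CERT_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>"""

def thumbprint(der: bytes) -> str:
    """Windows-style thumbprint: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()

def normalize(tp: str) -> str:
    """Accept thumbprints pasted with spaces or colons, as they are often copied."""
    return tp.replace(" ", "").replace(":", "").upper()

def signing_thumbprints(metadata_xml: str) -> list[str]:
    """Thumbprints of all published signing certificates, in document order."""
    root = ET.fromstring(metadata_xml)
    result = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both uses
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            result.append(thumbprint(base64.b64decode(cert.text.strip())))
    return result

def detect_rollover(metadata_xml: str, configured: set[str]) -> dict[str, list[str]]:
    """'new': published but not configured yet; 'retired': configured but no longer published."""
    published = signing_thumbprints(metadata_xml)
    known = {normalize(t) for t in configured}
    return {"new": [t for t in published if t not in known],
            "retired": sorted(known - set(published))}
```

A non-empty `new` list is the moment to add the thumbprint in Settings > Authentication > Claim Based Authentication, before the old key disappears; a non-empty `retired` list means sign-ins are already failing.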

Recent Answers


Surender Bollam answered on February 13, 2024 18:10

Thanks Ben Quinlan for the reply.

This is the error log we are getting in the event log:



Ben Quinlan answered on February 14, 2024 01:27

Can you confirm if the website is sitting behind a proxy server or some other service that may be doing SSL inspection or offloading? This could be causing an intermediary certificate to be returned instead of the original provided by Azure AD.

The other case is that the server doesn't have the proper trusted CAs configured, but I would consider this much more unlikely.

If you attempt to connect to https://accounts.accesscontrol.windows.net/ from a browser on the server, is there an SSL error returned or are you successfully redirected to the Microsoft login page?


Surender Bollam answered on February 20, 2024 14:28

Hi Ben Quinlan

> The other case is that the server doesn't have the proper trusted CAs configured but I would consider this much more unlikely.

We are using the trusted CAs.

> If you attempt to connect to https://accounts.accesscontrol.windows.net/ from a browser on the server, is there an SSL error returned or are you successfully redirected to the Microsoft login page?

Yes, it is redirecting to the Microsoft login page.

Currently we are following this documentation for the Configuration https://docs.kentico.com/k11/managing-users/user-registration-and-authentication/claims-based-authentication

Configuration details we are using:

**Identity Provider Url** : https://login.microsoftonline.com/clientid/wsfed --> clientId we have generated through the Azure portal

**Security Realm** : https://example.portal.com/

**Allowed Audience Url** : https://example.portal.com/

**Trusted Certificate Thumbprint** :

**Certificate Validator :** Chain trust

**Error We are getting :**

The X.509 certificate CN=accounts.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Can you please guide us with some steps on where we are going wrong, and please confirm that we are following the correct process.

Thanks for the response.
