This repository has been archived by the owner on Dec 14, 2018. It is now read-only.

IsAuthenticated is false when moved to the IIS server with Azure AD .Net Core 2.1 #8700

Closed
sandillio opened this issue Nov 8, 2018 · 18 comments

Comments

@sandillio

Is this a Bug or Feature request?:

Steps to reproduce (preferably a link to a GitHub repo with a repro project):

Description of the problem:

Version of Microsoft.AspNetCore.Mvc or Microsoft.AspNetCore.App or Microsoft.AspNetCore.All:

@sandillio
Author

sandillio commented Nov 8, 2018

Works perfectly on my local machine but when moved to server it returns false.

My ConfigureServices method looks like this:

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
            
        });

        services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
            .AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
            {
                options.MetadataAddress = "MetaDataAddress";
                options.Wtrealm = "WtRealm";
                options.Wreply = "https://mydomain/AzureADDemo/Home/Status";
                options.SaveTokens = true;
                

            }).AddCookie(
                options =>
                {

                    options.Cookie.Name = ".AspNet.SharedCookie";
                    options.LoginPath = "/AzureADDemo/Home/Signin";
                    options.Cookie.Path = "/AzureADDemo";
                    options.Cookie.Expiration = TimeSpan.FromMinutes(20); 
                    options.Cookie.SecurePolicy = CookieSecurePolicy.None;
                    options.Cookie.SameSite = SameSiteMode.None;
                });

        services.AddMvc();

       
    }

And my Configure method looks like this:

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }
        app.UseCors(policy => policy.SetIsOriginAllowed(origin => origin == 
                     "https://login.microsoftonline.com"));
        app.UseHttpsRedirection();
        app.UseStaticFiles();

        

        app.UseCookiePolicy();
        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

@sandillio sandillio changed the title IsAuthenticated is false when moved to the IIS server IsAuthenticated is false when moved to the IIS server with Azure AD .Net Core 2.1 Nov 8, 2018
@mkArtakMSFT
Member

Thanks for contacting us, @sandillio.
@javiercn, can you please look into this? Thanks!

@javiercn
Member

javiercn commented Nov 8, 2018

@Tratcher I believe this is all yours

@javiercn javiercn assigned Tratcher and unassigned javiercn Nov 8, 2018
@Tratcher
Member

Tratcher commented Nov 8, 2018

Can you share a Fiddler trace of the scenario?

@Tratcher
Member

Tratcher commented Nov 8, 2018

Where are you calling IsAuthenticated?

@sandillio
Author

sandillio commented Nov 8, 2018

@Tratcher Here is the Fiddler trace
[screenshot: Fiddler trace]

@sandillio
Author

sandillio commented Nov 8, 2018

@Tratcher This is how I am signing in:

    var redirectUrl = Url.Action(nameof(HomeController.Status), "Home");
    return Challenge(new AuthenticationProperties { RedirectUri = redirectUrl }, WsFederationDefaults.AuthenticationScheme);

And then in Status I am checking IsAuthenticated, which is coming back as False.

@Tratcher
Member

Tratcher commented Nov 8, 2018

Please upload the fiddler trace file rather than a screenshot. You can send it to the e-mail in my profile if you don't want it to be public.

I expect your problem is with the Wreply option; that shouldn't point to a page in your app, but to a URL handled directly by the middleware. Use CallbackPath instead of Wreply.

@mkArtakMSFT feel free to transfer this to the Security repo.

@Tratcher
Member

Tratcher commented Nov 8, 2018

Confirmed, your Wreply is wrong. Use CallbackPath instead as described in the doc above.

@sandillio
Author

sandillio commented Nov 8, 2018

@Tratcher So I have removed Wreply and added CallbackPath, but now I am getting an error saying the reply URL is not matching.

    .AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
    {
        options.MetadataAddress = "MetaDataAddress";
        options.Wtrealm = "WtRealm";
        options.CallbackPath = "/Home/Status";
        options.SaveTokens = true;
    })

@Tratcher
Member

Tratcher commented Nov 8, 2018

CallbackPath should not reference a page in your app, it should be a dedicated endpoint like the default value "/signin-wsfed". The auth middleware will handle requests to this path.

@sandillio
Author

@Tratcher So I have changed my CallbackPath = "/AzureADDemo" and my Reply URLs in AzureAD to "https://mydomain/AzureADDemo", since this is the endpoint referring to Wreply, and I still get the reply URL not matching error. Please correct me where I am going wrong, as I am having difficulty understanding this AAD.

@Tratcher
Member

Tratcher commented Nov 8, 2018

> and I still get reply url not matching error.

What's the exact error and where do you get it? That doesn't sound like an ASP.NET error, is it coming from AAD?

@sandillio
Author

sandillio commented Nov 8, 2018 via email

@Tratcher
Member

Tratcher commented Nov 8, 2018

You're going to need to work that out with AAD. The only advice I can give is that you need to be very careful of the value, AAD has been known to require exact matches, even case sensitive.

@mkArtakMSFT
Member

Thanks @Tratcher.

Closing this as there is no more action to be taken here from our side.

@sandillio
Author

sandillio commented Nov 14, 2018

@Tratcher Sorry for posting late, but I got it working. My solution: I changed the reply URL in Azure to http://mydomain/yourappname/signin-wsfed and my ConfigureServices method to the one below.

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
            .AddWsFederation(WsFederationDefaults.AuthenticationScheme, options =>
            {
                options.MetadataAddress = "MetaDataAddress";
                options.Wtrealm = "WtRealm";
                options.SaveTokens = true;
            })
            .AddCookie(options =>
            {
                options.Cookie.Name = ".AspNet.SharedCookie";
                options.LoginPath = "/signin-wsfed";
                options.Cookie.Expiration = TimeSpan.FromMinutes(20);
                options.Cookie.SecurePolicy = CookieSecurePolicy.None;
                options.Cookie.SameSite = SameSiteMode.None;
            });

        services.AddMvc();
    }

@Tratcher
Member

Remove options.LoginPath = "/signin-wsfed";, it doesn't belong there. LoginPath won't be used unless someone calls Challenge on Cookies rather than WsFed.
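Putting the thread's conclusions together, here is an added example (not code from the issue or from the ASP.NET Core repo) of a Startup and controller wired the way Tratcher describes: the WS-Federation CallbackPath stays a dedicated endpoint that the handler owns (the default "/signin-wsfed") instead of an MVC action, no Wreply is set, LoginPath is dropped from the cookie scheme, and IsAuthenticated is read only on the page the handler redirects to after sign-in. It also hardens the cookie settings the thread left loose: SecurePolicy Always instead of None, HttpOnly, and ExpireTimeSpan in place of the obsolete Cookie.Expiration. Assumed: ASP.NET Core 2.1, the app hosted under the IIS application path "/AzureADDemo" as in the thread, and placeholder tenant and realm values.

```csharp
// Added example, not from the issue. Assumes ASP.NET Core 2.1 and an app hosted
// under the IIS application path "/AzureADDemo". Metadata/realm values are placeholders.
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // The WS-Fed response comes back as a cross-site POST from the identity provider,
            // so the global policy must not force SameSite=Lax onto the handler's correlation
            // cookie. Leave the minimum at None and set SameSite per cookie below.
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddWsFederation(options =>
        {
            // Placeholders: substitute the tenant's federation metadata URL and the realm
            // (App ID URI) registered for this application.
            options.MetadataAddress = "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml";
            options.Wtrealm = "<app-id-uri>";
            // No Wreply: the handler builds it from the current request plus CallbackPath.
            // CallbackPath is relative to the app's PathBase, so with the app under
            // "/AzureADDemo" the Reply URL registered in AAD must be exactly
            // https://mydomain/AzureADDemo/signin-wsfed (scheme, host, path and case).
            options.CallbackPath = "/signin-wsfed"; // the default, stated explicitly
            options.SaveTokens = false;             // keep the raw token only if something needs it
        })
        .AddCookie(options =>
        {
            options.Cookie.Name = ".AspNet.SharedCookie";
            options.Cookie.HttpOnly = true;
            // Always, not None: the session cookie must never travel over plain HTTP.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // Lax suffices for the app cookie: it is issued in the response to the callback
            // POST and then sent on the top-level redirect to RedirectUri.
            options.Cookie.SameSite = SameSiteMode.Lax;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
            options.SlidingExpiration = false;
            // No LoginPath: challenges go to the WS-Fed scheme, so it would never be used.
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            app.UseHsts();
        }
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();
        app.UseAuthentication(); // before UseMvc so HttpContext.User is populated
        app.UseMvc(routes => routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}

public class HomeController : Controller
{
    // Starts sign-in: the handler redirects to AAD; AAD POSTs the token to /signin-wsfed;
    // the handler validates it, signs the user in with the cookie scheme and redirects here.
    [AllowAnonymous]
    public IActionResult SignIn()
    {
        var redirectUrl = Url.Action(nameof(Status), "Home");
        return Challenge(new AuthenticationProperties { RedirectUri = redirectUrl },
                         WsFederationDefaults.AuthenticationScheme);
    }

    // Reached only after a successful sign-in, so IsAuthenticated is true here.
    [Authorize]
    public IActionResult Status()
    {
        return Content($"Authenticated: {User.Identity.IsAuthenticated} as {User.Identity.Name}");
    }
}
```

The check to run after deploying under IIS is that the Reply URL in the AAD app registration equals, character for character, the scheme, host and PathBase-prefixed CallbackPath the server actually receives; Tratcher's note that AAD compares case-sensitively is the usual cause when the value looks right but still fails.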
