Let's get started!

This article assumes you are using your own code to perform the authentication to Azure Active Directory.

IMPORTANT: If you're using the Azure App Services or Azure Function Apps Authentication/Authorization feature, this article is not for you.

You are developing an Asp.Net OWIN or Asp.Net Core Authentication web application and integrating it with Azure Active Directory. You run into issues during the sign-in process, with no error message or any hint of what the problem might be. Some of the behaviors you might see are…

  • The dreaded infinite loop between your web app and Azure Active Directory.
  • After signing in to Azure Active Directory, you land back on your web application as if you had never signed in.
  • You land on your error page with no useful error message.

The purpose of this article is not to show you how to resolve the failed sign-in attempt. Rather, I want to show you how to troubleshoot and maybe expose the hidden error message. Once you have unraveled the hidden error message, hopefully that will lead you down a path to resolve the failed sign-in attempt.


This is where the OnAuthenticationFailed notification comes in handy…

In Asp.Net, you want to make sure your code looks something like this for the AuthenticationFailed event notification (in startup.auth.cs)…


In Asp.Net Core, you want to make sure your code looks something like this for the OnAuthenticationFailed event notification (in startup.cs)…


You can of course tweak this so that you can either send the error message to your logs or send it to a custom error page.
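One way to do both in Asp.Net Core, as an added example that is not the original post's code: the full exception goes to the server log, and only a single-line, URL-encoded message plus a trace id reaches the error page. The class name, the `/Home/Error` route and the query parameter names are assumptions; `OnRemoteFailure` is included as well because it covers failures such as an error response from the identity provider.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class OidcFailureDiagnostics
{
    // Call from ConfigureServices after the OpenID Connect handler is registered.
    // "/Home/Error" is an assumed error page route; change it to match your app.
    public static IServiceCollection AddOidcFailureDiagnostics(this IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            // Raised when processing the sign-in response throws (token validation, nonce, ...).
            options.Events.OnAuthenticationFailed = context =>
            {
                Report(context.HttpContext, context.Exception);
                context.HandleResponse(); // the redirect set in Report is the final response
                return Task.CompletedTask;
            };
            // Raised for remote failures, e.g. an error response or a correlation failure.
            options.Events.OnRemoteFailure = context =>
            {
                Report(context.HttpContext, context.Failure);
                context.HandleResponse();
                return Task.CompletedTask;
            };
        });
        return services;
    }

    private static void Report(HttpContext http, Exception ex)
    {
        // Full exception (inner exceptions and stack trace included) goes to the server log.
        var logger = http.RequestServices.GetRequiredService<ILoggerFactory>()
                         .CreateLogger("OidcFailureDiagnostics");
        logger.LogError(ex, "OIDC sign-in failed, trace id {TraceId}", http.TraceIdentifier);

        // Only a single-line, URL-encoded message reaches the address bar.
        var message = (ex?.Message ?? "unknown").Replace("\r", " ").Replace("\n", " ");
        http.Response.Redirect("/Home/Error?trace_id=" + Uri.EscapeDataString(http.TraceIdentifier)
            + "&error_message=" + Uri.EscapeDataString(message));
    }
}
```

The trace id in the query string lets you match what the user sees in the address bar (or what Fiddler captures) to the full log entry.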

At minimum, we should see the error message in the address bar…

or in the case of the infinite loop, see it in the Fiddler capture…


For more information about using Fiddler, check out our Blog post here…

For a list of Azure Active Directory errors and some tips on how to resolve them, check out the following article…
https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes

6 Thoughts to “Troubleshooting Asp.Net OWIN and Asp.Net Core Authentication sign-in failures with Azure Active Directory”

  1. raja ram


    // On Authentication Failed
    // Slight correction needed - shown below:
    options.Events = new JwtBearerEvents()
    {
        OnAuthenticationFailed = async(context) =>
        {
            String ErrorMessage = context.Exception.Message;
            String InnerErrorMessage = String.Empty;
            String RedirectError = String.Format("?error_message={0}", ErrorMessage);
            if (context.Exception.InnerException != null)
            {
                InnerErrorMessage = context.Exception.InnerException.Message;
                RedirectError = String.Format("{0}&inner_error={1}", RedirectError, InnerErrorMessage);
            }
            // or you can just throw it
            // throw new Exception(RedirectError);
            RedirectError = RedirectError.Replace("\r\n", " ");
            await context.Response.WriteAsync(RedirectError);
            context.Response.Redirect(RedirectError);
        },

    1. Bac Hoang [MSFT]

      Thanks for the feedback. Your method of using JwtBearerEvents is certainly valid for web API scenario. The scenario in this post is for web apps using OpenID Connect (OIDC).

  2. vishwesh

    I am facing issues with neither MessageReceived nor TokenValidated events firing upon successful AD authentication and redirection to redirect_url. When I create a custom method, say OnAuthenticationCompleted, in the home controller and provide that as the redirect_url, all constituents like id_token etc. are available in HttpRequest, but OwinContext is not getting populated due to the aforementioned event notifications not being fired.

    1. Bac Hoang [MSFT]

      Without looking at your code and the https traffic, it’s hard to provide a suggestion. Can you open a support case to investigate this further?

      1. vishwesh

        Thanks Bac, I was able to find and fix the issue, which was being introduced by the URL Rewriter module. I do, though, have a separate query, specifically for the case when I need a single endpoint for all subdomains, i.e. *.xyz.com, so when I start authentication from https://abc1.xyz.com or https://abc2.xyz.com, I would be redirected to https://SSO.xyz.com (configured in Azure AD) post authentication. I need to navigate back programmatically to https://abc1.xyz.com/welcome or https://abc2.xyz.com/welcome depending on where I started the flow. My larger question is how do I read the state parameter and make it available to MVC for further navigation.

        1. Bac Hoang [MSFT]

          Sure take a look at https://blogs.aaddevsup.xyz/2019/11/state-parameter-in-mvc-application/ for how to inject your own state into an MVC OIDC application to see if it helps.
