
I am working on an AngularJS SPA application calling an ASP.NET Web API.

I have registered both the Client as well as the Backend Application on the Azure AD.

My Client/Web Application is registered with the following details:

  1. Sign On URL: http://localhost:93
  2. APP ID URL : http://xyz.onmicrosoft.com/XYZLocalClient
  3. ClientID: 34A721C3-20E4-41D5-9BC1-486A99BF7C26
  4. Reply URL: http://localhost:93

I have given the permissions to other applications (delegated permission) for the client app to access the WebAPI (LocalWebAPI).

My WebAPI has the following setup:

  1. It is using the OWIN Middleware with the startup.cs file as:

    using System.Configuration;
    using System.IdentityModel.Tokens;
    using Microsoft.Owin.Security.ActiveDirectory;
    using Owin;

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }

        private void ConfigureAuth(IAppBuilder app)
        {
            var azureADBearerAuthOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            };

            azureADBearerAuthOptions.TokenValidationParameters = new TokenValidationParameters()
            {
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            };

            app.UseWindowsAzureActiveDirectoryBearerAuthentication(azureADBearerAuthOptions);
        }
    }

  2. It is registered on the Azure AD with the following parameters:

       1. SIGN-ON URL: http://localhost:93/Api/V1/
       2. APP ID URI: https://xyz.onmicrosoft.com/LocalCognia
       3. Reply URLs: http://localhost:93/Api/V1/*

My Web.Config file is:

    <add key="owin:AutomaticAppStartup" value="true"/>
    <add key="ida:Tenant" value="xyz.onmicrosoft.com" />
    <add key="ida:Audience" value="34A721C3-20E4-41D5-9BC1-486A99BF7C26" />

I have also decorated my controller with the [Authorize] Attribute.

Everything seems to be working fine. I am able to authenticate the user and able to access the resources from the WebAPI when I run my application from the Visual Studio 2015 environment (IIS Express).

But as soon as I deploy my application on the IIS Server, using the same parameters (except that the application is now on localhost:8087 and the reply URL for the client app is localhost:8087), I am getting the error 401: Unauthorized user on calling the WebAPI.

I am getting the token in the Headers for the WebAPI call, but still getting the error. Not sure of this behavior. Can someone please help on this?

It seems like you have the application correctly configured. The best guess is that there is some other authentication configuration (for example Windows Integrated Authentication) on the IIS server which is kicking in before the OWIN middleware. - Navya Canumalla

@NavyaCanumalla: Thanks for the reply. I did check on the IIS Server about the Windows Authentication, but that is also disabled. - user3041212

@user3041212 Did you solve this issue? I seem to have the same problem. - bmla

1 Answer


Please use the code below in your ConfigureAuth:

    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            },
        });
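Both the question's Startup class and the answer rely on the middleware matching the token's `aud` claim against `ida:Audience` and resolving `ida:Tenant` to a trusted issuer, but a 401 says nothing about which of those checks failed or whether the request even reached OWIN. The following diagnostic is an added example, not code from the question or the answer. It parses the bearer token read-only (no signature validation, so it must only ever feed a log, never an access decision), reports mismatches against the configured audience and the server clock, and, as a Web API message handler, only fires when the 401 was produced inside Web API. It assumes the System.IdentityModel.Tokens.Jwt 4.x package (the one that provides the `System.IdentityModel.Tokens.TokenValidationParameters` type used above); the class and handler names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Added example (hypothetical names). Read-only diagnostic for a 401 from the
// OWIN bearer middleware: the JWT is parsed WITHOUT validating its signature,
// so the output is for logging only and must never be used to grant access.
public static class BearerTokenDiagnostics
{
    // Returns one line per mismatch between the token and the configured audience
    // / server clock. An empty list means the claims line up and the 401 comes from
    // elsewhere (signature or issuer metadata, or IIS rejecting the request earlier).
    public static List<string> Explain(string authorizationHeader, string expectedAudience, DateTime utcNow)
    {
        var problems = new List<string>();

        if (string.IsNullOrWhiteSpace(authorizationHeader))
        {
            problems.Add("No Authorization header reached the API.");
            return problems;
        }

        AuthenticationHeaderValue header;
        if (!AuthenticationHeaderValue.TryParse(authorizationHeader, out header)
            || !string.Equals(header.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(header.Parameter))
        {
            problems.Add("Authorization header is not of the form 'Bearer <token>'.");
            return problems;
        }

        if (!new JwtSecurityTokenHandler().CanReadToken(header.Parameter))
        {
            problems.Add("Bearer value is not a readable JWT.");
            return problems;
        }

        // Parse only: no signature, issuer, audience or lifetime validation happens here.
        var jwt = new JwtSecurityToken(header.Parameter);

        // ValidAudience is matched against the token's 'aud' claim(s) as an exact string,
        // so also report the case where only the letter case of a GUID differs.
        var audiences = jwt.Claims.Where(c => c.Type == "aud").Select(c => c.Value).ToList();
        if (!audiences.Contains(expectedAudience, StringComparer.Ordinal))
        {
            var caseOnly = audiences.Contains(expectedAudience, StringComparer.OrdinalIgnoreCase);
            problems.Add(string.Format("Audience mismatch{0}: token aud=[{1}], ida:Audience='{2}'.",
                caseOnly ? " (differs only in case)" : "", string.Join(", ", audiences), expectedAudience));
        }

        // Lifetime checks against the API server's clock (ValidTo is DateTime.MinValue when no 'exp').
        if (jwt.ValidTo != DateTime.MinValue && jwt.ValidTo < utcNow)
            problems.Add(string.Format("Token expired at {0:u}; server clock is {1:u}.", jwt.ValidTo, utcNow));
        if (jwt.ValidFrom > utcNow.AddMinutes(5))
            problems.Add(string.Format("Token not valid before {0:u}; check server clock skew.", jwt.ValidFrom));

        // Context for the log entry (the issuer encodes the tenant the token was issued for).
        if (problems.Count > 0)
            problems.Add(string.Format("Token issuer: {0}", jwt.Issuer));

        return problems;
    }
}

// Usage: register once in WebApiConfig.Register with
//   config.MessageHandlers.Add(new BearerDiagnosticsHandler());
// Only the diagnostic lines are traced, never the token itself.
public class BearerDiagnosticsHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            var rawHeader = request.Headers.Authorization == null ? null : request.Headers.Authorization.ToString();
            var expected = ConfigurationManager.AppSettings["ida:Audience"];
            foreach (var line in BearerTokenDiagnostics.Explain(rawHeader, expected, DateTime.UtcNow))
                System.Diagnostics.Trace.TraceWarning("Bearer auth diagnostic: " + line);
        }
        return response;
    }
}
```

If a deployed API answers 401 but nothing at all is traced, the response was produced before the request reached Web API, which points at an IIS-level module rather than at the token; if only the issuer line appears, the claims match the configuration and the remaining suspects are signature validation and the middleware's download of the tenant's signing keys.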