0
votes

We have an on-prem asp.net core app that leverages AAD for authentication, the app is set up to run in both:

http://domainserver/app & https://domainserver/app

In Azure AD the reply url for the application is set up as http://domainserver/app/signin-oidc & https://domainserver/app/signin-oidc

When using http url, the sign-in process works fine, however in https mode, we get the following error:

AADSTS50011: The reply address ‘https://domainserver/app/signin-oidc’ does not match the reply addresses configured for the application: appguid . More details: not specified

The reply https url is set up in AAD for the App exactly as it appears in the error message, so I'm not sure why it says it's not matching. One reason I can think of is that the SSL certificate used for https is a local domain signed certificate, and somehow it's causing the error. But I'm not sure if that's the case since AAD is just responsible for redirecting back to the specified url, and should not really care or know about the validity of the SSL.

Here is the image showing the setting url, the redirect url and the error message url match exactly. You just have to trust me that the parts that are blocked out are also the same. :)

Anyone got any ideas why this happens?

1
Open your application manifest, and copy the contents of the reply url properties into your question. Thanks. - Shawn Tabrizi
@ShawnTabrizi, not sure what you mean by application manifest, but the redirect_url that's shown in the url parameter is the exact url that's in AAD reply url settings. - Y.Z.

1 Answers

2
votes

Protocol matters. Azure AD will treat http://website.com and https://website.com as different reply URLs. However, Azure only lets you put in multiple Reply URLs in the same domain. There is a case whose solution may be helpful to you:

Issue: Using the Azure AD authentication option to sign into the Skype for Business (SfB) Web SDK and you are seeing an AAD error page. The error page should have this message:

"AADSTS50011: The reply address 'https://...' does not match the reply addresses configured for the application <...>"

Solution:

You need to configure the main domain name where you're hosting your app as a reply URL in the AAD registration for your app and pass it as the redirect_uri when redirecting to AAD to allow the user to sign in.

You should be using code like this to redirect the user to enter her credentials to sign into Azure AD:

// client_id: the application (client) id from the AAD app registration (assumed to be defined elsewhere)
var href = 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=';
// redirect_uri must exactly match (scheme, host, path) a Reply URL registered for the app; URL-encode both parameters
href += encodeURIComponent(client_id) + '&resource=https://webdir.online.lync.com&redirect_uri=' + encodeURIComponent(window.location.href);
window.location.href = href;

Note that in the code above we are using window.location.href as the value of the redirect_uri query parameter in forming the URL of the AAD endpoint where the user will sign in. This parameter tells AAD to redirect the client browser and the access token obtained by signing into AAD back to the page we're currently on - the main app page. However, AAD will only redirect the access token to URLs that are specified as Reply URLs in the app registration in AAD.

Follow these steps to check your configured Reply URLs and add additional ones:

  1. Sign into portal.azure.com with an account that's an administrator on your tenant.

  2. Navigate to Azure Active Directory in the left side bar > App registrations > Your app > All settings > Reply URLs.

  3. Type the domain name where you're hosting your app and click Save.

This solution is from this document.


Update

According to your screenshot, your Reply URI is different:

https://domainserver/app/signin-oidc  

is not in your Reply URL list,

in your Reply URL list is

https://domainserver/app/signin-odic

Go and change them to the same URL.
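As an added example (not code from the question or the answer), here is a small checker that applies the rule the answer describes, that the scheme, host, port and path of redirect_uri must exactly equal a registered Reply URL, so a mismatch like the one in the screenshot can be diagnosed before the redirect to AAD is attempted. The registered list below is constructed to reproduce the question, and ignoring query strings is an assumption of this checker.

```javascript
// Added example, not code from the question or answer above: a checker that applies
// the rule the answer describes (scheme, host, port and path of redirect_uri must
// exactly equal a registered Reply URL) so a mismatch can be diagnosed before the
// redirect to AAD is attempted. Query strings are ignored here (assumption).

function replyUrlKey(raw) {
  const u = new URL(raw);
  // scheme and host compare case-insensitively (URL lower-cases them); path is kept as-is
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// Returns { ok, reason }: ok is true only on an exact match; otherwise reason names
// the closest registered entry and what differs (path first, then scheme).
function checkRedirectUri(redirectUri, registered) {
  const target = new URL(redirectUri);
  if (registered.some((r) => replyUrlKey(r) === replyUrlKey(redirectUri))) {
    return { ok: true, reason: 'exact match' };
  }
  const regs = registered.map((r) => new URL(r));
  const sameSchemeHost = regs.filter((r) => r.protocol === target.protocol && r.host === target.host);
  if (sameSchemeHost.length > 0) {
    const paths = sameSchemeHost.map((r) => `"${r.pathname}"`).join(', ');
    return { ok: false, reason: `path mismatch: registered ${paths}, requested "${target.pathname}"` };
  }
  const sameHostPath = regs.filter((r) => r.host === target.host && r.pathname === target.pathname);
  if (sameHostPath.length > 0) {
    return { ok: false, reason: `scheme mismatch: ${sameHostPath[0].protocol} registered, ${target.protocol} requested` };
  }
  return { ok: false, reason: 'no registered Reply URL shares this scheme, host and path' };
}

// Constructed sample registration reproducing the question: the https entry was
// saved as "signin-odic" instead of "signin-oidc".
const registeredReplyUrls = [
  'http://domainserver/app/signin-oidc',
  'https://domainserver/app/signin-odic',
];

console.log(checkRedirectUri('http://domainserver/app/signin-oidc', registeredReplyUrls));
console.log(checkRedirectUri('https://domainserver/app/signin-oidc', registeredReplyUrls));
```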