2
votes

I have a web application (ASP.NET Core MVC) which communicates with my REST API. Both of them are configured to use Azure Active Directory. Now I'm trying to configure Azure Front Door for the app, but I get the following error: enter image description here

or this one: enter image description here

I designed the Front Door for HTTPS redirection and configured the backend pool for the website to use its own host name.


I've also configured the forwarded headers:

    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders =
            ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();

        // Put your front door FQDN here and any other hosts that will send headers you want respected
        options.AllowedHosts = new List<string>() { "<my front door here>" };
    });

    ...

    app.UseForwardedHeaders();

However, I'm still getting the error. Any ideas?

Thanks.

1 Answer

0
votes

Please check the possible workarounds for a few causes:

  1. Firstly, please check that the reply URLs are configured correctly; they must be the same in the Azure portal and in the code (with the https protocol).

  2. Check if the callback path is set for the identity provider, something like /signin-oidc, for the redirect URL. (And make sure you have a unique callback if multiple URLs are used, as in the second reference.)

  3. Add the using Microsoft.AspNetCore.HttpOverrides; reference in the Startup.cs class.

     Also check and add app.UseHttpsRedirection(); above app.UseAuthentication(); in the Startup Configure method.

  4. If the ConfigureServices method in Startup.cs has

         services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
             .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

     The cause may be cookies not being set as secure. Try to store cookies as secure before the services.AddAuthentication call.

         services.Configure<CookiePolicyOptions>(options =>
         {
             options.CheckConsentNeeded = context => true; // add if consent needed
             options.MinimumSameSitePolicy = SameSiteMode.None; // else try SameSiteMode.Lax;

             options.Secure = CookieSecurePolicy.Always;
         });

     And call the cookie policy with app.UseCookiePolicy() right before the call to app.UseRouting() in the Configure() method in Startup.cs.

     Also try enabling the cookie settings in the browser.

  5. Also see if you can use XForwardedHost, as in "Using Azure Front Door with .NET Core | phillipsj.net".

  6. While adding the backend config in the Azure Front Door setup, try to leave the Backend host header field blank, as it is automatically generated to be the same as the host name and may cause issues for multiple domains.

References:

  1. solving-azure-ad-sign-in-failure-with-azure-front-door
  2. Asp.net Core 2.0 Identity with multiple OIDC providers
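
The steps from the answer above combined into a single Startup.cs, as an added example that is not part of the original answer or the asker's project. It assumes ASP.NET Core 3.1 or later with Microsoft.Identity.Web; the host name contoso.azurefd.net is a placeholder for the Front Door FQDN.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // XForwardedHost lets the OIDC handler build redirect_uri from the
            // Front Door host instead of the backend host name.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
            // Clearing these accepts forwarded headers from any sender, so the
            // backend should only be reachable through Front Door.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            // Placeholder host: only this X-Forwarded-Host value is honoured.
            options.AllowedHosts = new List<string> { "contoso.azurefd.net" };
        });
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.None;
            options.Secure = CookieSecurePolicy.Always;
        });
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseForwardedHeaders();   // first, so later middleware sees the original scheme and host
        app.UseHttpsRedirection();
        app.UseCookiePolicy();       // before UseRouting, as in the answer
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

The reply URL registered in Azure AD then has to be the Front Door address with the callback path (for example /signin-oidc), since that is the redirect_uri the app now sends.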