Home

Azure App proxy authentication issue

%3CLINGO-SUB%20id%3D%22lingo-sub-169238%22%20slang%3D%22en-US%22%3EAzure%20App%20proxy%20authentication%20issue%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169238%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22color%3A%20%23000000%3B%20font-family%3A%20'Segoe%20UI'%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2011px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%22%3EHi%2C%3C%2FP%3E%0A%3CP%20style%3D%22color%3A%20%23000000%3B%20font-family%3A%20'Segoe%20UI'%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2011px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22color%3A%20%23000000%3B%20font-family%3A%20'Segoe%20UI'%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2011px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%22%3EWe%20have%20a%20on%20premise%20app%20published%20on%20Azure%20and%20when%20I%20try%20to%20access%20the%20to%20the%20app%20API's%20I%20always%20get%20below%20error.%20User%20already%20have%20the%20access%20to%20App%20proxy%20and%20the%20app%20behind%20the%20proxy.%3C%2FP%3E%0A%3CP%20style%3D%22color%3A%20%23000000%3B%20font-family%3A%20'Segoe%20UI'%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2011px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22color%3A%20%23000000%3B%20font-family%3A%20'Segoe%20UI'%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2011px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%22%3EWhat%20access%20I%20need%20add%20in%20addition%20to%20proxy%20%26amp%3B%20App%20access.%20I%20am%20generating%20the%20token%20using%20client%20credentials%20flow.%3C%2FP%3E%0A%3CP%20style%3D%22color%3A%20%23000000%3B%20font-family%3A%20'Segoe%20UI'%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2011px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22color%3A%20%23000000%3B%20font-family%3A%20'Segoe%20UI'%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2011px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%22%3EAzure%20AD%20Application%20Proxy%3CBR%20%2F%3EStatus%20code%3A%20Unauthorized%3CBR%20%2F%3EUrl%3A%20https%3A%2Fproxyurl%2Fapi%252fV3%252fServiceCatalog%252fGetServiceCatalog%253fuserId%253d092f884b-cbb7-bd4e-2adf-7df54af892bb%2526isSc...%3CBR%20%2F%3ETransactionID%3A%20531bf554-43fd-4367-b20e-09b4182a0031%3CBR%20%2F%3ETimestamp%3A%203%2F6%2F2018%209%3A54%3A11%20AM%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20%23000000%3B%20font-family%3A%20'Segoe%20UI'%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2011px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%20display%3A%20inline%20!important%3B%20float%3A%20none%3B%22%3EAuthorization%20failed.%20Make%20sure%20to%20assign%20the%20user%20with%20access%20to%20this%20application.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-169238%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%20Apps%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eproxy%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-199460%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20App%20proxy%20authentication%20issue%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-199460%22%20slang%3D%22en-US%22%3E%3CP%3EI%20had%20the%20same%20problem%20with%20proxy%20app%20registrations%2C%20in%20our%20own%20domain%20and%20in%20a%20customer%20domain.%20The%20401%20error%20already%20occurs%20when%20acquiring%20a%20token%2C%20before%20trying%20to%20read%20or%20write%20any%20data.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20found%20a%20solution%2C%20hinted%20by%20a%20remark%20in%20this%20StackOverflow%20answer%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fstackoverflow.com%2Fquestions%2F34318059%2F401-error-when-authenticating-to-an-azure-api-app-using-aad%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fstackoverflow.com%2Fquestions%2F34318059%2F401-error-when-authenticating-to-an-azure-api-app-using-aad%3C%2FA%3E%3CBR%20%2F%3E%3CEM%3E%3CSPAN%3EYour%20problem%20have%20something%20to%20do%20with%20the%20valid%20audiences.%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EThe%20problem%20is%20that%20the%20%22audience%22%20of%20a%20proxy%20app%20is%20not%20in%20the%20active%20directory%20domain%2C%20but%20in%20msappproxy.net.%20Hence%2C%20it%20fails%20the%20audience%20check%20and%20a%20401%20eror%20is%20raised%20when%20attempting%20to%20get%20an%20access%20token%20relating%20to%20the%20AD%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20solution%3A%20create%20a%20second%20app%20registration%20for%20API%20access.%20In%20my%20case%2C%20the%20API%20part%20of%20the%20software%20just%20needed%20to%20read%20directory%20groups%20and%20member%20lists%2C%20that%20is%20possible%20independent%20from%20whoever%20is%20logged%20in%20through%20the%20web%20user%20interface%20if%20Microsoft%20graph%20is%20used.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20creating%20the%20second%20app%2C%20I%20use%20any%20name%20and%20a%20random%20Sign-on%20URL%20in%20my%20AD%20domain%3A%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20style%3D%22width%3A%20311px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F35186i0AB9ED1CFD7C7B49%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%2231-5-2018%2007-38-56.png%22%20title%3D%2231-5-2018%2007-38-56.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20second%20inclarity%20in%20the%20Azure%20Portal%20user%20interface%20is%20in%20granting%20the%20API%20application%20access.%3CBR%20%2F%3EWhen%20you%20go%20to%20Settings%20%26gt%3B%20Required%20permissions%2C%20you%20add%20some%20categories%20and%20click%20Save.%20However%2C%20the%20permissions%20are%20not%20effective%20until%20you%20%3CEM%3Ealso%3C%2FEM%3E%20clicked%20%22Grant%20access%22%20on%20top%20of%20the%20main%20%22Required%20permissions%22%20panel.%20As%20it%20is%20counter-intuitive%20that%20you%20have%20to%20click%20in%20two%20different%20places%20to%20save%20one%20setting%2C%20that%20is%20often%20overlooked%20by%20admins%20configuring%20our%20web%20API.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20578px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F35187i01610A8AEAFB02F4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%2231-5-2018%2007-48-31.png%22%20title%3D%2231-5-2018%2007-48-31.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-169320%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20App%20proxy%20authentication%20issue%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169320%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20logon%20to%20the%20server%20where%20the%20Azure%20AD%20Application%20Proxy%20is%20installed%2C%20you%20can%20examine%26nbsp%3B%20the%20Eventlogs%20with%20Eventviewer%3A%20%3CEM%3EStart%20%3D%26gt%3B%20CMD%20%3D%26gt%3B%20eventvwr%3C%2FEM%3E.%3C%2FP%3E%0A%3CP%3EUnder%20%3CEM%3EApplication%20and%20Services%20Logs%20%3D%26gt%3B%20Microsoft%20%3D%26gt%3B%20AadApplicationProxy%20%3D%26gt%3B%20Connector%20%3D%26gt%3B%20Admin%3C%2FEM%3E%20you%20can%20see%20the%20events%20regarding%20your%20application%20proxy.%20Search%20for%20errors%20or%20warnings%20regarding%20your%20application..%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20there%20aren't%20any%20logs%20generated%2C%20that%20means%20that%20there's%20something%20wrong%20with%20the%20configuration%20of%20the%20specific%20app%20in%20Azure%20AD%20and%26nbsp%3B%20that%20the%20traffic%20never%20lands%20on%20the%20Azure%20AD%20Application%20Proxy.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-169307%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20App%20proxy%20authentication%20issue%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169307%22%20slang%3D%22en-US%22%3EYes%20the%20users%20is%20available%20in%20the%20access%20list.%20I%20have%20not%20checked%20the%20AD%20logs%2C%20please%20let%20me%20know%20how%20to%20check%20them%20as%20I%20am%20not%20a%20AD%20expert.%20I%20can%20share%20them%20with%20you%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-169263%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20App%20proxy%20authentication%20issue%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-169263%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Shamprasad%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20error%20message%20suggests%20that%20you%20didn't%20authorize%20the%20user%20to%20the%20specific%20application.%20If%20you%20go%20to%20%3CEM%3EAzure%20Active%20Directory%20%3D%26gt%3B%20Enterprise%20Applications%20%3D%26gt%3B%20%22Application%20Name%22%3C%2FEM%3E.%3C%2FP%3E%0A%3CP%3EIs%20the%20user%20visible%20under%20%3CEM%3EUsers%20and%20Groups%3C%2FEM%3E%20there%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20that's%20not%20the%20problem%2C%20do%20you%20see%20any%20additional%20error%20messages%20in%20the%20eventlog%20on%20the%20Application%20Proxy%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%20regards%2C%3C%2FP%3E%0A%3CP%3ERuud%20Gijsbers%3C%2FP%3E%3C%2FLINGO-BODY%3E
Shamprasad RH
New Contributor

Hi,

 

We have a on premise app published on Azure and when I try to access the to the app API's I always get below error. User already have the access to App proxy and the app behind the proxy.

 

What access I need add in addition to proxy & App access. I am generating the token using client credentials flow.

 

Azure AD Application Proxy
Status code: Unauthorized
Url: https:/proxyurl/api%2fV3%2fServiceCatalog%2fGetServiceCatalog%3fuserId%3d092f884b-cbb7-bd4e-2adf-7df54af892bb%26isSc...
TransactionID: 531bf554-43fd-4367-b20e-09b4182a0031
Timestamp: 3/6/2018 9:54:11 AM

Authorization failed. Make sure to assign the user with access to this application.

4 Replies

Hi Shamprasad,

 

The error message suggests that you didn't authorize the user to the specific application. If you go to Azure Active Directory => Enterprise Applications => "Application Name".

Is the user visible under Users and Groups there?

 

If that's not the problem, do you see any additional error messages in the eventlog on the Application Proxy?

 

Best regards,

Ruud Gijsbers

Yes the users is available in the access list. I have not checked the AD logs, please let me know how to check them as I am not a AD expert. I can share them with you

If you logon to the server where the Azure AD Application Proxy is installed, you can examine  the Eventlogs with Eventviewer: Start => CMD => eventvwr.

Under Application and Services Logs => Microsoft => AadApplicationProxy => Connector => Admin you can see the events regarding your application proxy. Search for errors or warnings regarding your application..

 

If there aren't any logs generated, that means that there's something wrong with the configuration of the specific app in Azure AD and  that the traffic never lands on the Azure AD Application Proxy.

I had the same problem with proxy app registrations, in our own domain and in a customer domain. The 401 error already occurs when acquiring a token, before trying to read or write any data.

I found a solution, hinted by a remark in this StackOverflow answer:
https://stackoverflow.com/questions/34318059/401-error-when-authenticating-to-an-azure-api-app-using...
Your problem have something to do with the valid audiences.


The problem is that the "audience" of a proxy app is not in the active directory domain, but in msappproxy.net. Hence, it fails the audience check and a 401 eror is raised when attempting to get an access token relating to the AD domain.

 

My solution: create a second app registration for API access. In my case, the API part of the software just needed to read directory groups and member lists, that is possible independent from whoever is logged in through the web user interface if Microsoft graph is used.

 

When creating the second app, I use any name and a random Sign-on URL in my AD domain:31-5-2018 07-38-56.png

 

 

 

 

A second inclarity in the Azure Portal user interface is in granting the API application access.
When you go to Settings > Required permissions, you add some categories and click Save. However, the permissions are not effective until you also clicked "Grant access" on top of the main "Required permissions" panel. As it is counter-intuitive that you have to click in two different places to save one setting, that is often overlooked by admins configuring our web API.

31-5-2018 07-48-31.png

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
36 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies