Blog Post

Apps on Azure Blog
4 MIN READ

Public Preview: App Service Authentication Logs on Diagnostic Settings

YutangLin's avatar
YutangLin
Icon for Microsoft rankMicrosoft
May 30, 2024

A new log “AppServiceAuthenticationLogs” is now available in Public Preview for App Service resources on Windows. This would include Web Apps, Functions, and Logic Apps. If you would like to have more visibility into your App Service Authentication and would like to troubleshoot or self-diagnose issues, you can enable this log category to help with these scenarios. 

 

App Service Linux resources and Functions Consumption Plan (Linux and Windows) currently does not support this log. You may still see this log as an option in the Diagnostic Settings. However, if your resource is one of the unsupported scenarios, you will not see any logs despite enabling “AppServiceAuthenticationLogs”.

 

Like any Diagnostic Settings logs, this log could be enabled via Diagnostic Settings and will show up as “App Service Authentication Logs”. However, one important difference from the previous logs is that “AppServiceAuthenticationLogs” would be charged for the cost to export logs to various endpoints, in addition to the cost of using the endpoints (ie. Storage, Log Analytics). You can find more information on platform logs export pricing and a list of exportable logs on App Service 

 

The next section of the article will go more in depth into the different logs that will be emitted and will provide you with a better understanding about each log. 

 

Supported Logs

AppServiceAuthenticationLogs currently will only generate “Warning” and “Error” logs. No logs will be generated for successful App Service Authentication requests. 

 

Log Messages 

This section contains additional information for common Warning and Error logs that may be helpful for diagnosing potential issues. Please note that any suggested actions are only recommendations and that individual scenarios may differ. 

 

Warning Logs

Message 

Comment/Recommendation 

JWT validation failed: 

Audience validation failure   

May occur if the audience parameter in the incoming token is not specified as an allowed audience in your configuration, resulting in a 401 response code. The audience parameter specifies the resource that the token grants access to and typically should be the Client Id of your web app. 

IDX12741: JWT: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' must have three segments (JWS) or five segments (JWE)..   

Indicates an incorrectly formatted JWT token that may result in a 401 response code. 

 

Principal (isUser: False) failed single tenancy check for single tenant AAD app. 

Indicates that the incoming token did not come from the same tenant as the AAD application and there may be issues with single-tenancy. 

An authenticated principal (userhash: ***) for an API call failed authorization.  

-------------------------------

An authenticated principal (userhash: ***) for an API call has a cached failed authorization check. 

Expected to occur if the incoming token should not have access to the resource and will result in a 403 response code. If this is unexpected, then the authorization policies in your configuration may be incorrectly defined (check the allowed principals, allowed applications, and allowed tenants properties). 

Login token for '***' was rejected because contained an invalid 'nonce' claim. 

-------------------------------

Login token for '***' was rejected because it did not contain a 'nonce' claim. 

-------------------------------

Failed to read the 'Nonce' cookie for site '***' 

May occur if the login session takes too long to complete. The nonce claim is associated with the login session and will expire after a set time. If this occurs, attempt login again.  

 

Access was denied for '***' because this principal does not match any of the allowed applications. 

-------------------------------

Access was denied for '***' because this principal does not match any of the principal policies. 

-------------------------------

Access was denied for '***' because this principal does not match any of the allowed tenants. 

Expected to occur if the incoming token should not have access to the resource and will result in a 403 response code. If this is unexpected, then check that the relevant property (allowed principals, allowed applications, or allowed tenants) match the principal claims in the token. 

 

Error Logs

Message 

Comment/Recommendation 

HTTP proxy request encountered exception. 

Type: System.Net.Http.HttpRequestException 

Message: Connection refused 

-------------------------------

HTTP proxy request encountered exception. 

Type: System.Net.Http.HttpRequestException 

Message: Connection timed out 

Indicates that a request forwarding attempt failed and may manifest as a 5xx response code. A starting point is to investigate application logs to see why the request failed. For example, running extra containers or added load can result in latency due to resource contention.   

An error occurred while monitoring the file system: System.IO.InternalBufferOverflowException: Too many changes at once in directory:C:\home\data\.auth\tokens. 

May occur if your application has too much load; for example, if there are too many writes at a given time. Blob storage can be used instead of file storage to mitigate, trading more reliable storage for more writes. Can also disable token store if not needed. 

 

Failed to download OpenID configuration from '***'   

Occurs when an HTTP request to the Open ID configuration endpoint fails and may manifest with a 500 response code. This is sometimes transient, as a failed request will trigger another attempt and retries may succeed. If this error is consistently occurring, check that the Open ID endpoint specified in your configuration is correct and accessible from the context of your web app. 

Failed to read the 'AppServiceAuthSession' cookie for site '***': The signature of the encrypted data is invalid.  

-------------------------------

Failed to read the 'AppServiceAuthSession' cookie for site '***': Invalid length for a Base-64 char array or string.  

-------------------------------

Failed to read the 'AppServiceAuthSession' cookie for site '***': The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.   

Indicates a problem with validating or decrypting the session cookie. This may occur if there is an issue with encryption key rotation or the session cookie is malformed and may require logging in again.  

 

 

Updated May 30, 2024
Version 1.0
No CommentsBe the first to comment