Hi Ylian,
I'm trying Azure SSO integration and running into an error after signing in to Microsoft login page.
Error displayed:
Sorry, but we're having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX'.
All the appropriate fields have been filled out in MeshCentral config file along with callback url which matches what I have entered into Azure.
I've followed each step in your user guide ver 0.2.9 exactly however still experience the same error.
Are there any specific logs I should be checking to determine what the issue could be, or any thoughts as to what may be happening?
Happy to send further info to assist with troubleshooting.
Environment specs for troubleshooting error above:
MeshCentral ver: 0.5.44
OS running MeshCentral: Ubuntu 20.04 LTS (64bit)
NodeJS ver: 10.19.0
NPM ver: 6.14.5
MeshCentral running on built in DB.
Thanks
David.
Are you setting up Azure SSO for the MeshCentral default domain (empty string in the config.json) or for a different domain? If it's a different domain like "customer1" and there is no "dns" specified in the domain, the callback URL will be in all-lower case:
https://myserver.com/customer1/auth-azure-callback
Also if you try to access this callback URL using a browser, it should not show a 404 error. Let me know if that solves it, if not, I may add an extra server console command to look at the MeshCentral SSO state.
Hi Ylian,
I'm using the default domain, no other domains are defined in the config.
The following has been configured in Azure, the domain matches my primary and only MeshCentral domain.
https://mesh.mydomain.com/auth-azure-callback
When entering the call back URL in the browser I'm directed to Microsoft login page.
Thanks,
David.
So, what could be going on is that I set the callback to:
/auth-azure-callback
but it should be
https://mesh.mydomain.com/auth-azure-callback
I will add the option to specify the callback URL that is passed in, so that we can test this. Will be in the next version.
Ahh right that would make sense then.
There was a section in the config which was commented out under Azure for the callback URL. I uncommented this thinking it was going to specify the callback URL to override anything else presented to Azure. However, it looks like this may not be correct as I continued to experience the same issue.
Look forward to your next update.
Thanks
David.
Just published MeshCentral v0.5.45. You can now do this:
"azure": {
    "callbackurl": "https://server/auth-azure-callback", <-------------
    "newAccounts": true,
    "clientid": "00000000-0000-0000-0000-000000000000",
    "clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "tenantid": "00000000-0000-0000-0000-000000000000"
}
This will not change the URL MeshCentral will expect; it will still be "/auth-azure-callback". But it will change what is sent out to Azure. So put the full URL in that parameter and let me know if it works.
Also, if you run node node_modules/meshcentral --debug web you will see added debug information about that SSO setup.
@Ylianst is the setting supposed to be:
"__callbackurl": "https://mesh.example/auth-azure-callback",
OR
"callbackurl": "https://mesh.example/auth-azure-callback",
normally you use __ to comment something out, but all your examples in docs show it as __, so I don't know. It seems from my testing I need the __, but you show above without it.
You normally don't need to set the "callbackurl", so if it works for you, keep the "_". Initially I just put that there to remind administrators of the callback URL that needed to be registered with the IDP.
However, as a result of this issue, you can now specify the callback URL that you want reported to the IDP. If you need to do that, remove the "_" and put the full URL.
Again, this is only if you need to do so. Hope that makes sense.
@Ylianst Thank you for your efforts on this, I can now login using Azure AD.
I'm happy for this to be closed off.
I don't know if I can reopen this, but I faced the same problem, with only the default domain and a reverse proxy: the host part was set to "localhost". I managed to resolve the problem using "callbackUrl" instead of "path" in the following part:
var options = {
    callbackUrl: (typeof domain.authstrategies.saml.callbackurl == 'string') ? domain.authstrategies.saml.callbackurl : (url + 'auth-saml-callback'),
    entryPoint: domain.authstrategies.saml.idpurl,
    issuer: 'meshcentral'
};
From the passport documentation, path is combined with host, or both are replaced by callbackUrl.
Ok, changed it to "callbackUrl", it will be in v0.5.52 when it comes out. Don't hesitate to just open a new issue for this in the future.
Note that with this change, you MUST define the callbackUrl (you can't leave it with __ anymore)
Specifically relates to your comment here: https://github.com/Ylianst/MeshCentral/issues/1415#issuecomment-634447540