Troubleshoot Azure AD login problems

Created by j.moore, last modified by r.turner on 22 Jul 2020

If you are having problems logging in using Azure AD, check that the following items are configured correctly, then try the debug step at the end of this page.

CMS URL

  1. In the Management Console navigate to Global Settings.
  2. Look up the ContensisGuiURL setting and check if the Setting Value has https:// defined at the start of it (non-https will not work).

Contensis registration with Azure AD

Has Contensis been registered correctly with Azure AD? Double check that all steps have been carried out correctly in the Register Contensis with Azure AD article.

CMS settings

  1. In the Management Console navigate to Global Settings and make sure that all settings have been set correctly by following the Configure Contensis to use AD FS article.
  2. Double check that you can access the metadata endpoint specified in the global setting WsFederation_MetadataEndpoint. To do this, log on to the CMS server and run the following command in PowerShell:
Invoke-WebRequest https://adfs.contensis.com/FederationMetadata/2007-06/FederationMetadata.xml -UseBasicParsing

If the metadata endpoint is configured correctly you should get a StatusCode of 200 and the Content will start with <EntityDescriptor....

Machine.config machinekey validation

  1. Open the machine.config file on your CMS server. It can be found in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config
  2. Search for the <machineKey> element. You will see something like:
<machineKey validationKey="E1D4A7ACE716CC17B9BE3F1794AB117E7CB771B878253727" decryptionKey="E8969B07BF46F3FF659E008495F1EA5163EBDC0E50B6024E" validation="SHA1"/>

Make sure that the validation property is set to SHA1 and not anything else. If it is set to something else, change it and then restart IIS.
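
The two server-side checks above (metadata endpoint and machineKey validation) can be scripted. This is an added example, not Contensis code: the function names are hypothetical, and -MetadataEndpoint is assumed to be the value of your WsFederation_MetadataEndpoint setting. It reports only the validation algorithm and never prints the key values.

```powershell
# Added example (not Contensis code); function names are hypothetical.
param(
    # Value of the WsFederation_MetadataEndpoint global setting.
    [Parameter(Mandatory = $true)] [string] $MetadataEndpoint,
    [string] $MachineConfig = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
)

function Test-MetadataEndpoint([string] $Uri) {
    try {
        $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop
    } catch {
        return "FAIL metadata: request failed: $($_.Exception.Message)"
    }
    if ($resp.StatusCode -ne 200) { return "FAIL metadata: StatusCode $($resp.StatusCode)" }
    # Content may be a byte array if the server sends a non-text content type.
    $body = $resp.Content
    if ($body -is [byte[]]) { $body = [System.Text.Encoding]::UTF8.GetString($body) }
    try {
        # Strip a byte-order mark, then parse so an XML declaration before the root is tolerated.
        $doc = [xml]($body.TrimStart([char]0xFEFF))
    } catch {
        return 'FAIL metadata: response is not well-formed XML'
    }
    if ($doc.DocumentElement.LocalName -ne 'EntityDescriptor') {
        return "FAIL metadata: root element is <$($doc.DocumentElement.LocalName)>"
    }
    return 'OK metadata: StatusCode 200, root element EntityDescriptor'
}

function Test-MachineKeyValidation([string] $Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return "FAIL machineKey: $Path not found" }
    $cfg = [xml](Get-Content -LiteralPath $Path -Raw)
    $node = $cfg.SelectSingleNode('//machineKey')
    if ($null -eq $node) { return 'FAIL machineKey: no <machineKey> element in file' }
    # Report only the algorithm; validationKey and decryptionKey are never printed.
    $alg = $node.GetAttribute('validation')
    if ($alg -eq 'SHA1') { return 'OK machineKey: validation is SHA1' }
    return "FAIL machineKey: validation is '$alg'; set it to SHA1 and restart IIS"
}

Test-MetadataEndpoint $MetadataEndpoint
Test-MachineKeyValidation $MachineConfig
```

Run it on the CMS server itself so the request takes the same network path as the CMS.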

Debug using verbose logging

Follow the steps below to set up tracing on IdentityServer, then attempt to log in using Azure AD or log out. Any issues should appear in the logs.

Set up tracing on IdentityServer

<configuration>
  <system.diagnostics>
    <trace autoflush="true"
           indentsize="4">
      <listeners>
        <add name="myListener"
             type="System.Diagnostics.TextWriterTraceListener"
             initializeData="%some directory%/Trace.log" />
        <remove name="Default" />
      </listeners>
    </trace>
  </system.diagnostics>
</configuration>

  1. Add the XML above to the web.config file for the CMS instance, and change the Contensis_DebugInfoLevel to Debug in the same web.config.
  2. Ensure that the CMS has access to the directory specified in the initializeData setting.
  3. Save web.config.