Troubleshoot Azure AD login problems
If you are having problems logging in with Azure AD, here are some settings to check and a debug step you can try.
- In the Management Console navigate to Global Settings.
- Look up the ContensisGuiURL setting and check that the Setting Value starts with https:// (a non-https URL will not work).
Contensis registration with Azure AD
Has Contensis been registered correctly with Azure AD? Double check that every step in the Register Contensis with Azure AD article has been carried out.
- In the Management Console navigate to Global Settings and make sure that all settings have been set correctly by following the Configure Contensis to use AD FS article.
- Double check that the CMS server itself can reach the metadata endpoint specified in the global setting WsFederation_MetadataEndpoint (it is the server, not your workstation, that needs to fetch it). To do this, log on to the CMS server and run the following command in PowerShell:
Invoke-WebRequest https://adfs.contensis.com/FederationMetadata/2007-06/FederationMetadata.xml -UseBasicParsing
If the metadata endpoint is configured correctly you should get a StatusCode of 200 and Content that starts with <EntityDescriptor....
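The script below is an added example (not code from the Contensis documentation) that automates this check: it fetches the metadata endpoint, confirms the 200 status and the EntityDescriptor root, and then reads the entityID and the advertised signing certificates so you can compare them with what Contensis expects. The endpoint URL is taken from the command above; replace it with your own WsFederation_MetadataEndpoint value.

```powershell
# Added example, not part of the Contensis documentation.
# Verifies that a WS-Federation metadata endpoint is reachable from this server
# and that it returns an EntityDescriptor, then prints the identity provider's
# entityID and signing certificate(s).
param(
    # Assumed value: use the URL from your WsFederation_MetadataEndpoint global setting.
    [string]$MetadataEndpoint = 'https://adfs.contensis.com/FederationMetadata/2007-06/FederationMetadata.xml'
)

$ErrorActionPreference = 'Stop'

try {
    # -UseBasicParsing avoids the Internet Explorer dependency on locked-down servers.
    $response = Invoke-WebRequest -Uri $MetadataEndpoint -UseBasicParsing -TimeoutSec 30
}
catch {
    Write-Host "Request to $MetadataEndpoint failed: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

if ($response.StatusCode -ne 200) {
    Write-Host "Unexpected StatusCode $($response.StatusCode); expected 200" -ForegroundColor Red
    exit 1
}

# Strip a UTF-8 BOM if one is present, then parse the body as XML.
$content = $response.Content.TrimStart([char]0xFEFF)
[xml]$metadata = $content
$root = $metadata.DocumentElement

if ($root.LocalName -ne 'EntityDescriptor') {
    Write-Host "Content does not start with <EntityDescriptor>; root element is <$($root.LocalName)>" -ForegroundColor Red
    exit 1
}

Write-Host "StatusCode: $($response.StatusCode)"
Write-Host "entityID:   $($root.GetAttribute('entityID'))"

# List the signing certificates the identity provider advertises. The namespaces
# are the standard SAML metadata and XML-DSig namespaces used by federation metadata.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$seen = @{}
foreach ($node in $metadata.SelectNodes($xpath, $ns)) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }   # the same cert is often listed under several roles
    $seen[$cert.Thumbprint] = $true
    Write-Host ("Signing cert: {0}  thumbprint {1}  expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}
```

Run it as `.\Check-FederationMetadata.ps1 -MetadataEndpoint <your endpoint>` on the CMS server. A non-zero exit code means one of the three checks (reachability, status 200, EntityDescriptor root) failed; an expired or unexpected signing certificate in the output is a common reason a login that used to work has stopped.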
Machine.config machinekey validation
- Open the machine.config file on your CMS server. It can be found in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config (if the CMS application pool runs as 32-bit, the copy under Framework rather than Framework64 is the one in use).
- Search for <machineKey>; you will see something like the following (the key values shown are an example only, your file will contain its own):
<machineKey validationKey="E1D4A7ACE716CC17B9BE3F1794AB117E7CB771B878253727" decryptionKey="E8969B07BF46F3FF659E008495F1EA5163EBDC0E50B6024E" validation="SHA1"/>
Make sure that the validation attribute is set to SHA1 and not anything else. If it is set to something else, change it, save the file and then restart IIS (iisreset).
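The following script is an added example (not code from the Contensis documentation) that performs this check from PowerShell. It works out whether the CMS application pool is 32-bit or 64-bit so that it opens the machine.config that is actually in use, reports the validation attribute, and with -Fix backs the file up, sets validation to SHA1 and restarts IIS. The application pool name is an assumption; pass your own with -AppPoolName.

```powershell
# Added example, not part of the Contensis documentation.
# Checks (and optionally fixes) the <machineKey> validation attribute in the
# machine.config used by the CMS application pool. Run in an elevated prompt.
param(
    [string]$AppPoolName = 'Contensis',   # assumed name; check IIS Manager for the real one
    [switch]$Fix
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# A 32-bit app pool reads Framework\, a 64-bit one reads Framework64\.
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
$frameworkDir = if ($pool.enable32BitAppOnWin64) { 'Framework' } else { 'Framework64' }
$machineConfig = Join-Path $env:windir "Microsoft.NET\$frameworkDir\v4.0.30319\Config\machine.config"
Write-Host "App pool '$AppPoolName' (32-bit: $($pool.enable32BitAppOnWin64)) uses $machineConfig"

[xml]$config = Get-Content -Path $machineConfig -Raw
$machineKey = $config.SelectSingleNode('/configuration/system.web/machineKey')

if ($null -eq $machineKey) {
    Write-Host "No explicit <machineKey> element found under <system.web> in $machineConfig" -ForegroundColor Yellow
    exit 1
}

$validation = $machineKey.GetAttribute('validation')
if ($validation -eq 'SHA1') {
    Write-Host "machineKey validation is SHA1: OK" -ForegroundColor Green
    exit 0
}

Write-Host "machineKey validation is '$validation'; expected SHA1" -ForegroundColor Yellow
if (-not $Fix) {
    Write-Host "Re-run with -Fix to change it and restart IIS."
    exit 1
}

# Back up the machine-wide file before editing it, then change only the one attribute.
$backup = "$machineConfig.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -Path $machineConfig -Destination $backup
Write-Host "Backup written to $backup"

$machineKey.SetAttribute('validation', 'SHA1')
$config.Save($machineConfig)
Write-Host "validation set to SHA1; restarting IIS"
iisreset
```

Because machine.config is shared by every .NET application on the server, review the backup diff before running with -Fix on a box that hosts anything besides Contensis, and do not copy the validationKey or decryptionKey values from one server to another unless the servers are intended to share them.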
Debug using verbose logging
Follow the steps below to set up tracing on IdentityServer, then attempt to log in using Azure AD or log out. Any issues should be visible in the resulting log file.
Set up tracing on IdentityServer
<configuration>
  <system.diagnostics>
    <trace autoflush="true" indentsize="4">
      <listeners>
        <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="%some directory%/Trace.log" />
        <remove name="Default" />
      </listeners>
    </trace>
  </system.diagnostics>
</configuration>
- Add the <system.diagnostics> element above inside the existing <configuration> element of the web.config file for the CMS instance (web.config already has a <configuration> root, so do not add a second one), and change Contensis_DebugInfoLevel to Debug in the same web.config.
- Ensure that the CMS application pool identity has write access to the directory specified in the initializeData setting, otherwise no Trace.log will be written.
- Save web.config. Saving it recycles the application, so the new settings take effect on the next login attempt. When you have finished, remove the listener and set Contensis_DebugInfoLevel back to its previous value, as the verbose log can contain sensitive request details.