Issues Deploying Blazor Server App with Azure Authentication

bmanstey 20 Reputation points
2024-12-05T14:00:53.0566667+00:00

I have a blazor app that i've built for my company that uses azure authentication. When testing it locally it works like a charm with the localhost certificate. Once i went to deploy to IIS on a web server I cannot get the app to allow sign in.

I have worked with the systems engineers at my company to create a certificate from our domain controller and uploaded this new certificate to Azure AD as well as updated the corresponding thumbprint in the appsettings file. The azure logs show success for the authentication, but I get a generic "We couldn't sign you in" message after attempting to login. It looks like webpage is looping when it's attempting the login (not sure if thats relevant). In IIS i have created a new site and using web deploy, deployed the application to the new site. The bindings are set to use https and the certificate (it was imported to the web server). Included below is my appsettings (obviously with the specifics redacted). Any indication as to what I'm doing wrong would be much appreciated.

"AzureAd": {

"Instance": "https://login.microsoftonline.com/",

"Domain": "MyCompany.com",

"TenantId": "REDACTED",

"ClientId": "REDACTED",

"ClientCertificates": [

{

"SourceType": "StoreWithThumbprint",

"CertificateStorePath": "CurrentUser/My",

"CertificateThumbprint": "REDACTED"

}

],

"CallbackPath": "/signin-oidc"

},

"MicrosoftGraph": {

"BaseUrl": "https://graph.microsoft.com/v1.0/me",

"Scopes": [ "user.read" ]

}

Internet Information Services
Blazor
Blazor
A free and open-source web framework that enables developers to create web apps using C# and HTML being developed by Microsoft.
1,636 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,093 questions
{count} votes

Accepted answer
  1. ajkuma 27,851 Reputation points Microsoft Employee
    2024-12-09T19:17:34.8466667+00:00

    bmanstey, Following-up from my comments.

    Scenario:
    Developed a Blazor Server application that integrates Azure Authentication/Azure AD/Microsoft Entra. The app works seamlessly on localhost during testing, using a localhost certificate. However, issues arise when deploying the application to IIS on a web server, specifically related to the Azure authentication process.

    Issue:

    When the application is deployed to IIS with a certificate created from the domain controller and uploaded to Azure AD (with the thumbprint updated in the appsettings file), the app fails to sign users in. Azure logs show successful authentication, but users encounter a "We couldn't sign you in" message. The browser appears to loop during the login process.

    Issue was resolved by @bmanstey (Thank you). Copied the answer/solution that worked.

    There were 2 issues that needed to be addressed to resolve this problem:

    1. When deploying to the IIS web server the certificate being used was a machine cert not a user cert so in the appsettings "CertificateStorePath": "CurrentUser/My" needed to be replaced with "CertificateStorePath": "LocalMachine/My".
    2. The account running the IIS application pool for the site needs to be granted access to the certificate used. The process for which can be found in this article. Providing IIS Application Pool Identity read access to a certificate in the Local Computer Personal Certificate Store
    • Note: This post contains URL to third party site (above) not monitored by Microsoft. Exercise caution while navigating within the site.

    Please click Accept Answer to benefit the community find answers quickly to similar question.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. bmanstey 20 Reputation points
    2024-12-06T14:16:36.42+00:00

    After extensive troubleshooting the issue has been resolved. There were 2 issues that needed to be addressed to resolve this problem.

    1. When deploying to the IIS web server the certificate being used was a machine cert not a user cert so in the appsettings "CertificateStorePath": "CurrentUser/My" needed to be replaced with "CertificateStorePath": "LocalMachine/My".
    2. The account running the IIS application pool for the site needs to be granted access to the certificate used. The process for which can be found in this article. Providing IIS Application Pool Identity read access to a certificate in the Local Computer Personal Certificate Store

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.