We've encountered very strange issue after deploying Umbraco to Azure App Service and enabling pre-authentication for it. Single Sign-On isn't enabled, so users have to authenticate twice: once to pass Azure AD pre-authentication, and once - on regular Umbraco login page.
When pre-auth is off, the HTTP requests sent when a user submits his credentials are:
POST request to /umbraco/backoffice/UmbracoApi/Authentication/PostLogin with 200 OK response,
GET request to /umbraco/ServerVariables with 200 OK response.
But when pre-authentication is enabled, then the 2nd request fails with 401 response and with text message You do not have permission to view this directory or page.
Any idea what could cause this? How can I know whether this request hit Umbraco at all?
Solved by adding this environment variable to the webapp, on its Configuration --> Application settings page:
WEBSITE_AUTH_DISABLE_IDENTITY_FLOW = true
Then the Thread.CurrentPrincipal ASP.Net variable used by Umbraco code isn't affected by the EasyAuth. As said here, "this is designed to allow developers to protect access to their site with auth, but still have it use a separate login mechanism within their app logic".
Umbraco forms login fails, if Azure App Service pre-authentication is enabled
Good day,
We've encountered very strange issue after deploying Umbraco to Azure App Service and enabling pre-authentication for it. Single Sign-On isn't enabled, so users have to authenticate twice: once to pass Azure AD pre-authentication, and once - on regular Umbraco login page.
When pre-auth is off, the HTTP requests sent when a user submits his credentials are:
/umbraco/backoffice/UmbracoApi/Authentication/PostLoginwith200 OKresponse,/umbraco/ServerVariableswith200 OKresponse.But when pre-authentication is enabled, then the 2nd request fails with
401response and with text messageYou do not have permission to view this directory or page.Any idea what could cause this? How can I know whether this request hit Umbraco at all?
Thanks, Mucius.
Umbraco version: 7.5.4 assembly: 1.0.6136.27241
Self-reply:
Turns out, the EasyAuth mechanism used by Azure to provide pre-authentication for webapps isn't completely isolated from the webapps code: https://shazwazza.com/post/getting-umbraco-to-work-with-azure-easy-auth
Solved by adding this environment variable to the webapp, on its
Configuration --> Application settingspage:Then the
Thread.CurrentPrincipalASP.Net variable used by Umbraco code isn't affected by the EasyAuth. As said here, "this is designed to allow developers to protect access to their site with auth, but still have it use a separate login mechanism within their app logic".is working on a reply...