Wednesday, January 6, 2016

Azure Active Directory - Get Tenant Id from Tenant Name

The question "How do I get my Tenant Id?" has come up several times, so I thought I would blog it.

You can do that by going to the OpenID Connect discovery document for your tenant, where TenantName is one of the domain names of your tenant.

For example, for my tenant it returns

{"authorization_endpoint":"","token_endpoint":"","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt"],"jwks_uri":"","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","token id_token","token"],"scopes_supported":["openid"],"issuer":"","claims_supported":["sub","iss","aud","exp","iat","auth_time","acr","amr","nonce","email","given_name","family_name","nickname"],"microsoft_multi_refresh_token":true,"check_session_iframe":"","end_session_endpoint":"","userinfo_endpoint":""}

This document contains my Tenant Id, 46650ea8-7413-4415-82c6-f891fc15a31e: it is the GUID that appears in the issuer and the tenant-specific endpoint URLs. Note that the discovery endpoint is anonymous, so anyone can resolve a tenant's domain name to its tenant id this way; treat the tenant id as an identifier, not as a secret.
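As an added example (not code from the post), the lookup above written as a small script: it pulls the tenant GUID out of the issuer, refuses a document whose endpoints name a different tenant, and shows the check an app should then make on incoming tokens (issuer and tid must match the tenant it resolved). The discovery URL layout, the endpoint URL shapes and the sample document are assumptions, since the post does not quote them; the GUID is the one from the post.

```python
"""Resolve an Azure AD tenant id from a tenant (domain) name via the
OpenID Connect discovery document, and cross-check it against the
endpoints in the same document."""
import json
import re
import urllib.request

# Azure AD tenant ids are GUIDs; this pattern pulls them out of URLs
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def discovery_url(tenant_name: str) -> str:
    """Discovery URL for a tenant. Assumed layout: the post does not quote the URL."""
    return f"https://login.microsoftonline.com/{tenant_name}/.well-known/openid-configuration"


def tenant_id_from_document(doc: dict) -> str:
    """Return the tenant id named by the discovery document's issuer.

    Every tenant-scoped URL in the document must carry the same GUID; a
    document whose endpoints disagree with its issuer is rejected rather
    than trusted.
    """
    issuer = doc.get("issuer", "")
    match = GUID_RE.search(issuer)
    if not match:
        raise ValueError(f"issuer does not contain a tenant GUID: {issuer!r}")
    tenant_id = match.group(0).lower()
    for key in ("authorization_endpoint", "token_endpoint", "end_session_endpoint"):
        other = GUID_RE.search(doc.get(key, ""))
        if other and other.group(0).lower() != tenant_id:
            raise ValueError(f"{key} belongs to a different tenant than the issuer")
    return tenant_id


def token_is_from_tenant(claims: dict, doc: dict) -> bool:
    """Check that a decoded token's iss/tid claims match the discovery document.

    An app that skips this check accepts tokens minted by any Azure AD
    tenant for its client id, not just the tenant it resolved.
    """
    tenant_id = tenant_id_from_document(doc)
    return (claims.get("iss") == doc.get("issuer")
            and claims.get("tid", "").lower() == tenant_id)


def fetch_tenant_id(tenant_name: str, opener=urllib.request.urlopen) -> str:
    """Live lookup (needs network); the opener is injectable for tests."""
    with opener(discovery_url(tenant_name), timeout=10) as resp:
        return tenant_id_from_document(json.load(resp))


# Constructed sample document: the GUID is the one from the post, the URL
# shapes are assumptions about how Azure AD fills in the endpoints.
TENANT = "46650ea8-7413-4415-82c6-f891fc15a31e"
SAMPLE_DOC = {
    "issuer": f"https://sts.windows.net/{TENANT}/",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/token",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/logout",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
}

if __name__ == "__main__":
    print(tenant_id_from_document(SAMPLE_DOC))
```

Run it offline against SAMPLE_DOC, or call fetch_tenant_id("contoso.onmicrosoft.com") with network access; in either case the GUID you get back is the value to compare against the tid claim of tokens your app receives.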

Monday, September 28, 2015

One or more errors occurred while publishing Azure Cloud Service from Visual Studio

Recently, I was trying to publish my Azure Cloud Service from Visual Studio and kept getting the error "One or more errors occurred".

I couldn't find any more details in the Output window and was wondering what went wrong.
Finally I looked at Server Explorer, and it showed "Re-enter your credentials".

After right-clicking and re-entering the credentials, I was finally able to publish the cloud service.

Friday, August 28, 2015

AADSTS65001: No permission to access user information is configured for xxx' application, or it is expired or revoked

Recently, I had built an AAD application in my tenant with the permission “Enable single sign-on and read user’s profile”.

The application didn't have admin consent, so any time a user logged in to my site he would be asked for consent. Some users had already consented to my app.

After some time, I added another permission, "Access Azure Service Management", to my app, and I was able to log in fine. Users who had never consented to my app earlier could also sign in. However, users who had already consented to my app before I added the new permission started seeing this error: "AADSTS65001: No permission to access user information is configured for xxx' application, or it is expired or revoked."

I was really confused why the app worked for some users but not for others.

After understanding the pattern that the error occurs only for users who had already consented, I asked them to perform the following workaround. Their existing consent grant covers only the permission they originally agreed to and is not extended when the app's required permissions change; removing the app deletes that grant, so the next sign-in prompts for the full set:

  1. Go to
  2. Remove the app
  3. Sign in again to the app in a fresh browser session
  4. Now you will see the consent prompt for two permission
  5. Grant consent   

After this, all users were able to login successfully.

Tuesday, March 31, 2015

FiddlerCore - ByPass Intranet Traffic

Found a nice trick to keep intranet traffic from being routed through FiddlerCore. The <local> token is the same one the WinINET proxy bypass list uses: it matches hostnames without a dot, which is what intranet hosts usually look like.

// Requests to dotless (intranet) hostnames go directly to the server instead of through the FiddlerCore proxy
CONFIG.sHostsThatBypassFiddler = "<local>";

Friday, February 27, 2015

Comparing X509Certificate Subject with User Input

Recently I ran into an issue when comparing the subject name of an X509Certificate with user input.
The subject a user sees in the certificate's properties dialog has spaces around the equals sign,
e.g. CN = xxx

However, the Subject property of an X509Certificate2 object has no spaces,
e.g. CN=xxx

A plain string comparison of the two therefore fails.
The fix was to parse both strings with X500DistinguishedName and compare the decoded, normalized forms. Keep in mind that a subject match only proves the certificate carries that name; if the match decides trust, also check the thumbprint or validate the chain, because anyone who can obtain a certificate with that subject passes the name check. Below is a snippet.

using System;
using System.Security.Cryptography.X509Certificates;

X509Certificate2 certificate = new X509Certificate2(@"xxx.cer");
// certificate.Subject results in CN=xxx, while the user-facing form is "CN = xxx"
// Parsing both strings normalizes whitespace and formatting differences away
X500DistinguishedName certificateSubjectName = new X500DistinguishedName(certificate.Subject);
X500DistinguishedName configuredSubjectName = new X500DistinguishedName("CN = xxx");
// Ordinal: a distinguished name is an identifier, not text, so culture-sensitive rules must not apply
bool result = string.Equals(certificateSubjectName.Decode(X500DistinguishedNameFlags.None), configuredSubjectName.Decode(X500DistinguishedNameFlags.None), StringComparison.Ordinal);
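The normalization the .NET round trip performs is worth seeing spelled out, so here is an added example (my code, not the post's) of a small RFC 4514 distinguished-name parser that compares names by structure: attribute types are case-insensitive and may be given as OIDs, padding around the separators is insignificant, escaped characters are decoded, values inside a multi-valued RDN are unordered, but RDN order is kept because CN=a,O=b and O=b,CN=a are different names. The alias table is a partial one I chose for the example.

```python
"""Compare X.500 distinguished names by structure, not by raw string.

"CN = xxx" and "CN=xxx" compare equal; "CN=xxx" and "CN=XXX" do not.
"""

# Partial table of attribute-type synonyms and dotted OIDs (example data; extend as needed)
_TYPE_ALIASES = {
    "2.5.4.3": "CN", "COMMONNAME": "CN",
    "2.5.4.10": "O", "ORGANIZATIONNAME": "O",
    "2.5.4.11": "OU", "ORGANIZATIONALUNITNAME": "OU",
    "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "S": "ST",
    "1.2.840.113549.1.9.1": "EMAILADDRESS", "E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS",
}
_SPECIAL = ',+"\\<>;='          # characters that must be backslash-escaped in a value
_HEX = "0123456789abcdefABCDEF"


def _split_unescaped(text: str, sep: str) -> list:
    """Split on sep, ignoring separators preceded by a backslash escape."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair intact for _unescape
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _strip_value(value: str) -> str:
    """Drop insignificant surrounding spaces; an escaped trailing space is significant."""
    value = value.lstrip(" ")
    while value.endswith(" "):
        body = value[:-1]
        if (len(body) - len(body.rstrip("\\"))) % 2 == 1:
            break
        value = body
    return value


def _unescape(value: str) -> str:
    """Undo backslash escapes, including \\XX hex pairs (bytes of UTF-8)."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        buf.extend(value[i].encode("utf-8"))
        i += 1
    return buf.decode("utf-8")


def _escape(value: str) -> str:
    """Re-escape a value so canonical_dn() output parses back to the same name."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_dn(dn: str) -> list:
    """Parse a string DN into RDNs; each RDN is a sorted list of (type, value) pairs."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, eq, raw_value = ava.partition("=")
            if not eq:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr_type = attr_type.strip().upper()
            attr_type = _TYPE_ALIASES.get(attr_type, attr_type)
            avas.append((attr_type, _unescape(_strip_value(raw_value))))
        rdns.append(sorted(avas))     # order inside one RDN is not significant
    return rdns


def canonical_dn(dn: str) -> str:
    """One canonical string per name: uppercase types, no padding, RFC 4514 escaping."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in parse_dn(dn))


def dn_equal(a: str, b: str) -> bool:
    """Structural comparison; the check a raw string comparison was missing."""
    return parse_dn(a) == parse_dn(b)
```

dn_equal("CN = xxx", "CN=xxx") is the post's case; canonical_dn is what you store if you want a single comparable form, for example as a configured expected subject.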


Monday, November 24, 2014

Capturing traffic from .Net app to https://localhost using Fiddler

Recently I was trying to capture traffic from my .NET app to a site hosted in IIS Express at https://localhost:port.
The issue was that Fiddler wasn't capturing these requests: the .NET HTTP stack does not send requests for localhost through the proxy, so they never reach Fiddler. I found alternatives such as using the IP address or the machine name, but those result in certificate errors because the host name no longer matches the certificate.

Finally I found the option of using https://localhost.fiddler:port instead of https://localhost:port. Fiddler treats localhost.fiddler as an alias for the local machine, and because the name is not "localhost" the request goes through the proxy and shows up in Fiddler.