Application '' is not configured as a multi-tenant application

Question

I am trying to develop a single-tenant application and I am receiving the following error message when signing in:

"Application '(app ID)' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant."

  1. I verified in the Azure AD portal, under the 'App Registrations' => 'Authentication' => 'Supported Account Types' section, that the 'Accounts in this organizational directory only (###### only - Single tenant)' option had been selected.

I then made certain, inside my code, that the 'https://login.microsoftonline.com/{tenantID}' endpoint is in use. Stated differently, there is no mention of the '/common' endpoint anywhere in the code.

    Private Shared appId As String = ConfigurationManager.AppSettings("ida:ClientId")
    Private Shared appSecret As String = ConfigurationManager.AppSettings("ida:ClientSecret")
    Private Shared redirectUri As String = ConfigurationManager.AppSettings("ida:PostLogoutRedirectUri")
    Private Shared graphScopes As String = ConfigurationManager.AppSettings("ida:AppScopes")
    Private Shared sAzureAdInstance As String = "https://login.microsoftonline.com/"
    Private Shared sTenant As String = ConfigurationManager.AppSettings("ida:TenantId")
    Private Shared sAuthority As String = sAzureAdInstance & sTenant

    Public Sub ConfigureAuth(ByVal app As IAppBuilder)
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
        app.UseCookieAuthentication(New CookieAuthenticationOptions())
        app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions With {
            .ClientId = appId,
            .Scope = $"openid email profile offline_access {graphScopes}",
            .Authority = sAuthority,
            .RedirectUri = redirectUri,
            .PostLogoutRedirectUri = redirectUri,
            .TokenValidationParameters = New TokenValidationParameters With {
                .ValidateIssuer = False
            },
            .Notifications = New OpenIdConnectAuthenticationNotifications With {
                .AuthenticationFailed = AddressOf OnAuthenticationFailedAsync,
                .AuthorizationCodeReceived = AddressOf OnAuthorizationCodeReceivedAsync
            }
        })

    End Sub

I am expecting my app to run in single-tenant mode. I am unable to find meaningful documentation relating to this issue.

I have isolated the erroneous method in my code and the following snippet shows its context:

Dim signedInUser = New ClaimsPrincipal(notification.AuthenticationTicket.Identity)
Dim idClient As IConfidentialClientApplication = ConfidentialClientApplicationBuilder.Create(appId).WithRedirectUri(redirectUri).WithClientSecret(appSecret).Build()
Dim scopes As String() = graphScopes.Split(" "c)
'NOTE:  The scopes string array contains the following two values: User.Read and Calendars.Read.
Dim authResult = Await idClient.AcquireTokenByAuthorizationCode(scopes, notification.Code).ExecuteAsync()
'EXECUTION HALTS HERE

I cannot discern the correlation between the AcquireTokenByAuthorizationCode() method and the error message. It is not readily apparent to me what might be wrong.

Any assistance is greatly appreciated.

Answer

I am not very familiar with VB, but by referring to the C# code, you may manually specify the Authority:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/common/v2.0
        Authority = Globals.Authority,
        ClientId = Globals.ClientId,
        RedirectUri = Globals.RedirectUri,
        PostLogoutRedirectUri = Globals.RedirectUri,
        Scope = Globals.BasicSignInScopes + " Mail.Read", // a basic set of permissions for user sign in & profile access "openid profile offline_access"
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            // In a real application you would use IssuerValidator for additional checks, like making sure the user's organization has signed up for your app.
            //     IssuerValidator = (issuer, token, tvp) =>
            //     {
            //        //if(MyCustomTenantValidation(issuer))
            //        return issuer;
            //        //else
            //        //    throw new SecurityTokenInvalidIssuerException("Invalid issuer");
            //    },
            //NameClaimType = "name",
        },
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            AuthorizationCodeReceived = OnAuthorizationCodeReceived,
            AuthenticationFailed = OnAuthenticationFailed,
        }
    });

It seems that https://login.microsoftonline.com/common/v2.0 will be used by default. So you may change the value to https://login.microsoftonline.com/{your_tenant}/v2.0

Update:

You can create a new VB web project, and choose to use Azure AD single-tenant authentication.

And then you will get a workable sample:

Partial Public Class Startup
    Private Shared clientId As String = ConfigurationManager.AppSettings("ida:ClientId")
    Private Shared aadInstance As String = EnsureTrailingSlash(ConfigurationManager.AppSettings("ida:AADInstance"))
    Private Shared tenantId As String = ConfigurationManager.AppSettings("ida:TenantId")
    Private Shared postLogoutRedirectUri As String = ConfigurationManager.AppSettings("ida:PostLogoutRedirectUri")
    Private Shared authority As String = aadInstance & tenantId

    Public Sub ConfigureAuth(app As IAppBuilder)
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)

        app.UseCookieAuthentication(New CookieAuthenticationOptions())

        app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions() With {
            .ClientId = clientId,
            .Authority = authority,
            .PostLogoutRedirectUri = postLogoutRedirectUri
        })
    End Sub
End Class

It is also supported to specify the Authority. And you can see that it has been set to aadInstance & tenantId

If you want to use Azure AD v2, you need to use the v2.0 endpoint.
