
We have a Python Linux Azure Function that is connected to a custom OIDC provider and Azure AD to provide authentication to the HTTP-triggered functions using Microsoft's EasyAuth.

After the initial setup, the Azure Function was working and has been working for the last few months.

In the last 2 days, our application suddenly started to error out on our custom provider; the Azure AD authentication is still working. After checking the EasyAuth logs, we see the error:

System.PlatformNotSupportedException: Windows Cryptography Next Generation (CNG) is not supported on this platform.

No changes were made to either the custom OIDC provider or the Azure Function in the last 2 days. We suspect that maybe the base EasyAuth Docker image (mcr.microsoft.com/appsvc/middleware:stage2) got updated and that broke the authentication.

Any ideas or suggestions on possible fixes or even related problems?

HugoS99
  • After searching, we have come to understand that it might be related to the EasyAuth version. We were able to manipulate our version by setting the "WEBSITE_CUSTOM_MIDDLEWARE_VERSION" environment variable to the value "stage2"; this changed the version of EasyAuth from 1.6.2 to 1.5.1, which resolved the problem for us. – HugoS99 Nov 08 '22 at 09:16
  • Update: today the problem returned. Since we are connected to a relative tag value, the application reverted, at least in some instances, to the old version and the error returned. – HugoS99 Nov 08 '22 at 11:05
  • Also having this issue with App Service hosted on Ubuntu latest. Here's a partial trace: 2022-11-08T15:54:32.026117357Z [41m[30mfail[39m[22m[49m: Microsoft.AspNetCore.Server.Kestrel[13] 2022-11-08T15:54:32.026164657Z Connection id "", Request id "": An unhandled exception was thrown by the application. 2022-11-08T15:54:32.032132517Z System.PlatformNotSupportedException: Windows Cryptography Next Generation (CNG) is not supported on this platform. 2022-11-08T15:54:32.033581131Z at System.Security.Cryptography.RSACng..ctor() – thecoolestname36 Nov 08 '22 at 16:00

4 Answers


Could it be due to this: https://github.com/Azure/app-service-announcements/issues/404

Use RSACNG when validating tokens to add PS256 support

EDIT: Also experiencing this issue as of this morning. I'm currently trying to manually downgrade the version using this command: az webapp auth update --name xxx --resource-group xxx --runtime-version "1.5.1", but my Azure credentials don't have enough power to run that, so I can't validate whether it works or not.

EDIT2: Doesn't work if you are using auth v2.

EDIT3: It actually does work if you are using auth v2. You just have to check the help options of the command to realize that for auth v2 you have to install a CLI extension with the command az extension add --name authV2. After that you can run the commands. I downgraded the version to 1.5.1 but nothing changed. I'm not sure if it has something to do with the fact that we are deploying to a slot first, which probably still had the new version. I have also created an Azure support ticket about this.

EDIT4: Got into a support call with Azure yesterday. They fixed the issue during the night. A restart of the application is required. I'm still baffled by the fact that the documentation shows that you can pinpoint the version of Easy Auth / Authentication/Authorization middleware, but when I go to troubleshoot my App Service and select Easy Auth it actually shows that the pinpointed version is 1.5.1 and the running version is 1.6.2. So it just totally ignores the whole configuration. Fun, right?

  • Hello Akseli. I have tried your command exactly and I get a bad request error, which is weird since I am an Admin on all levels in this subscription. – HugoS99 Nov 08 '22 at 11:03
  • Well that definitely is weird. I got it straight from documentation here: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-api-version#update-the-current-runtime-version – Akseli Käppi Nov 08 '22 at 11:17
  • Oh crap. Running this with --debug revealed that it doesn't work if you are using auth v2. – Akseli Käppi Nov 08 '22 at 11:21

We have started to see this as well on some of our instances. The worrying thing is that we have multiple running instances and it is working in some and not in others. We "solved" the issue on one production instance by redeploying the function app: it is set up through Terraform, and a destroy of the function app followed by a create made it work again.

Fredrik

Exact same issue here.

2 app services (one for prod and one for dev, located in the France Central region) using an Azure AD app in another Azure B2C tenant for authentication (https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#-option-2-use-an-existing-registration-created-separately) were working for about 1 year.

Then, after the deployment of a new container version of our app in the "dev" app service, the authentication broke in DEV only, and we started receiving an ERROR 500 message when being redirected to the /.auth/login/aad/callback endpoint after the authentication is done in Azure B2C.

By inspecting the app service log we see these lines:

2022-11-08T08:47:28.449645417Z [41m[30mfail[39m[22m[49m: Microsoft.AspNetCore.Server.Kestrel[13]
2022-11-08T08:47:28.449692217Z       Connection id "0HMM1CIPP8I5M", Request id "0HMM1CIPP8I5M:00000004": An unhandled exception was thrown by the application.
2022-11-08T08:47:28.450647224Z System.PlatformNotSupportedException: Windows Cryptography Next Generation (CNG) is not supported on this platform.
2022-11-08T08:47:28.451187128Z    at System.Security.Cryptography.RSACng..ctor()
2022-11-08T08:47:28.451205328Z    at Microsoft.Azure.AppService.Middleware.JsonWebKey.GetSecurityKeys() in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/JsonWebKey.cs:line 100
2022-11-08T08:47:28.451422129Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectConfiguration.GetJwtValidationParameters(String siteName, String clientId, String authenticationType, String allowedAudiences) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/OpenIdConnectConfiguration.cs:line 114
2022-11-08T08:47:28.457668471Z    at Microsoft.Azure.AppService.Middleware.AzureActiveDirectoryProvider.GetOpenIdConnectValidationParameters(ConfigManager oidcConfigManager, Boolean forceRefresh) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/AzureActiveDirectoryProvider.cs:line 1131
2022-11-08T08:47:28.457685071Z    at Microsoft.Azure.AppService.Middleware.AzureActiveDirectoryProvider.HandleServerDirectedLoginAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/AzureActiveDirectoryProvider.cs:line 518
2022-11-08T08:47:28.457689872Z    at Microsoft.Azure.AppService.Middleware.IdentityProviderBase.OnCompleteServerDirectedLoginAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/IdentityProviderBase.cs:line 655
2022-11-08T08:47:28.457693772Z    at Microsoft.Azure.AppService.Middleware.IdentityProviderBase.TryHandleProtocolRequestAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/IdentityProviderBase.cs:line 185
2022-11-08T08:47:28.457697572Z    at Microsoft.Azure.AppService.Middleware.EasyAuthModule.OnBeginRequestAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/EasyAuthModule.cs:line 220
2022-11-08T08:47:28.457818072Z    at Microsoft.Azure.AppService.Middleware.NetCore.AppServiceMiddleware.InvokeAsync(HttpContext context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.NetCore/AppServiceMiddleware.cs:line 102
2022-11-08T08:47:28.457928173Z    at Microsoft.Azure.AppService.MiddlewareShim.AutoHealing.AutoHealingMiddleware.Invoke(HttpContext context) in /EasyAuth/Middleware.Host/AutoHealing/AutoHealingMiddleware.cs:line 55
2022-11-08T08:47:28.457939473Z    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

Creating a new app in another app service plan did not improve the situation, so we have opened a support ticket/case at Microsoft. This issue has nothing to do with our application. This issue is 100% related to a change that might have happened at Microsoft.

Let's keep in touch on this thread to share knowledge about this issue.

  • I added the "WEBSITE_CUSTOM_MIDDLEWARE_VERSION" environment variable with the value "stage2", but now I have an error when browsing: ":( Application Error. If you are the application administrator, you can access the diagnostic resources." Diagnostic logs say "Warning 2022-11-08T11:00:44.334 ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"manifest for appsvc/middleware:stage2 not found: manifest unknown: manifest unknown"}". – Fabien Soulis Nov 08 '22 at 11:39
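As an added example (not code from the thread or from Microsoft), a small Python triage helper that parses App Service container log lines like the trace above and tells a crash inside the platform's auth middleware (stack frames compiled from /EasyAuth/ sources) apart from a crash in the customer's own code. The class and function names are my own; the sample log is an excerpt of the trace quoted in this answer.

```python
import re
from dataclasses import dataclass, field

# App Service container log line: ISO-8601 timestamp, then the message. Kestrel's
# ANSI colour codes (e.g. "[41m[30mfail[39m[22m[49m") may survive in exported logs.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s*(?P<msg>.*)$")
ANSI_RE = re.compile(r"\x1b?\[\d+m")
EXC_RE = re.compile(r"^(?P<type>[\w.]+Exception):\s*(?P<text>.*)$")
# ".NET stack frame: 'at <method>' optionally followed by 'in <source path>:line N'"
FRAME_RE = re.compile(r"^at\s+(?P<method>.+?)(?:\s+in\s+(?P<path>\S+):line\s+\d+)?$")

@dataclass
class Crash:
    timestamp: str
    exception: str
    message: str
    frames: list = field(default_factory=list)  # (method, source path or None)

    def origin(self) -> str:
        # Frames compiled from /EasyAuth/ sources belong to the platform's auth
        # middleware; anything else is attributed to the customer's own app code.
        if any(p and p.startswith("/EasyAuth/") for _, p in self.frames):
            return "platform-middleware"
        return "application"

def parse_crashes(lines):
    """Group each exception line with the 'at ...' frames that follow it."""
    crashes, current = [], None
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = ANSI_RE.sub("", m.group("msg")).strip()
        if exc := EXC_RE.match(msg):
            current = Crash(m.group("ts"), exc.group("type"), exc.group("text"))
            crashes.append(current)
        elif (fr := FRAME_RE.match(msg)) and current is not None:
            current.frames.append((fr.group("method"), fr.group("path")))
    return crashes

# Sample log: an excerpt of the trace quoted in this answer (not a live capture).
SAMPLE_LOG = """\
2022-11-08T08:47:28.449645417Z [41m[30mfail[39m[22m[49m: Microsoft.AspNetCore.Server.Kestrel[13]
2022-11-08T08:47:28.449692217Z       Connection id "0HMM1CIPP8I5M", Request id "0HMM1CIPP8I5M:00000004": An unhandled exception was thrown by the application.
2022-11-08T08:47:28.450647224Z System.PlatformNotSupportedException: Windows Cryptography Next Generation (CNG) is not supported on this platform.
2022-11-08T08:47:28.451187128Z    at System.Security.Cryptography.RSACng..ctor()
2022-11-08T08:47:28.451205328Z    at Microsoft.Azure.AppService.Middleware.JsonWebKey.GetSecurityKeys() in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/JsonWebKey.cs:line 100
2022-11-08T08:47:28.457697572Z    at Microsoft.Azure.AppService.Middleware.EasyAuthModule.OnBeginRequestAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/EasyAuthModule.cs:line 220
""".splitlines()

if __name__ == "__main__":
    for c in parse_crashes(SAMPLE_LOG):
        print(f"{c.timestamp} {c.exception} -> {c.origin()} ({len(c.frames)} frames)")
```

Feeding the full exported container log through parse_crashes gives one record per exception, so an alert on origin() == "platform-middleware" fires for this class of failure without paging the team that owns the application code.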

Issue is solved after restarting the Azure App Services.