7. Troubleshooting

7.1. Diagnostic Mode

If the module doesn’t work as you expect, it’s worth enabling “Diagnostic Mode”. The module then writes logs that describe how it is working. They also help diagnose issues such as config errors, a failed login process, etc. Logs are written to the file ~\Portals\_default\LogsYYYY.MM.DD.logs.resources; see the log example below:

_images/troubleshooting-diagnostic-mode_01.png

Logs are created only when the plugin is working in “Diagnostic Mode”. To enable it, follow the steps below:

  1. Open the log4net configuration file DotNetNuke.log4net.config, which can be found in the DNN root folder; see figure below:

    _images/troubleshooting-diagnostic-mode_02.png
  2. Inside that file, set the log level to ALL; see the code snippet below:

    <root>
        <level value="ALL" />
        <appender-ref ref="RollingFile" />
    </root>
    
  3. Go to “AD-Pro Azure AD Connector”, then the “Other Settings” tab, and enable the option Diagnostic Mode; see figure below.

    _images/troubleshooting-diagnostic-mode_03.png
  4. The logging mechanism is now turned on; reproduce the sign-in process and check the log file.

7.2. How to generate diagnostic logs

Please follow the instructions below on how to generate valuable logs.

  1. First enable diagnostic mode; to do that, see the instructions in section Diagnostic Mode.

  2. The log file is usually very big, which makes it difficult to parse. To remove unnecessary information, delete the log file before you reproduce the issue.

    Default path to the log file is: ~\Portals\_default\Logs\YYYY.MM.DD.resources

  3. Reproduce the issue to generate log entries.

  4. Compress the log file and send it to support@glanton.com

7.3. JavaScript issues

7.3.1. Overview

The user interface is built on top of the AngularJS framework. JavaScript can be moody although it’s very fast. If you see interface issues, for example a view can’t be loaded or displayed, or buttons aren’t responding, it’s worth checking for JavaScript errors. Depending on which browser you are using, check the following articles that describe how to display these errors in your browser:

If you have any problems with your plugin, please send the above error messages to support@glanton.com

7.3.2. Edit & Delete buttons don’t work

When you can’t update module settings and JavaScript throws an error like Method Not Allowed... or requests return the 405 HTTP error code, make sure that WebDAV is disabled. To disable WebDAV, edit the web.config file. In the section system.webServer-> modules add the following line:

<modules>
    <remove name="WebDAVModule"/> <!-- add this -->
    ...
</modules>

In the section system.webServer-> handlers add the following line:

<handlers>
    <remove name="WebDAV" />
    ...
</handlers>

The ExtensionlessUrl-Integrated-4.0 handler under system.webServer-> handlers also needs to accept the verb PUT:

<handlers>
    ...
    <remove name="ExtensionlessUrl-Integrated-4.0" />
    <add name="ExtensionlessUrl-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    ...
</handlers>

Here you can read more about WebDAV.

If this does not help, add the following code snippet to the web.config:

<modules runAllManagedModulesForAllRequests="true">
  <!--IISFIX: Whatever this is, it causes 405 Method Not Allowed errors on IIS when using PUT. (Microsoft's broken by default)-->
  <remove name="WebDAVModule"/>
</modules>
<handlers>
     <!--IISFIX: ASP.net is broken by default. By default they will not accept verbs from the client.
     First we have to rip out everything related to ASP.net-->
    <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit"/>
    <remove name="ExtensionlessUrlHandler-Integrated-4.0"/>
    <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit"/>
    <remove name="SimpleHandlerFactory-ISAPI-2.0-64"/>
    <remove name="SimpleHandlerFactory-ISAPI-2.0"/>
    <remove name="SimpleHandlerFactory-Integrated"/>
    <remove name="SimpleHandlerFactory-Integrated-4.0"/>
    <remove name="SimpleHandlerFactory-ISAPI-4.0_64bit"/>
    <remove name="SimpleHandlerFactory-ISAPI-4.0_32bit"/>
    <!-- IISFIX: Now that we've ripped out everything related to ASP.net, put them back correctly.-->
    <add name="SimpleHandlerFactory-ISAPI-4.0_32bit" path="*.ashx" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0"/>
    <add name="SimpleHandlerFactory-ISAPI-4.0_64bit" path="*.ashx" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0"/>
    <add name="SimpleHandlerFactory-Integrated-4.0" path="*.ashx" verb="*" type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0"/>
    <add name="SimpleHandlerFactory-Integrated" path="*.ashx" verb="*" type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode"/>
    <add name="SimpleHandlerFactory-ISAPI-2.0" path="*.ashx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv2.0,bitness32" responseBufferLimit="0"/>
    <add name="SimpleHandlerFactory-ISAPI-2.0-64" path="*.ashx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv2.0,bitness64" responseBufferLimit="0"/>
    <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0"/>
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0"/>
    <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0"/>

    <!--IISFIX: WebDAV is also buggy, and interferes with client requests-->
    <remove name="WebDAV"/>

</handlers>
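
The check below is an added example, not part of the AD-Pro documentation or product: it replays the remove/add entries of a web.config and reports whether the WebDAV module and handler are removed and whether the extensionless handler accepts PUT and DELETE. The sample configs are constructed, and treating PUT and DELETE as the required verbs is an assumption taken from the handler snippet above; handlers left with verb="*", as the larger snippet sets them, are listed so the broadened verb surface stays visible.

```python
import xml.etree.ElementTree as ET

# Constructed sample: <system.webServer> after the first fix in section 7.3.2.
FIXED = """<configuration><system.webServer>
  <modules><remove name="WebDAVModule"/></modules>
  <handlers>
    <remove name="WebDAV"/>
    <remove name="ExtensionlessUrl-Integrated-4.0"/>
    <add name="ExtensionlessUrl-Integrated-4.0" path="*."
         verb="GET,HEAD,POST,DEBUG,PUT,DELETE"
         type="System.Web.Handlers.TransferRequestHandler"/>
  </handlers>
</system.webServer></configuration>"""

# Constructed sample: WebDAV still active, handler without PUT and DELETE.
UNFIXED = """<configuration><system.webServer>
  <modules/>
  <handlers>
    <add name="ExtensionlessUrl-Integrated-4.0" path="*." verb="GET,HEAD,POST"
         type="System.Web.Handlers.TransferRequestHandler"/>
  </handlers>
</system.webServer></configuration>"""

NEEDED = {"PUT", "DELETE"}  # assumption: verbs behind the Edit and Delete buttons

def effective(section):
    """Replay <remove>/<add> in document order: (removed names, {name: verb})."""
    removed, added = set(), {}
    for el in (section if section is not None else []):
        name = el.get("name", "")
        if el.tag == "remove":
            removed.add(name)
            added.pop(name, None)
        elif el.tag == "add":
            removed.discard(name)
            added[name] = el.get("verb", "").strip()
    return removed, added

def audit_webdav(config_xml):
    ws = next(ET.fromstring(config_xml).iter("system.webServer"), None)
    if ws is None:
        raise ValueError("no <system.webServer> section in this file")
    mod_removed, _ = effective(ws.find("modules"))
    h_removed, handlers = effective(ws.find("handlers"))
    missing = {}  # extensionless integrated handler -> verbs it still rejects
    for name, verb in handlers.items():
        if name.startswith("ExtensionlessUrl") and "Integrated" in name:
            allowed = {v.strip().upper() for v in verb.split(",")}
            missing[name] = [] if "*" in allowed else sorted(NEEDED - allowed)
    return {
        "webdav_module_removed": "WebDAVModule" in mod_removed,
        "webdav_handler_removed": "WebDAV" in h_removed,
        "missing_verbs": missing,
        "wildcard_handlers": sorted(n for n, v in handlers.items() if v == "*"),
    }
```

An empty missing_verbs result means this web.config declares no extensionless integrated handler of its own, so the verbs are inherited from the server-level configuration.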

7.3.3. Settings panel not loaded

If the website runs over the HTTPS protocol and sits behind a load balancer, the user interface may not be displayed at all. Usually this is because the JavaScript files required by the AD-Pro plugin are requested via HTTP instead of HTTPS. To confirm that, check the source code of the DNN page where the Glanton plugin is (press CTRL+U) and look for the string SERVER_DOMAIN or SERVER_DOMAIN_JS; see attached picture.

_images/troubleshooting-javascript_view_01.png

To correct this issue, the DNN website needs to know that we are using HTTPS.

  1. Sign in as DNN Administrator or Host.

  2. Go to the “Security” menu; see figure below.

    _images/troubleshooting-javascript_view_02.png
  3. Click on the tab “More”, then “SSL SETTINGS”. Enable the option “SSL Enabled” and save the settings; see figure below.

    _images/troubleshooting-javascript_view_03.png
  4. To confirm, check the page source once again.

7.3.4. View can’t be loaded

If you see a situation like the one in the figure below, where only the upper part of the interface is loaded and the message Top level state template is displayed instead of the bottom part, it is probably caused by a minified JS file.

_images/troubleshooting-javascript_02.png

To fix that issue, sign in as DNN host and go to the menu “Servers-> Server Settings”. At the bottom is the section responsible for reducing JavaScript files; disable the Minify JS attribute. See figure below for more info.

_images/troubleshooting-javascript_03.png

7.4. Could not load ‘Microsoft.IdentityModel.Protocol.Extensions’

If the error message from the figure below appears, disable the OWIN pipeline.

_images/troubleshooting-owin_01.png

Usually this message indicates one or more missing libraries, in this case the Microsoft.IdentityModel.Protocol.Extensions.dll library. Disabling OWIN won’t fix this issue, but at least it should allow the DNN website to start.

7.5. OwinStartupAttribute

If you get an error message like:

The following errors occurred while attempting to load the app.
- No assembly found containing an OwinStartupAttribute.
- No assembly found containing a Startup or [AssemblyName].Startup class.
To disable OWIN startup discovery,
add the appSetting owin:AutomaticAppStartup with a value of "false" in your web.config.

The same error message is shown in the figure below:

_images/troubleshooting-owin_02.png

This error message is displayed because the OWIN startup library wasn’t declared in the web.config file. To fix that issue, do one of the following:

  • disable OWIN in the web.config file by applying the code snippet below; see this section for more details:

    <add key="owin:AutomaticAppStartup" value="false" />
    
  • remove the GS.AzureADConnector.dll file from the DNN bin directory. This will exclude “AD-Pro Azure AD Connector” from DNN, but I hope that your DNN website will start.

7.6. Response status code does not indicate success

When playing with “AD-Pro Azure AD Connector” you can come across some errors. Below are some examples of one and the same error: Unable to get document from.

  • response message with status code 400

  • exception like Response status code does not indicate success

  • below is an example of the exception stack:

    Response status code does not indicate success: 400 (Bad Request).
    [HttpRequestException: Response status code does not indicate success: 400 (Bad Request).]
    [IOException: Unable to get document from:
    https://login.microsoftonline.com/.well-known/openid-configuration]
    [InvalidOperationException: IDX10803: Unable to create to obtain configuration from:
    'https://login.microsoftonline.com/.well-known/openid-configuration'.]
    
  • print screen with exception

    _images/troubleshooting-status-code-not-success_01.png

This can be caused by a wrong Tenant. Please double-check that the Tenant is correct and that it is without https:// at the beginning.

7.7. Newtonsoft library issue

If you get an exception like:

Could not load file or assembly 'Newtonsoft.Json' or one of its dependencies.
The located assembly's manifest definition does not match the assembly reference.
(Exception from HRESULT: 0x80131040)

The same error is shown in the print screen below:

_images/troubleshooting-newton-soft_01.png

and on print screen below:

_images/troubleshooting-newton-soft_04.png

To fix that issue, compare the version of the Newtonsoft.dll library in the DNN bin folder with the corresponding entry in the web.config file. The versions should be the same. See figures below for reference:

  • DNN bin folder:

    _images/troubleshooting-newton-soft_02.png
  • In the web.config file, under the <configuration><runtime><assemblyBinding> node, there is a Newtonsoft.Json entry that should have the same version as the file in the DNN bin folder.

    _images/troubleshooting-newton-soft_03.png
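
The comparison described above can be scripted; the block below is an added example, not code from the AD-Pro product, and its web.config fragment and version numbers are constructed. It reads the Newtonsoft.Json redirect from the assemblyBinding node and compares it with a version you supply for the DLL in the bin folder.

```python
import xml.etree.ElementTree as ET

# assemblyBinding lives in its own XML namespace; a lookup without it finds nothing.
ASM = "{urn:schemas-microsoft-com:asm.v1}"

# Constructed sample: the <runtime> part of a web.config (versions are made up).
WEB_CONFIG = """<configuration><runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <dependentAssembly>
      <assemblyIdentity name="Newtonsoft.Json"/>
      <bindingRedirect oldVersion="0.0.0.0-32767.32767.32767.32767"
                       newVersion="10.0.0.0"/>
    </dependentAssembly>
  </assemblyBinding>
</runtime></configuration>"""


def version(text):
    """'10.0' -> (10, 0, 0, 0) so that short and full forms compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def redirect_target(config_xml, assembly):
    """newVersion of the bindingRedirect for `assembly`, or None if there is none."""
    for dep in ET.fromstring(config_xml).iter(ASM + "dependentAssembly"):
        ident = dep.find(ASM + "assemblyIdentity")
        redir = dep.find(ASM + "bindingRedirect")
        if ident is None or redir is None or not redir.get("newVersion"):
            continue
        if ident.get("name", "").lower() == assembly.lower():
            return version(redir.get("newVersion"))
    return None


def check_bin_version(config_xml, assembly, bin_version):
    """Compare the redirect with the DLL in bin.

    bin_version must be the DLL's assembly version; the file version shown in
    the file properties dialog can carry extra build digits.
    """
    target = redirect_target(config_xml, assembly)
    if target is None:
        return "no-redirect"
    return "ok" if target == version(bin_version) else "mismatch"
```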

7.8. AADSTS50011: Reply url

If you get an error message like:

AADSTS50011: The reply address ‘https://dnn804v2.dev/’ does not match the reply addresses configured for the application: ‘c7b299aa-0abd-4fb5-a5a1-25b22375773d’. More details: not specified

_images/troubleshooting-reply-address_01.png

Please double-check the Redirect URI in:

  • the Azure AD Application,
  • and “AD-Pro Azure AD Connector”.

If you get a message like:

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: ‘03f6bf15-2f44-4854-96a5-5d1298bdc181’. More details: Reply address did not match because of case sensitivity.

_images/troubleshooting-reply-address_02.png

Double-check the letter case of the “reply address” specified in the DNN “Azure AD Connector” options and the “reply address” specified in the Azure Application settings.

Section with more info about Redirect URI.

7.9. User or administrator has not consented

If you get an error like:

AADSTS65001: The user or administrator has not consented to use the application with ID {your app id} named {your app name}. Send an interactive authorization request for this user and resource. Trace ID: 48c289ae-b6b9-4b4a-bb7b-e7f553ff0500 Correlation ID: 8918cc39-ed83-4076-b849-aabcb4fefba3 Timestamp: 2018-09-10 05:38:52Z

_images/troubleshooting-not-consented_01.png

You need to grant admin consent for your app. To do that:

  1. Sign in to Azure.

  2. Go to Azure Active Directory.

  3. Go to Enterprise Applications and select your application.

  4. Go to the Permissions tab and click on Grant admin consent for {YourDirectoryName}; see figure below.

    _images/troubleshooting-not-consented_02.png
  5. This will redirect you to the login popup, and then to the permission popup. Click on the Accept button; see figure below.

    _images/troubleshooting-not-consented_03.png

7.10. AADSTS70001 Application disabled

If during the login process you get a message like the one in the figure below:

_images/troubleshooting-application-disabled_01.png

Sorry, but we’re having trouble signing you in. AADSTS70001: Application ‘{Your-AzureApplication-ID}’ is disabled.

Probably the “Azure AD” application is disabled for users to sign in. Follow the steps below to enable the application.

  1. Sign in to Azure.

  2. Go to Azure Active Directory.

  3. Go to Enterprise Applications and select your application.

  4. Under the Properties tab, make sure that the option Enabled for users to sign-in is enabled; see figure below.

    _images/troubleshooting-application-disabled_02.png
  5. Save the settings and wait a few minutes for the changes to propagate.

7.11. AADSTS50020 MSA token redemption

If you get an error message like:

AADSTS50020: MSA guest token redemption attempt on v2 common endpoint. Trace ID: 94f89166-5972-48d9-b14f-413040aa0d00 Correlation ID: db30ed0e-f0ff-49a5-8fde-fab6edc87289 Timestamp: 2018-09-10 07:55:55Z

_images/troubleshooting-msa-redemption_01.png

7.12. AADSTS70000: Request denied

If during the login process you get an error message like:

AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope. Trace ID: ddc6de4c-59ac-47d7-8962-b90a0aff7a00 Correlation ID: f0db342c-678d-495b-83c0-b44474731e33 Timestamp: 2018-11-22 08:54:12Z

_images/troubleshooting-request-denied_01.png

7.13. IDX10222: Lifetime validation

If during the login process you get an error message like:

IDX10222: Lifetime validation failed. The token is not yet valid. ValidFrom: ‘12/12/2018 10:14:19’ Current time: ‘12/11/2018 23:48:52’.

_images/troubleshooting-lifetime-validation_01.png

Make sure that the date and time on your end are valid.

7.14. The client and server cannot communicate

If you notice error messages like:

The client and server cannot communicate, because they do not possess a common algorithm

[Win32Exception (0x80004005): The client and server cannot communicate, because they do not possess a common algorithm]

[WebException: The underlying connection was closed: An unexpected error occurred on a receive.]

[HttpRequestException: An error occurred while sending the request.]

[IOException: Unable to get document from: https://login.microsoftonline.com/FoulstonSiefkin.onmicrosoft.com/v2.0/.well-known/openid-configuration]

[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: ‘https://login.microsoftonline.com/FoulstonSiefkin.onmicrosoft.com/v2.0/.well-known/openid-configuration’.]

_images/troubleshooting-ssl-issue_01.png

7.15. IDX10311: RequireNonce is ‘true’

If you get an exception like:

IDX10311: RequireNonce is ‘true’ (default), but validationContext.Nonce is null. A nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’.

This error occurs when DNN is not able to authenticate via Azure AD due to nonce cookie related issues. If the DNN website uses both URLs, with and without www, make sure that the application on Azure AD also has both URL addresses, with and without www, under Redirect URI. For example: https://dnn800.test/login and https://www.dnn800.test/login

_images/troubleshooting-IDX10311_01.png
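
The two Redirect URI mismatches this page describes, letter case (section 7.8) and the www host variant (this section), can be told apart mechanically. The block below is an added example, not part of the AD-Pro product; the function names are hypothetical and the registered list is a constructed sample built from the URLs above.

```python
# Constructed sample: Redirect URIs registered on the Azure AD application.
REGISTERED = ["https://dnn800.test/login"]

# Normalisations to try, weakest first: (fold case, strip www) -> what differs.
CHECKS = [
    ((False, False), []),
    ((True, False), ["case"]),
    ((False, True), ["www"]),
    ((True, True), ["case", "www"]),
]


def _key(uri, fold_case, strip_www):
    """Rebuild the URI by hand so that no URL parser lowercases any part of it."""
    scheme, _, rest = uri.partition("://")
    host, slash, tail = rest.partition("/")
    if strip_www and host.lower().startswith("www."):
        host = host[4:]
    key = f"{scheme}://{host}{slash}{tail}"
    return key.lower() if fold_case else key


def diagnose_reply_url(requested, registered):
    """Return (closest registered URI, list of differences) or (None, None)."""
    for (fold_case, strip_www), kinds in CHECKS:
        wanted = _key(requested, fold_case, strip_www)
        for reg in registered:
            if wanted == _key(reg, fold_case, strip_www):
                return reg, list(kinds)
    return None, None


def advice(requested, registered):
    """Map the diagnosis to the corrective step named in sections 7.8 and 7.15."""
    reg, kinds = diagnose_reply_url(requested, registered)
    if reg is None:
        return "no registered Redirect URI is close; compare both settings by hand"
    steps = []
    if "case" in kinds:
        steps.append(f"make the letter case identical to {reg}")
    if "www" in kinds:
        steps.append("register both host variants, with and without www")
    return "; ".join(steps) or "exact match"
```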

7.16. Service Unavailable

There may be a situation where, after clicking the ‘Login to Azure Active Directory’ button, the login process hangs and the web browser displays a Service Unavailable message with the 503 HTTP code, as in the figure below.

_images/troubleshooting-service-unavailable_01.png

‘Azure AD’ will hang the login procedure if the DNN website isn’t hosted under the HTTPS protocol. Simply change the DNN website URL from http:// to https:// and try once again. To force the HTTPS protocol for all requests, a simple rewrite rule can be added; see here for reference.