
Scenario:

When I started to do a test with AAD B2C Custom policy, I used this sample: active-directory-b2c-custom-policy-starterpack/SocialAndLocalAccounts/

I referred to this documentation to get started.

I followed those steps, changed some values in the samples, and double checked the client_id and resource_id. When I tried to run the signup or signin policy, I failed to sign in with a local account with this error (though I can sign in with a social account):

Invalid username or password

I used Fiddler to capture the traffic; here are the request and response when I came across the error:

Request:

POST https://login.microsoftonline.com/yangsa.onmicrosoft.com/B2C_1A_signup_signin/SelfAsserted?tx=StateProperties=eyJUSUQiOiI1NjMyNTc1OS1lZjFiLTRhNzctYmRkOS1jOGRjZmZhZmUxZGEifQ&p=B2C_1A_signup_signin HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
X-CSRF-TOKEN: RUF6Zk1MMFBHcVQxeHlNV2x0K2dnN21SVy9aMlN3M1R1WmxSOWdOUXhFTitDaGxOTFJoVGgwWFNLT0lKZ2JCcHdETFR1aUxtNFVDMmp0R2NkOE1RNXc9PTsyMDE4LTA3LTEyVDEwOjMzOjMyLjMyNjM0MTJaOy9IY3JiQmxESUhEcEQ4SWd1SXp6Q1E9PTt7Ik9yY2hlc3RyYXRpb25TdGVwIjoxfQ==
X-Requested-With: XMLHttpRequest
Referer: https://login.microsoftonline.com/yangsa.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_signup_signin&client_id=cec7ec64-0a28-4914-ab1a-8f951fd27b1d&nonce=defaultNonce&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid&response_type=id_token&prompt=login
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: login.microsoftonline.com
Content-Length: 69
Connection: Keep-Alive
Cache-Control: no-cache

request_type=RESPONSE&signInName=547541640%40qq.com&password=Password**

Response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/json; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
Set-Cookie: x-ms-cpim-trans=eyJUX0RJQyI6W3siSSI6IjU2MzI1NzU5LWVmMWItNGE3Ny1iZGQ5LWM4ZGNmZmFmZTFkYSIsIlQiOiJ5YW5nc2Eub25taWNyb3NvZnQuY29tIiwiUCI6IkIyQ18xQV9zaWdudXBfc2lnbmluIiwiQyI6ImNlYzdlYzY0LTBhMjgtNDkxNC1hYjFhLThmOTUxZmQyN2IxZCIsIlMiOjIsIk0iOnt9LCJEIjowfV0sIkNfSUQiOiI1NjMyNTc1OS1lZjFiLTRhNzctYmRkOS1jOGRjZmZhZmUxZGEifQ==; domain=login.microsoftonline.com; path=/; secure; HttpOnly
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: x-ms-gateway-slice=001-000; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=cpim_te; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Thu, 12 Jul 2018 10:33:42 GMT
Content-Length: 58

{"status":"400","message":"Invalid username or password."}

How do I resolve this issue? Is there anything I missed?

Additional: I can sign in with the built-in policy with both local and social accounts. Also, I can sign up a new local account with the custom policy but cannot sign in next time.

If there is any information needed, I can provide it later. Thanks in advance!


UPDATE1:

Here are the custom policies I used in this issue: https://github.com/WayneYangsa/Azure-AD-B2C-cutompolicy

UPDATE2:

I tested the following different ways:

  • Use a wrong username to sign in; the page will throw: We can't seem to find your account.

  • Use a right username but wrong password to sign in; the page will throw: Your password is incorrect.

  • Use a right username and a right password to sign in; the page will throw: Invalid username or password.

It's really weird, because I don't even have an "Invalid username or password" metadata Item in my TrustFrameworkBase.xml.

Here is the Metadata:

          <Metadata>
            <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
            <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
            <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>

            <Item Key="ProviderName">https://sts.windows.net/</Item>
            <Item Key="METADATA">https://login.microsoftonline.com/yangsa.onmicrosoft.com/.well-known/openid-configuration</Item>
            <Item Key="authorization_endpoint">https://login.microsoftonline.com/yangsa.onmicrosoft.com/oauth2/token</Item>
            <Item Key="response_types">id_token</Item>
            <Item Key="response_mode">query</Item>
            <Item Key="scope">email openid</Item>

            <!-- Policy Engine Clients -->
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="HttpBinding">POST</Item>
          </Metadata>
  • Most of the time you will get this issue when you forgot or wrongly placed App IDs in your extension policy. Can you confirm you added Identity Experience Framework applications and their IDs in extensions file? https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom#register-identity-experience-framework-applications – Ramakrishna Jul 12 '18 at 10:52
  • @Ramakrishna, I did check the client_id and resource_id. I will upload my policies to GitHub and post a link in my question later. – Wayne Yang Jul 12 '18 at 11:25
  • Yang, Please share. – Ramakrishna Jul 12 '18 at 11:49
  • Hi @Ramakrishna, I have updated my question, please check it. :-) – Wayne Yang Jul 12 '18 at 12:47
  • How are you testing this? The first request indicates a referrer with `redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob`, so a native app. Can't you create a web app/API registration and register the redirect URI `http://localhost` for testing? Also, if you [enable Application Insights](https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom) you will get quite a lot of useful information. – astaykov Jul 12 '18 at 15:14
  • @astaykov Yeah, the client is a native app. But it doesn't matter. Using Application Insights to troubleshoot is a great idea! I will try it and update my question if I get any useful details. Thanks astaykov – Wayne Yang Jul 12 '18 at 15:25
  • Well, it matters as it is much easier to debug a web app ;) where you have full web redirects. And also, you are testing with app registrations created within B2C, correct? Can it be that you test with an app registered within the "Application registration" part of the AAD B2C and not within the B2C part? This behavior you describe is really strange, but I have seen it once. And I believe the issue was I was testing with the wrong app registration. – astaykov Jul 12 '18 at 15:50
  • @astaykov Really appreciate your help. The apps I tested are in B2C apps, not Application registration. Also, when I run the signin or signup policy, it should let the local account sign in. I will post more details later. – Wayne Yang Jul 12 '18 at 15:55
  • @WayneYang-MSFT, I am able to repro your issue. But it is really weird why only with your policies. Can you please download new policies from GitHub and upload against your tenant and see. (Please use Notepad (default Windows app) to edit instead of using any other tools; those tools have a chance to insert special hidden characters in the policy files). I tried integrating your modifications in the policies and uploaded against my tenant; those are working fine. Please try downloading new policies from GitHub and run. – Ramakrishna Jul 12 '18 at 16:46
  • Hi @Ramakrishna, particular thanks! I will re-download the policies and use Notepad to edit. Also, I used Notepad++ to edit the `.xml` file. – Wayne Yang Jul 13 '18 at 02:45
  • Hi @Ramakrishna, I did re-download and re-edit the policy files. But it still failed with the same error. I've updated my question. – Wayne Yang Jul 13 '18 at 06:14
  • Hi @astaykov. I tried to use Application Insights for analysis. But I cannot see useful details in it. It seems that it's not caused by AAD; maybe it's caused by the policy itself. – Wayne Yang Jul 13 '18 at 06:16
  • Can you upload the new policies? I'd like to see a diff of what you have changed from the original ones. – astaykov Jul 13 '18 at 06:30
  • I deleted the old policies and uploaded the new policies. But I got the same error result. I changed the `TenantId`, `PublicpolicyUri`, `TenantObjectId`, `client_id`, `IdTokenAudience` and the DefaultValues of `client_id` and `resource_id`. – Wayne Yang Jul 13 '18 at 06:42
  • I also changed `{tenant}` in the metadata to `yangsa.onmicrosoft.com`. – Wayne Yang Jul 13 '18 at 07:00

1 Answer


@WayneYang able to resolve issue :-)

The most common mistakes leading to this issue are:

  • Creating the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps under the B2C blade instead of creating them under the Azure Active Directory blade (check step 2 in the doc)
  • Missing the 11th step in the doc
  • Interchanging the AppIds of the ProxyIEF and IEF apps when placing them inside the extension policy.
  • Yeah, I created both applications in B2C, not in AAD Application registration. This is the root cause. I recreated the apps in the application registration in AAD, and it works like a charm now! Thanks again! – Wayne Yang Jul 13 '18 at 08:10
  • The document says to create the apps in the B2C tenant. Maybe because it's been updated during the past 2 years? I'm getting a similar error and went to recheck the doc after seeing this answer, but it doesn't match what the doc says. – Luis Octavio Lomeli Navarrete Sep 09 '20 at 05:55
  • I'm getting the same thing and the docs now say to register under B2C. @LuisOctavioLomeliNavarrete did you resolve it? – jle Feb 11 '21 at 17:18
  • Yep, I registered both under the B2C tenant. Did you put both clientIds on the policy XMLs? I think that's what happened to me, I was uploading the policies with the placeholder values for those. – Luis Octavio Lomeli Navarrete Feb 19 '21 at 07:13
  • In my case it was a wrong audience in IdentityExperienceFramework. The correct audience in IdentityExperienceFramework is "AzureADMyOrg" in the manifest. Please check that you selected "Accounts in this organizational directory only" under the Supported account step. – Oleksandr Galperin Jan 16 '22 at 00:49
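A configuration check for the answer's third point (interchanged IEF/ProxyIEF IDs) and for the placeholder and audience problems raised in the comments above, added here as an example; it is not code from the question, the answer, or the B2C starter pack. It assumes the login-NonInteractive technical profile carries the keys the asker listed (`client_id` and `IdTokenAudience` metadata, `client_id` and `resource_id` InputClaim DefaultValues) in the standard TrustFrameworkPolicy namespace; the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}  # B2C policy namespace
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def check_login_noninteractive(policy_xml: str) -> list:
    """Lint the app IDs in login-NonInteractive: client_id metadata and the client_id
    DefaultValue must both be the ProxyIEF app; IdTokenAudience and the resource_id
    DefaultValue must both be the IEF app; no placeholders; the two apps must differ."""
    tp = ET.fromstring(policy_xml).find(
        ".//cpim:TechnicalProfile[@Id='login-NonInteractive']", NS)
    if tp is None:
        return ["login-NonInteractive technical profile not found"]
    meta = {i.get("Key"): (i.text or "").strip()
            for i in tp.findall("cpim:Metadata/cpim:Item", NS)}
    claims = {c.get("ClaimTypeReferenceId"): (c.get("DefaultValue") or "").strip()
              for c in tp.findall("cpim:InputClaims/cpim:InputClaim", NS)}
    values = {"Metadata client_id": meta.get("client_id", ""),
              "InputClaim client_id DefaultValue": claims.get("client_id", ""),
              "Metadata IdTokenAudience": meta.get("IdTokenAudience", ""),
              "InputClaim resource_id DefaultValue": claims.get("resource_id", "")}
    findings = [f"{name} is not an application ID: {v!r}"
                for name, v in values.items() if not GUID_RE.match(v)]
    if findings:  # placeholders left in (or values missing): stop here
        return findings
    proxy = {values["Metadata client_id"], values["InputClaim client_id DefaultValue"]}
    ief = {values["Metadata IdTokenAudience"], values["InputClaim resource_id DefaultValue"]}
    if len(proxy) != 1:
        findings.append("client_id metadata and DefaultValue disagree on the ProxyIEF app ID")
    if len(ief) != 1:
        findings.append("IdTokenAudience and resource_id DefaultValue disagree on the IEF app ID")
    if proxy & ief:
        findings.append("the same app ID is used for both the ProxyIEF and IEF roles")
    return findings

# Constructed sample in the starter-pack layout (assumed); the resource_id DefaultValue is
# still the placeholder, the mistake described in the comments above.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
 <ClaimsProviders><ClaimsProvider><TechnicalProfiles><TechnicalProfile Id="login-NonInteractive">
  <Metadata>
   <Item Key="client_id">11111111-1111-1111-1111-111111111111</Item>
   <Item Key="IdTokenAudience">22222222-2222-2222-2222-222222222222</Item>
  </Metadata>
  <InputClaims>
   <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="11111111-1111-1111-1111-111111111111" />
   <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppId" />
  </InputClaims>
 </TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""
```

Running `check_login_noninteractive` on a real TrustFrameworkExtensions.xml returns an empty list when the four values are consistent; a consistent but fully swapped pair of IDs still passes, so compare the ProxyIEF ID against the app registration blade as the answer describes.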