AKS – Authentication issues real-time container logging solution

UPDATE 15.08.2019:

The issue described here in my blog post has been resolved in the Azure docs with the following pull request.

-> https://github.com/MicrosoftDocs/azure-docs/pull/37045


Back in June, Microsoft announced a URL change affecting the Azure Monitor for containers real-time container logging solution.

-> https://azure.microsoft.com/en-us/updates/azure-monitor-for-containers-updates-to-live-data-settings/
-> https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-live-logs#configure-aks-with-azure-active-directory

The URL that needs to be added in the AAD client application as Redirect URI is https://afd.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html.

During some tests on my AKS cluster at the weekend I stumbled over the following issue.

I received the error message AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '{Application ID}' and I could not sign into the real-time container logging solution.

After some debugging, I found out that the expected URL is https://monitoring.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html.

So, the URL in the request https://monitoring.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html does not match what is documented in Azure docs and configured in the AAD client application.

The current fix for the issue is to add the URL as a Redirect URI in the AAD client application.

Immediately after adding the correct URL, the sign-in is working again.
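The check behind this fix, as an added example that is not part of the original post or of the Azure docs: it extracts the redirect_uri parameter from a sign-in request and compares it with the Redirect URIs registered on the AAD client application, reporting which URL component differs. The authorize request, the tenant and application placeholders, and the function names are constructed for illustration, and the exact string comparison is an assumption that simplifies how Azure AD matches reply URLs.

```python
from urllib.parse import parse_qs, quote, urlsplit

# The two URLs from the post: the one in the docs and the one the portal sent.
DOCUMENTED = ("https://afd.hosting.portal.azure.net/monitoring/Content/iframe/"
              "infrainsights.app/web/base-libs/auth/auth.html")
REQUESTED = ("https://monitoring.hosting.portal.azure.net/monitoring/Content/iframe/"
             "infrainsights.app/web/base-libs/auth/auth.html")

# Constructed sign-in request; tenant and client_id are placeholders.
SAMPLE_REQUEST = (
    "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/authorize"
    "?client_id=APP-ID-PLACEHOLDER&response_type=id_token"
    "&redirect_uri=" + quote(REQUESTED, safe="")
)


def requested_redirect_uri(authorize_url):
    """Return the decoded redirect_uri parameter of an authorize request."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def diagnose(authorize_url, registered):
    """Compare the requested redirect URI with the registered ones.

    On a mismatch (the AADSTS50011 case), list for every registered URI
    the URL components that differ from the requested one.
    """
    requested = requested_redirect_uri(authorize_url)
    if requested in registered:
        return {"match": True, "requested": requested, "differences": []}
    req = urlsplit(requested)
    differences = []
    for candidate in registered:
        reg = urlsplit(candidate)
        changed = [part for part in ("scheme", "netloc", "path", "query")
                   if getattr(req, part) != getattr(reg, part)]
        differences.append((candidate, changed))
    return {"match": False, "requested": requested, "differences": differences}


if __name__ == "__main__":
    # Only the documented URL is registered: the host (netloc) differs.
    print(diagnose(SAMPLE_REQUEST, [DOCUMENTED]))
    # After adding the requested URL as a Redirect URI, the check passes.
    print(diagnose(SAMPLE_REQUEST, [DOCUMENTED, REQUESTED]))
```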

Only Azure Kubernetes Service clusters with AAD integration enabled are affected.

The discussion about the issue is ongoing in the closed GitHub issue.

-> https://github.com/MicrosoftDocs/azure-docs/issues/33129#issuecomment-520256708
