Sign in with Azure AD via IIS reverse proxy

Hello,

I have been stuck on a problem for a few days now. We are trying to connect Grafana to Azure for 2FA. When I tried with localhost, the authentication worked, but when we tried it with the reverse proxy, we get this error: AADSTS50011: The redirect URI 'http://****/login/azuread' specified in the request does not match the redirect URIs configured for the application '92209b1b-8ef9-4a8d-bec4-3bea98b0089a'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal.

For the reverse proxy we are using Microsoft IIS. We are using Grafana v11.1, which is installed locally (on the same server as IIS) and is running as a Windows service.

IIS is configured the same way as in this Git issue:

The configuration in Grafana looks like this:

```ini
[server]
# Protocol (http, https, h2, socket)
protocol = http

# Minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.2, TLS1.3. If nothing is set TLS1.2 would be taken
min_tls_version = ""

# The ip address to bind to, empty will bind to all interfaces
http_addr =

# The http port to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = ourdomain

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = false

# The full public facing url
root_url = %(protocol)s://%(domain)s:%(http_port)s/

# Serve Grafana from subpath specified in root_url setting. By default it is set to false for compatibility reasons.
serve_from_sub_path = false

[auth.azuread]
name = "Azure AD"
icon = "microsoft"
enabled = false
allow_sign_up = true
auto_login = false
client_id = "clientid"
client_secret = "clientsecret"
scopes = openid email profile
# Grafana's documented Azure AD endpoints carry the directory (tenant) ID in this path segment
auth_url = "https://login.microsoftonline.com/clientid/oauth2/v2.0/authorize"
token_url = "https://login.microsoftonline.com/clientid/oauth2/v2.0/token"
allowed_domains =
allowed_groups =
allowed_organizations =
role_attribute_strict = false
allow_assign_grafana_admin = false
force_use_graph_api = false
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca =
use_pkce = true
skip_org_role_sync = false
use_refresh_token = true
```

In Azure we have added all the redirect URIs:

When we try to sign in with Azure, we get the prompt for username/password, and then it reroutes us back to Grafana, where we get this error:

AADSTS50011: The redirect URI 'http://****/login/azuread' specified in the request does not match the redirect URIs configured for the application '92209b1b-8ef9-4a8d-bec4-3bea98b0089a'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal.

This redirect URI is part of the header payload, and we can't figure out how to change it to the https address.

We tried creating custom inbound/outbound rules in IIS, but to no avail; we tried setting the root_url directly in the Grafana configuration to enforce the domain, and tried using the generic OAuth authentication configuration instead of the Azure one… but nothing worked.

Does anybody have any ideas?
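Added diagnostic example (not from the post above and not Grafana's own code). Grafana builds the OAuth `redirect_uri` from `[server] root_url` plus `login/<provider>`, so the proxy's Host header and IIS rewrite rules never change it; with the template `root_url = %(protocol)s://%(domain)s:%(http_port)s/` and `protocol = http` it expands to `http://<domain>:3000/login/azuread`, which is the shape of the URI in the AADSTS50011 message. The script below takes the `Location` header Grafana returns for `GET /login/azuread` (a constructed sample here, with the hypothetical host `grafana.example.com` and placeholder `TENANT_ID`/`CLIENT_ID` values), extracts the `redirect_uri` Grafana actually sent, checks it against a constructed list of registered URIs, and derives the `root_url` that would make Grafana send the registered https URI instead.

```python
"""Check which redirect_uri Grafana sends to Azure AD and whether it is registered,
for diagnosing AADSTS50011 behind a reverse proxy. All sample data is constructed."""
from urllib.parse import parse_qs, urlparse

PROVIDER = "azuread"  # [auth.azuread] provider name; last path segment of the callback URL

# Constructed Location header from Grafana's 302 on GET /login/azuread when root_url
# still expands to http://grafana.example.com:3000/ (hypothetical host and IDs).
SAMPLE_LOCATION = (
    "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
    "?access_type=online&client_id=CLIENT_ID"
    "&code_challenge=CHALLENGE&code_challenge_method=S256"
    "&redirect_uri=http%3A%2F%2Fgrafana.example.com%3A3000%2Flogin%2Fazuread"
    "&response_type=code&scope=openid+email+profile&state=STATE"
)

# Constructed list of redirect URIs registered on the app in the Azure portal.
REGISTERED_URIS = ["https://grafana.example.com/login/azuread"]


def expected_redirect_uri(root_url: str, provider: str = PROVIDER) -> str:
    """redirect_uri Grafana derives from root_url for the given provider."""
    return root_url.rstrip("/") + "/login/" + provider


def redirect_uri_from_location(location: str) -> str:
    """Pull redirect_uri out of the authorize URL in Grafana's 302 Location header."""
    values = parse_qs(urlparse(location).query).get("redirect_uri")
    if not values:
        raise ValueError("authorize URL carries no redirect_uri parameter")
    return values[0]


def normalize(uri: str) -> str:
    """Lower-case scheme and host only; Azure matches port and path exactly."""
    p = urlparse(uri)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def root_url_for(registered_uri: str, provider: str = PROVIDER) -> str:
    """The root_url Grafana would need in order to send registered_uri."""
    suffix = "/login/" + provider
    if not registered_uri.endswith(suffix):
        raise ValueError(f"{registered_uri} does not end in {suffix}")
    return registered_uri[: -len(suffix)] + "/"


def diagnose(location: str, registered: list, root_url: str) -> dict:
    """Compare what Grafana sent with what Azure has, and with what root_url implies."""
    sent = normalize(redirect_uri_from_location(location))
    derived = normalize(expected_redirect_uri(root_url))
    registered_set = {normalize(u) for u in registered}
    suggestions = []
    for uri in registered:
        # Only https callbacks that end in the provider suffix yield a usable root_url.
        if uri.startswith("https://") and uri.endswith("/login/" + PROVIDER):
            suggestions.append(root_url_for(uri))
    return {
        "sent": sent,
        "sent_is_registered": sent in registered_set,
        "derived_from_root_url": derived,
        "root_url_explains_sent": derived == sent,
        "suggested_root_urls": suggestions,
    }


if __name__ == "__main__":
    # What root_url = %(protocol)s://%(domain)s:%(http_port)s/ expands to with
    # protocol = http, domain = grafana.example.com, http_port = 3000.
    current_root_url = "http://grafana.example.com:3000/"
    for key, value in diagnose(SAMPLE_LOCATION, REGISTERED_URIS, current_root_url).items():
        print(f"{key}: {value}")
```

To use it against a real deployment, request the public login URL with redirects disabled (for example `curl -sI https://<public-host>/login/azuread`), paste the `Location` value in place of `SAMPLE_LOCATION`, and list the portal's registered URIs in `REGISTERED_URIS`. If `root_url_explains_sent` is true and `sent_is_registered` is false, the mismatch comes from `root_url` alone: set `root_url` to the literal public https URL (no `%(protocol)s` template, no internal port) and restart the Grafana service so the new value is read.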