Authentication

Excel Addin has logged in, but is not allowed to interact with server

The Excel Addin has logged in to the Solution Platform but is not allowed to interact with it: every action (e.g. submitting a job) results in a "not authenticated" error.

Looking into the service.log of the ‘authentication’ service reveals a log entry like the following:

ERROR|IdentityServer4.Validation.TokenValidator|JWT token validation error: IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'. Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'.
at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at IdentityServer4.Validation.TokenValidator.<ValidateJwtAsync>d__14.MoveNext()

Usually the problem appears if the DNS name used to reach the server is not the same as the server's FQDN.

For example: the DNS name of the server is grid.enexsa.com, so the user connects via the Excel Addin with the address https://grid.enexsa.com. The server's own name, however, is an internal name like s00xx.enexsa.com.
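The log entry above is the token validator rejecting a JWT whose `aud` claim does not match the audience the validator was configured with. The following diagnostic is an added example, not code from the article or the product: it decodes a token's payload (without verifying the signature) and applies the same audience rule, using constructed sample values, since the real audiences are hidden as PII in the log; the URLs, the `/resources` suffix and the function names are assumptions.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_claims(token: str) -> dict:
    # Diagnostic decode only: the payload is read WITHOUT verifying the signature,
    # so nothing returned here may be used for an authorization decision
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def audience_check(claims: dict, valid_audience: str = None, valid_audiences=()):
    # The rule behind IDX10214: at least one 'aud' value in the token must equal
    # ValidAudience or one entry of ValidAudiences, otherwise the token is rejected.
    # 'aud' may be a single string or a list, as the JWT spec allows.
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    expected = set(valid_audiences) | ({valid_audience} if valid_audience else set())
    matched = [a for a in audiences if a in expected]
    return (True, matched) if matched else (False, audiences)

def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token with an empty signature segment (test input only)
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

# Constructed sample values (assumed, not taken from the article): the token was
# issued under the internal server name, the validator expects the DNS name.
INTERNAL = "https://s00xx.enexsa.com/authentication"
DNS = "https://grid.enexsa.com/authentication"

def diagnose(token: str, valid_audience: str) -> str:
    claims = jwt_claims(token)
    ok, detail = audience_check(claims, valid_audience=valid_audience)
    if ok:
        return f"audience ok: {detail[0]}"
    return f"IDX10214-style mismatch: token aud {detail} != expected '{valid_audience}'"

if __name__ == "__main__":
    bad = make_unsigned_token({"iss": INTERNAL + "/", "aud": INTERNAL + "/resources"})
    print(diagnose(bad, DNS + "/resources"))   # mismatch: internal name vs DNS name
    good = make_unsigned_token({"iss": DNS + "/", "aud": [DNS + "/resources", "grid-api"]})
    print(diagnose(good, DNS + "/resources"))  # ok once issuer and validator use the DNS name
```

Comparing the decoded `iss`/`aud` with the authority configured in service.config shows directly which side still carries the internal name.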

Solution

  1. The cluster agent’s cluster base uri should be configured as https://grid.enexsa.com.

  2. The service.config of the service coordinator has to be altered: update the properties authentication/identityServer/authority, authentication/identityServer/issuer and provider/credential/uri to use the DNS name of the server, and leave the rest as is:

    authentication {
        identityServer {
            authority = @"https://grid.enexsa.com/authentication/"
            issuer = @"https://grid.enexsa.com/authentication/"
        }
    }
    provider {
        credential {
            uri = @"https://grid.enexsa.com/authentication"
        }
    }

  3. Restart the cluster agent if the cluster base uri has been changed; otherwise restart the service coordinator only.