Device Configuration Failure Using SOTI Identity with Microsoft Entra ID Connection

Publish Date: 13-Mar-2025 Last Modified Date: 16-May-2025 SOTI Identity

Summary

When SOTI Identity is configured with Microsoft Entra ID as its identity provider and used together with SOTI MobiControl for device configuration, enrollment and shared-device sign-in, those device-side authentication flows fail.

Related SOTI ONE Platform Products

SOTI Identity; SOTI MobiControl

Issue Description

  • When SOTI Identity is configured as the enrollment authentication provider on the SOTI MobiControl console, and Microsoft Entra ID (Azure AD) is configured as the third-party IdP in SOTI Identity, enrollment fails with the following error:

SOTI MobiControl warning message stating that the function is not fully supported on the current device.

  • Similarly, when the same setup is used for shared-device authentication, the shared-device login fails: when the user opens the login page from the agent, an error message is shown instead of a successful authentication.

 

Environment

SOTI Identity 2025.0.0.

Symptoms

When trying to enroll a device or to log in to a shared device, instead of completing the authentication flow the user is presented with errors such as the following:

  • SOTI MobiControl warning message stating that the function is not fully supported on the current device.
  • SOTI MobiControl server error message.

The following exceptions can be observed in the Management Service log when the issue is present:

[2024-10-23 10:16:13.742] ERROR [General] [f68ae344-5f9c-4a4a-aadd-cac8534f****] (6): ******************************************************
* Exception: MC IdP Host: Unhandled exception caught *
******************************************************
[IOException: ]
   at Microsoft.Owin.Host.HttpListener.RequestProcessing.ExceptionFilterStream.<WriteAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Soti.Owin.Compression.Middleware.CompressionPipeline.Strategies.PassThroughCompressionStrategy.<Compress>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Soti.Owin.Compression.Middleware.CompressionMiddleware.<Invoke>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Soti.MobiControl.WebApi.Foundation.Hosting.OwinMiddlewares.StrictTransportHeaderMiddleware.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Soti.MobiControl.ExternalAuthentication.Host.GlobalExceptionMiddleware.<Invoke>d__2.MoveNext()   {
   [HttpListenerException: The I/O operation has been aborted because of either a thread exit or an application request]
      at System.Net.HttpResponseStream.EndWrite(IAsyncResult asyncResult)
   at System.IO.Stream.<>c.<BeginEndWriteAsync>b__53_1(Stream stream, IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncTrimPromise`1.Complete(TInstance thisRef, Func`3 endMethod, IAsyncResult asyncResult, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Owin.Host.HttpListener.RequestProcessing.ExceptionFilterStream.<WriteAsync>d__6.MoveNext()
   }****************************************************** 
[2024-10-11 16:21:11.925] INFO  [AccessControl] [7d8c0410-7d50-4369-aa91-378********] (243): MobiControl access denied. User "sample.onmicrosoft.com\test.user@soti.net" belongs to the following groups that has "deny access" to web console:  "SOTI_USERS"
[2024-10-11 16:21:11.925] ERROR [General] [7d8c0410-7d50-4369-aa91-378*******] (243): *************************************************************************
* Exception: Authorization Server Host: Authorization with token failed *
*************************************************************************
[SecurityException: You do not have permissions to access this page.]
   at Soti.MobiControl.ManagementService.AuthorizationService.PermissionCheckFailed(IUser user, ISessionState session, AccessRights userRights)
   at Soti.MobiControl.ManagementService.AuthorizationService.CheckUserPermission(IUser user, String source)
   at Soti.MobiControl.ManagementService.AuthorizationService.InitialExternalUserSession(AuthorizationData ssoToken)
   at Soti.MobiControl.ManagementService.Security.SSO.SsoAuthorizationService.Authorize(AuthorizationData token)
   at Soti.MobiControl.ManagementService.Security.AuthorizationManager.AuthorizeWithToken(String token, String source)
   at Soti.MobiControl.Security.AuthorizationServer.SSO.SsoAuthenticationHandler.AuthenticateCoreAsync()*************************************************************************
 
 

Cause

The issue is caused by an incorrect post-authentication redirect.

After a successful authentication at Entra ID, the user should be redirected to the device logon flow; in this case the redirect goes to the MobiControl web console instead.

The accounts involved are created only for device-side authentication and belong to groups that deny access to the web console, so the web console authorization step rejects them. This is what the Management Service log shows: an "access denied" entry for the Entra ID user followed, on the same request, by "Authorization Server Host: Authorization with token failed".

As a result, the enrollment or shared-device login is disrupted.
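To confirm on a live server that failing device-side accounts are hitting this redirect rather than some other authentication problem, the following Python helper correlates the two log signatures quoted above. It is an added example written for this article, not SOTI code: the log line layout and the two message texts are taken from the excerpt above, while the sample log, its correlation ids and the HELPDESK_RO group are constructed. Which MobiControl groups are device-only is operator knowledge, so it is passed in as a parameter (the excerpt's group is SOTI_USERS).

```python
"""Triage helper for the SOTI MobiControl Management Service log (added example, not SOTI code).

It pairs an AccessControl "access denied ... deny access to web console" entry
with the "Authorization Server Host: Authorization with token failed" error on the
same correlation id, and flags the pair when the denying group is one the operator
knows to be device-only. That combination is the pattern this article describes:
an IdP user meant for device logon was redirected to the web console and rejected.
"""
import re
from dataclasses import dataclass

# Header layout of a Management Service log line, as in the excerpt above:
# [timestamp] LEVEL [Category] [correlation-id] (thread): message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+\[(?P<cat>[^\]]+)\]\s+"
    r"\[(?P<cid>[^\]]+)\]\s+\((?P<thread>\d+)\):\s*(?P<msg>.*)$"
)
# The AccessControl message quoted in the article
DENY_RE = re.compile(
    r'MobiControl access denied\. User "(?P<user>[^"]+)" belongs to the following '
    r'groups that has "deny access" to web console:\s*(?P<groups>.*)$'
)
TOKEN_FAILED = "Authorization Server Host: Authorization with token failed"
IDP_HOST_EXC = "MC IdP Host: Unhandled exception caught"


@dataclass
class ConsoleDenial:
    correlation_id: str
    timestamp: str
    user: str
    groups: list
    token_failed: bool = False  # True once the SSO token error is seen on the same request
    device_only: bool = False   # True if a denying group is one the operator marked device-only


def parse_header(line: str):
    """Split a headed log line into fields; return None for banner and stack-trace lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_console_denials(log_text: str, device_only_groups=()):
    """Return (list of ConsoleDenial, count of 'MC IdP Host' exceptions).

    device_only_groups: MobiControl groups that exist only for device-side
    (enrollment / shared device) authentication. The log does not say this;
    the operator supplies it (the article's excerpt uses "SOTI_USERS").
    """
    device_only = {g.lower() for g in device_only_groups}
    denials = {}
    current_cid = None
    idp_host_exceptions = 0
    for raw in log_text.splitlines():
        rec = parse_header(raw)
        if rec is not None:
            current_cid = rec["cid"]
            if rec["cat"] == "AccessControl":
                dm = DENY_RE.search(rec["msg"])
                if dm:
                    groups = re.findall(r'"([^"]+)"', dm.group("groups"))
                    denials[current_cid] = ConsoleDenial(
                        current_cid, rec["ts"], dm.group("user"), groups,
                        device_only=any(g.lower() in device_only for g in groups),
                    )
            continue
        # Banner ("* Exception: ... *") and stack-frame lines carry no header,
        # so they belong to the most recent headed line's correlation id.
        if TOKEN_FAILED in raw and current_cid in denials:
            denials[current_cid].token_failed = True
        elif IDP_HOST_EXC in raw:
            idp_host_exceptions += 1
    return list(denials.values()), idp_host_exceptions


def triage(log_text: str, device_only_groups=()):
    """Summarise which users match the article's pattern (device-only account sent to the web console)."""
    denials, idp_exc = find_console_denials(log_text, device_only_groups)
    matching = [d for d in denials if d.token_failed and d.device_only]
    return {
        "console_denials": len(denials),
        "matching_article_pattern": [d.user for d in matching],
        "idp_host_exceptions": idp_exc,
    }


# Constructed sample log: correlation ids, the second user and HELPDESK_RO are made up.
SAMPLE_LOG = """\
[2024-10-11 16:21:11.925] INFO  [AccessControl] [00000000-0000-0000-0000-000000000001] (243): MobiControl access denied. User "sample.onmicrosoft.com\\test.user@soti.net" belongs to the following groups that has "deny access" to web console:  "SOTI_USERS"
[2024-10-11 16:21:11.925] ERROR [General] [00000000-0000-0000-0000-000000000001] (243): *************************************************************************
* Exception: Authorization Server Host: Authorization with token failed *
*************************************************************************
[SecurityException: You do not have permissions to access this page.]
   at Soti.MobiControl.ManagementService.AuthorizationService.PermissionCheckFailed(IUser user, ISessionState session, AccessRights userRights)
[2024-10-11 16:25:02.001] INFO  [AccessControl] [00000000-0000-0000-0000-000000000002] (17): MobiControl access denied. User "corp\\helpdesk.user" belongs to the following groups that has "deny access" to web console:  "HELPDESK_RO"
[2024-10-23 10:16:13.742] ERROR [General] [00000000-0000-0000-0000-000000000003] (6): ******************************************************
* Exception: MC IdP Host: Unhandled exception caught *
******************************************************
[IOException: ]
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, device_only_groups=["SOTI_USERS"]), indent=2))
```

Run it against a copy of the Management Service log with your own device-only group names; a denial that is not followed by the token error, or whose group is a normal console group (the constructed HELPDESK_RO line), is an ordinary permission denial and not this issue.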

Issue Resolution

The issue will be fixed with the release of SOTI Identity 2025.1.0.

Workarounds

To work around the issue, take SOTI Identity out of the authentication path for these flows.

This means changing the setup to configure Entra ID directly in SOTI MobiControl to handle enrollment and shared-device authentication. After the change, confirm in the Management Service log that device-side accounts no longer produce the "access denied" and "Authorization with token failed" entries shown above. Do not work around the issue by granting these accounts web console access: they exist only for device-side authentication, and the deny rule on the web console is correct.
