This post was most recently updated on June 26th, 2019.
So, you got an error with the code AADSTS50011? It’s just Azure AD’s authentication acting up because of an invalid reply address! There’s a bunch of different reasons that lead to this error. This post describes the variant where the URL’s capitalization differs from what’s configured. For me, the most typical scenario where I run into this error is accessing the app from SharePoint.
So, you’re getting an error somewhat like this:
AADSTS50011: The reply address <...> does not match the reply addresses configured for the application: '<guid>'. More details: Reply address did not match because of case sensitivity.
This is another variation of the good old “AADSTS50011: The reply address does not match the reply addresses configured” error.
I recently encountered this version of the error. Normally, you don’t get any extra details – the “More details:” section will just say “not available” or some such. But I guess a lot of people have been struggling with the case-sensitivity of the URLs (I wonder who thought that was a good idea?), and Microsoft has opted to provide this slightly improved version of the classic reply-url error.
For once, the error message actually tells you exactly what’s wrong.
Probably your URL has “<site>/Pages/default.aspx” in it, but you entered it as “<site>/pages/default.aspx” in the configuration. Simple as that.
SharePoint normally handles redirection between differently capitalized versions of the URL, and you should only need to use one version of the URL. However, that doesn’t always work like it should, and you don’t always have just one version of the URL. That means you’ll just have to make sure your links always point to whatever address SharePoint actually resolves as the default – so make sure to either use only the web’s address (e.g. use the URL without library and page names), or use the address SharePoint returns to you by default. Or you can use both – you just can’t use multiple different capitalizations, for some reason!
The solution is 50% obvious, but 50% gotcha.
(Please note: this article was originally written for Azure Active Directory app registrations 2.0 endpoint - while the principle is still valid, the steps below might not be 100% correct)
If you think it’s easily done – and you can just change the case in the reply address from “/Pages/default.aspx” to “/pages/default.aspx” and be done with it – you’re only half correct. Whereas the check for reply addresses during authentication is case-sensitive, saving the URLs is not. If you just fix the URL and save, it’ll look like it saved, but it didn’t actually change the reply address. It still won’t work.
So, this is what you’ll need to do instead:
- Remove the offending value in the reply-url configuration
- Save the changes (click the button at the bottom of the page)
- Scroll back to the reply-urls, add a new one, this time with correct casing
- Save again – and after this, it should work!
Funny, eh? I know, it’s kind of ridiculous. But that’s the gotcha for you!
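To find which configured entry needs the remove-and-re-add treatment, the following is an added example (not code from the original post): it pulls the redirect_uri out of a sign-in request and compares it against the configured reply URLs. It assumes the sign-in check is an exact string comparison, as described above; the client ID and site URLs are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit


def requested_reply_url(authorize_url):
    """Return the URL-decoded redirect_uri parameter of a sign-in request."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    if not values:
        raise ValueError("sign-in request has no redirect_uri parameter")
    return values[0]


def diagnose(requested, configured):
    """Return (status, configured entries that differ from requested only by case).
    Assumption: the sign-in check is modelled as an exact, case-sensitive
    string comparison, which is how the post describes it.
    """
    if requested in configured:
        return "match", []
    case_only = [u for u in configured if u.lower() == requested.lower()]
    if case_only:
        return "case-mismatch", case_only
    return "no-match", []


def first_difference(a, b):
    """Index of the first character where a and b differ."""
    diffs = (i for i, (x, y) in enumerate(zip(a, b)) if x != y)
    return next(diffs, min(len(a), len(b)))


# Constructed sample data: client_id and site names are placeholders.
SAMPLE_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=id_token"
    "&redirect_uri=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fdemo%2FPages%2Fdefault.aspx"
)
SAMPLE_CONFIGURED = [
    "https://contoso.sharepoint.com/sites/demo/pages/default.aspx",
    "https://contoso.sharepoint.com/sites/other",
]

if __name__ == "__main__":
    requested = requested_reply_url(SAMPLE_REQUEST)
    status, entries = diagnose(requested, SAMPLE_CONFIGURED)
    print(status, requested)
    for entry in entries:
        pos = first_difference(requested, entry)
        print(f"  remove, save, re-add: {entry} (differs at character {pos})")
```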