So, you got an error with a code AADSTS50011? It’s just Azure AD’s authentication acting up because of invalid reply address! here’s a bunch of different reasons that lead to this error. This post describes the variant where the URL’s case sensitivity differns from what’s configured. For me, the most typical scenario where I run into this error is accessing the app from SharePoint.
So, you’re getting an error somewhat like this:
AADSTS50011: The reply address <...> does not match the reply addresses configured for the application: '<guid>'. More details: Reply address did not match because of case sensitivity.
This is another variation of the good old “AADSTS50011: The reply address does not match the reply addresses configured“-error.
I recently encountered this new version of the error. Normally, you don’t get any extra details – the “More details:” -section will just say “not available” or some such. But I guess a lot of people have been struggling with the case-sensitivity of the URLs (I wonder who thought that was a good idea?), and Microsoft has opted to provide this, slightly improved version of the classical reply-url error.
For once, the error message actually tells you exactly what’s wrong.
Probably your URL has “<site>/Pages/default.aspx” in it, but you entered it as “<site>/pages/default.aspx” in the configuration. Simple as that.
SharePoint normally handles redirection between differently capitalized versions of the URL, and you should only need to use one version of the URL. However, that doesn’t really always work like it should, and you don’t always have just one version of the URL. That means, that you’ll just have to make sure your links always point to whatever address SharePoint actually resolves as the default – so make sure to either use only the web’s address (e.g. use the URL without library and page names), or use the address SharePoint returns to you by default. Or you can use both – you just can’t use multiple different capitalizations, for some reason!
The solution is 50% obvious, but 50% gotcha.
If you think it’s easily done – and you can just change the case in the reply address from “/Pages/default.aspx” to “/pages/default.aspx” and be done with it, you’re only half correct. Whereas the checking for reply addresses in the authentication is case-sensitive, saving the urls is not. If you just fix the url and save, it’ll look like it saved but it didn’t actually change the reply address. It still won’t work.
So, this is what you’ll need to do instead:
- Remove the offending value in the reply-url configuration
- Save the changes (click the button at the bottom of the page)
- Scroll back to the reply-urls, add a new one, this time with correct casing
- Save again – and after this, it should work!
Funny, eh? I know, it’s kind of ridiculous. But that’s the gotcha for you!
Latest posts by Antti K. Koskela (see all)
- Thanks for coming to my session at SPS New England 10/20 ! - October 20, 2018
- Speaking at SPS New England on 10/20! - October 17, 2018
- Ignite 2018 recap: What’s new for Azure Functions? - October 16, 2018
- Problematic behavior of web.AddSupportedUILanguage(int lcid) in SharePoint 2013 and 2016 - October 10, 2018