This post was most recently updated on September 3rd, 2020.
So, you got an error with the code AADSTS50011? It’s just Azure AD’s authentication acting up because of an invalid reply address! There’s a bunch of different reasons that lead to this error. This post describes the variant where the URL’s case differs from what’s configured. For me, the most typical scenario where I run into this error is accessing the app from SharePoint.
In short: When trying to run code that tries to authenticate against AAD (like a SharePoint Online webpart or a Teams tab), you’re getting an error somewhat like this:
AADSTS50011: The reply address <...> does not match the reply addresses configured for the application: '<guid>'. More details: Reply address did not match because of case sensitivity.
This is another variation of the good old “AADSTS50011: The reply address does not match the reply addresses configured” error.
I recently encountered this version of the error. Normally, you don’t get any extra details – the “More details:” section will just say “not available” or some such. But I guess a lot of people have been struggling with the case-sensitivity of the URLs (I wonder who thought that was a good idea?), and Microsoft has opted to provide this slightly improved version of the classical reply-URL error.
For once, the error message actually tells you exactly what’s wrong.
Probably your URL has “<site>/Pages/default.aspx” in it, but you entered it as “<site>/pages/default.aspx” in the configuration. Simple as that.
SharePoint normally handles redirection between differently capitalized versions of the URL, and you should only need to use one version of the URL. However, that doesn’t always work like it should, and you don’t always have just one version of the URL. That means you’ll just have to make sure your links always point to whatever address SharePoint actually resolves as the default – so make sure to either use only the web’s address (e.g. use the URL without library and page names), or use the address SharePoint returns to you by default. Or you can use both – you just can’t use multiple different capitalizations, for some reason!
The solution is 50% obvious, but 50% gotcha.
(Please note: this article was originally written for Azure Active Directory app registrations 2.0 endpoint - while the principle is still valid, the steps below might not be 100% correct)
If you think it’s easily done – and you can just change the case in the reply address from “/Pages/default.aspx” to “/pages/default.aspx” and be done with it, you’re only half correct. Whereas the checking for reply addresses in the authentication is case-sensitive, saving the URLs is not. If you just fix the URL and save, it’ll look like it saved, but it didn’t actually change the reply address. It still won’t work.
So, this is what you’ll need to do instead:
- Remove the offending value in the reply-url configuration
- Save the changes (click the button at the bottom of the page)
- Scroll back to the reply-urls, add a new one, this time with correct casing
- Save again – and after this, it should work!
Funny, eh? I know, it’s kind of ridiculous. But that’s the gotcha for you!
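To confirm that a failing sign-in really is the case-sensitivity variant before removing and re-adding a reply URL, you can compare the reply address from the error with the configured values. The following Python is an added example, not code from the original post; the function names and the contoso URLs are constructed for illustration, and the check is modelled as a plain exact string comparison, which is an assumption based on the behaviour described above.

```python
from urllib.parse import urlsplit


def classify_reply_address(requested, configured):
    """Compare the reply address from the AADSTS50011 error with the
    reply URLs configured for the app.

    Returns (verdict, entry):
      "exact"          - requested is registered as-is
      "case_mismatch"  - an entry differs from requested only by casing
      "not_registered" - nothing matches, even ignoring case
    """
    if requested in configured:
        return ("exact", requested)
    folded = requested.casefold()
    for entry in configured:
        if entry.casefold() == folded:
            return ("case_mismatch", entry)
    return ("not_registered", None)


def differing_segments(requested, entry):
    """List (configured, requested) path segments whose casing differs."""
    req = urlsplit(requested).path.split("/")
    cfg = urlsplit(entry).path.split("/")
    return [(c, r) for r, c in zip(req, cfg) if r != c]


# Constructed sample values (contoso is a placeholder tenant).
REQUESTED = "https://contoso.sharepoint.com/sites/hr/Pages/default.aspx"
CONFIGURED = [
    "https://contoso.sharepoint.com/sites/hr",
    "https://contoso.sharepoint.com/sites/hr/pages/default.aspx",
]

if __name__ == "__main__":
    verdict, entry = classify_reply_address(REQUESTED, CONFIGURED)
    print(verdict)
    if verdict == "case_mismatch":
        for cfg_seg, req_seg in differing_segments(REQUESTED, entry):
            print(f"configured '{cfg_seg}' but the app sends '{req_seg}'")
        # Per the steps above: remove the entry, save, re-add, save.
        print(f"remove and save:  {entry}")
        print(f"re-add and save:  {REQUESTED}")
```

A "not_registered" verdict means the failure is one of the other AADSTS50011 variants, and the remove-and-re-add steps above will not help.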