Resolving incidents - Common errors

Checking the consistency of the firewall and Microsoft Entra ID tenant configurations

Go to Configuration > System > CLI console and type the following command, replacing the placeholder with the name of your Microsoft Entra ID domain:

CONFIG AUTH OIDC CHECK DomainName=<Microsoft_EntraID_domain_name>

The URL of the Microsoft Entra ID service (Issuer ID) in the firewall configuration is incorrect

One of the following messages appears:

type=warning code=1 domain="<domain name>" token="IssuerID" msg="Error when trying to get OIDC Provider Metadata document"
type=warning code=1 domain="<domain name>" token="IssuerID" msg="Error when trying to get OIDC Provider Metadata document (timeout)" value0="timeout"
type=warning code=1 domain="<domain name>" token="IssuerID" msg="Error when trying to get OIDC Provider Metadata document (invalid peer certificate)" value0="invalid peer certificate"

The application ID (client) in the firewall configuration is incorrect

The following message appears:

type=warning code=2 domain="<domain name>" token="ClientID" msg="Error with ClientID when testing connection to SNS OpenID application : <OpenID Provider error code>/<OpenID Provider error message>" value0=<OpenID Provider error code> value1=<OpenID Provider error message>

The client secret in the firewall configuration is incorrect

The following message appears:

type=warning code=3 domain="<domain name>" token="ClientSecret" msg="Error with ClientSecret when testing connection to SNS OpenID application : <OpenID Provider error code>/<OpenID Provider error message>" value0=<OpenID Provider error code> value1=<OpenID Provider error message>

The Users log file (Monitoring > Logs - Audit logs) also contains a line resembling:

id=firewall time="2025-01-09 19:59:53" fw="documentation-firewall.stormshield.eu" tz=+0100 startime="2025-01-09 19:59:53" user="unknown" src=10.100.17.85 domain="mycompanyinternal.onmicrosoft.com" confid=0 ruleid=0 method="OIDC" totp="no" error=5 msg="error to get token response"

A redirect URI is invalid or was not declared in the Microsoft Entra ID tenant application

The following message appears:

type=info code=4 domain="<domain name in section>" msg="Error with redirect_uri <redirect_uri> when testing connection to SNS OpenID application" value0=<redirect_uri>

None of the redirect URIs are valid or have been declared in the Microsoft Entra ID tenant application

The following message appears:

type=warning code=5 domain="<domain name>" msg="Error : No working redirect_uri"

Other cases

The following generic message appears:

type=warning code=6 domain="<domain name>" msg="Error when testing connection to SNS OpenID application : <OpenID Provider error code>/<OpenID Provider error message>" value0=<OpenID Provider error code> value1=<OpenID Provider error message>
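The diagnostic lines above share one key=value format, and the code field identifies which setting failed. As an added example (not Stormshield's own code), the following Python parses that output and maps each code to the cause documented above; the sample output is constructed, with a placeholder domain, redirect URI and provider error text.

```python
import shlex

# Documented meaning of each "code" value in CONFIG AUTH OIDC CHECK output.
CAUSES = {
    1: "Issuer ID (Microsoft Entra ID service URL) is incorrect or unreachable",
    2: "Application (client) ID is incorrect",
    3: "Client secret is incorrect",
    4: "This redirect URI is invalid or not declared in the tenant application",
    5: "No redirect URI is valid or declared in the tenant application",
    6: "Other OpenID Provider error, see value0/value1",
}
# Constructed sample: line shapes follow the documentation, but the domain,
# redirect URI and provider error text are placeholders, not real output.
SAMPLE_OUTPUT = """\
type=warning code=1 domain="example.onmicrosoft.com" token="IssuerID" msg="Error when trying to get OIDC Provider Metadata document (timeout)" value0="timeout"
type=info code=4 domain="example.onmicrosoft.com" msg="Error with redirect_uri https://fw.example.invalid/auth/oidc when testing connection to SNS OpenID application" value0=https://fw.example.invalid/auth/oidc
type=warning code=3 domain="example.onmicrosoft.com" token="ClientSecret" msg="Error with ClientSecret when testing connection to SNS OpenID application : invalid_client/constructed message" value0=invalid_client value1="constructed message"
"""

def parse_check_line(line):
    """Split one key=value diagnostic line into a dict, unquoting quoted values."""
    fields = {}
    for item in shlex.split(line):
        key, sep, value = item.partition("=")
        if sep:
            fields[key] = value
    if "code" in fields:
        fields["code"] = int(fields["code"])
    return fields

def diagnose(output):
    """Map each CHECK line to (code, type, cause, detail); detail joins value0/value1."""
    results = []
    for line in output.splitlines():
        f = parse_check_line(line) if line.strip() else {}
        if "code" not in f:
            continue
        detail = "/".join(v for v in (f.get("value0"), f.get("value1")) if v)
        results.append((f["code"], f.get("type", "?"),
                        CAUSES.get(f["code"], "Undocumented code"), detail))
    return results

def blocking_errors(results):
    """Only type=warning lines stop authentication: a code=4 line is type=info,
    because one failing redirect URI still leaves the others usable."""
    return [r for r in results if r[1] == "warning"]

if __name__ == "__main__":
    for code, kind, cause, detail in diagnose(SAMPLE_OUTPUT):
        print(f"code={code} [{kind}] {cause}" + (f" ({detail})" if detail else ""))
```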

Other common errors

The configured time or time zone on the firewall is incorrect

This error causes a log line to be written in Monitoring > Logs - Audit logs > Users with the following message:

ID Token with an invalid 'exp' claim

The preferred_username claim is missing from the Microsoft Entra ID tenant configuration

This error causes a visible log line to be written in Monitoring > Logs - Audit logs > Users with the following message:

ID Token with an invalid or missing 'preferred_username' claim

The Microsoft Entra ID servers cannot be reached

This error causes a visible log line to be written in Monitoring > Logs - Audit logs > Users with the following message:

Error while retrieving the OIDC Provider Metadata document

A group received from the identity provider (Microsoft Entra ID) was not declared on the firewall

This error causes a visible log line such as the following to be written in Monitoring > Logs - Audit logs > System events:

Attempt to authenticate with the following undeclared GUIDs: GUID="<GUID_reference>"