I have a legacy ASP.NET 4.8 MVC application which is being migrated to use Azure AD Authentication using the Microsoft.Owin framework. The application configuration works fine on my local machine. However, I encounter issues when running it on the production server.

Production environment proxy Setup: The application is hosted on an IIS server behind a proxy. SSL is terminated at the proxy, and HTTP requests are forwarded to the IIS server.

When I browse protected pages on the production server, I am correctly redirected to the login.microsoftonline.com login page and can log in successfully. However, after logging in, the .AspNet.Cookies authentication cookie is not set on the production server, resulting in a redirect loop between the application and the Azure AD /authorize endpoint.

I am assuming there is a problem issuing “.AspNet.Cookies” cookie as I don’t see that in my browser. How can this be confirmed? or traced?

This is how it is configured in startup.cs class. I have followed some online article to implement this & working fine on my local.

public void Configuration(IAppBuilder app)
{
    // Configure Auth0 parameters
    string auth0Domain = ConfigurationManager.AppSettings["auth0:Domain"];
    string auth0ClientId = ConfigurationManager.AppSettings["auth0:ClientId"];
    string auth0RedirectUri = ConfigurationManager.AppSettings["auth0:RedirectUri"];
    string auth0PostLogoutRedirectUri = ConfigurationManager.AppSettings["auth0:PostLogoutRedirectUri"];

    // Set Cookies as default authentication type
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        LoginPath = new PathString("/Account/Login"),
        CookieSameSite = Microsoft.Owin.SameSiteMode.None,
        // More information on why the CookieManager needs to be set can be found here: 
        // https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues
        CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
    });


    // Configure Auth0 authentication
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        AuthenticationType = "Auth0",

        Authority = auth0Domain,

        ClientId = auth0ClientId,

        RedirectUri = auth0RedirectUri,
        PostLogoutRedirectUri = auth0PostLogoutRedirectUri,
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        Scope = "openid profile email",

        SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,

        TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name"
        },

        // More information on why the CookieManager needs to be set can be found here: 
        // https://docs.microsoft.com/en-us/aspnet/samesite/owin-samesite
        CookieManager = new SameSiteCookieManager(new SystemWebCookieManager()),

        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthorizationCodeReceived = async n =>
            {
                var client = new HttpClient();
                var tokenResponse = await client.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
                {
                    Code = n.Code,
                    Address = "https://login.microsoftonline.com/2d55c52b-2865-45c0-b174-fef7eed8e331/oauth2/v2.0/token",
                    ClientId = auth0ClientId,
                    ClientSecret = "WLT8Q~KKe2S5k~XrzUsz-XJUiRPdgaiBAx1uYcnr",
                    RedirectUri = auth0RedirectUri,
                });

                if (tokenResponse.IsError)
                    throw new Exception(tokenResponse.Error);

                var response = await client.GetUserInfoAsync(new UserInfoRequest
                {
                    Token = tokenResponse.AccessToken,
                    Address = "https://graph.microsoft.com/oidc/userinfo",
                });

                if (response.IsError)
                    throw new Exception(response.Error);

                n.AuthenticationTicket.Identity.AddClaims(response.Claims);
            },
            RedirectToIdentityProvider = notification =>
            {
                if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                {

                }
                if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                {
                    var logoutUri = $"https://{auth0Domain}/v2/logout?client_id={auth0ClientId}";

                    var postLogoutUri = notification.ProtocolMessage.PostLogoutRedirectUri;
                    if (!string.IsNullOrEmpty(postLogoutUri))
                    {
                        if (postLogoutUri.StartsWith("/"))
                        {
                            // transform to absolute
                            var request = notification.Request;
                            postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                        }
                        logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
                    }

                    notification.Response.Redirect(logoutUri);
                    notification.HandleResponse();
                }
                return Task.FromResult(0);
            }
        }
    });
}

How can I ensure the .AspNet.Cookies cookie is set correctly on the production server?

Are there additional configurations needed to handle SSL termination at the proxy?