Value cannot be null. Parameter name: userName - after switching to Azure AD authentication

Hello,

We are switching our CMS project from MultiplexingMembershipProvider (Windows and SQL) to OpenId Connect (Azure AD) using documentation provided at: https://world.episerver.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/

Authentication is working, but when I attempt to access the editor (or admin) interface, I get an ArgumentNullException.

Value cannot be null.
Parameter name: userName

EPiServer.Shell.Profile.ProfileRepository.GetOrCreateProfile(String userName)

I have pasted the relevant area of web.config, a list of the claims I'm getting, my packages, and the details of the exception below. Any assistance would be greatly appreciated.

<authentication mode="None" />
<membership>
<providers>
<clear />
</providers>
</membership>
<roleManager enabled="false">
<providers>
<clear />
</providers>
</roleManager>
<profile defaultProvider="DefaultProfileProvider">
<properties>
<add name="Address" type="System.String" />
<add name="ZipCode" type="System.String" />
<add name="Locality" type="System.String" />
<add name="Email" type="System.String" />
<add name="FirstName" type="System.String" />
<add name="LastName" type="System.String" />
<add name="Language" type="System.String" />
<add name="Country" type="System.String" />
<add name="Company" type="System.String" />
<add name="Title" type="System.String" />
<add name="CustomExplorerTreePanel" type="System.String" />
<add name="FileManagerFavourites" type="System.Collections.Generic.List`1[System.String]" />
<add name="EditTreeSettings" type="EPiServer.Personalization.GuiSettings, EPiServer.Cms.AspNet" />
<add name="ClientToolsActivationKey" type="System.String" />
<add name="FrameworkName" type="System.String" />
</properties>
<providers>
<add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="EPiServerDB" applicationName="/" />
</providers>
</profile>

[0]: {aud: ***}
[1]: {iss: https://login.microsoftonline.com/***/v2.0}
[2]: {iat: ***}
[3]: {nbf: ***}
[4]: {exp: ***}
[5]: {aio: ***}
[6]: {c_hash: ***}
[7]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: ***}
[8]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname: ***}
[9]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname: ***}
[10]: {name: ***}
[11]: {nonce: ***}
[12]: {http://schemas.microsoft.com/identity/claims/objectidentifier: ***}
[13]: {preferred_username: ***}
[14]: {rh: *** }
[15]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: WebEditors}
[16]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: WebAdmins}
[17]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Administrators}
[18]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: ***}
[19]: {http://schemas.microsoft.com/identity/claims/tenantid: ***}
[20]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn: ***}
[21]: {uti: ***}
[22]: {ver: 2.0}

<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="Antlr" version="3.5.0.2" targetFramework="net452" />
<package id="BuildBundlerMinifier" version="2.4.337" targetFramework="net461" />
<package id="Castle.Core" version="4.2.1" targetFramework="net461" />
<package id="Castle.Windsor" version="4.1.0" targetFramework="net461" />
<package id="Chart.js" version="2.5.0" targetFramework="net461" />
<package id="CsvHelper" version="7.1.0" targetFramework="net462" />
<package id="EntityFramework" version="6.1.3" targetFramework="net452" />
<package id="EPiServer.AddOns.Helpers" version="0.4.0.0" targetFramework="net462" />
<package id="EPiServer.Azure" version="10.0.1" targetFramework="net462" />
<package id="EPiServer.ChangeApproval" version="1.3.0" targetFramework="net462" />
<package id="EPiServer.CMS" version="11.20.1" targetFramework="net462" />
<package id="EPiServer.Cms.AddOns.Blocks" version="2.4.1" targetFramework="net461" />
<package id="EPiServer.CMS.AspNet" version="11.20.1" targetFramework="net462" />
<package id="EPiServer.CMS.Core" version="11.20.1" targetFramework="net462" />
<package id="EPiServer.CMS.TinyMce" version="2.13.0" targetFramework="net462" />
<package id="EPiServer.CMS.UI" version="11.30.1" targetFramework="net462" />
<package id="EPiServer.CMS.UI.Core" version="11.30.1" targetFramework="net462" />
<package id="EPiServer.ContentDeliveryApi.Cms" version="2.17.0" targetFramework="net462" />
<package id="EPiServer.ContentDeliveryApi.Core" version="2.17.0" targetFramework="net462" />
<package id="EPiServer.Forms" version="4.29.3" targetFramework="net462" />
<package id="EPiServer.Forms.Core" version="4.29.3" targetFramework="net462" />
<package id="EPiServer.Forms.Samples" version="3.6.0" targetFramework="net462" />
<package id="EPiServer.Forms.ServiceApi" version="3.5.0" targetFramework="net462" />
<package id="EPiServer.Forms.UI" version="4.29.3" targetFramework="net462" />
<package id="EPiServer.Framework" version="11.20.1" targetFramework="net462" />
<package id="EPiServer.Framework.AspNet" version="11.20.1" targetFramework="net462" />
<package id="EPiServer.GoogleAnalytics" version="2.3.2" targetFramework="net462" />
<package id="Episerver.GoogleMapsEditor" version="1.0.13.0" targetFramework="net462" />
<package id="EPiServer.Insight.Cms" version="1.22.0" targetFramework="net462" />
<package id="EPiServer.Insight.UI" version="1.22.0" targetFramework="net462" />
<package id="EPiServer.Logging.Log4Net" version="2.2.2" targetFramework="net461" />
<package id="EPiServer.Packaging" version="3.4.0" targetFramework="net461" />
<package id="EPiServer.Packaging.UI" version="3.4.0" targetFramework="net461" />
<package id="EPiServer.Personalization.Content.UI" version="0.2.0" targetFramework="net462" />
<package id="EPiServer.Personalization.MaxMindGeolocation" version="1.0.0" targetFramework="net462" />
<package id="EPiServer.Profiles.Client" version="1.22.0" targetFramework="net462" />
<package id="EPiServer.Profiles.Client.Common" version="1.22.0" targetFramework="net462" />
<package id="EPiServer.Search" version="9.0.3" targetFramework="net462" />
<package id="EPiServer.Search.Cms" version="9.0.3" targetFramework="net462" />
<package id="EPiServer.ServiceApi" version="5.4.5" targetFramework="net462" />
<package id="EPiServer.ServiceLocation.StructureMap" version="2.0.3" targetFramework="net462" />
<package id="EPiServer.Session" version="1.0.1" targetFramework="net462" />
<package id="EPiServer.Social" version="3.1.0" targetFramework="net462" />
<package id="EPiServer.TinyMCESpellChecker" version="2.0.0" targetFramework="net462" />
<package id="EPiServer.Tracking.Cms" version="1.22.0" targetFramework="net462" />
<package id="EPiServer.Tracking.Core" version="1.22.0" targetFramework="net462" />
<package id="EPiServer.Tracking.PageView" version="1.1.0" targetFramework="net462" />
<package id="EPiServer.VisitorGroupsCriteriaPack" version="2.0.1" targetFramework="net461" />
<package id="Galleria.js" version="1.4.2" targetFramework="net451" />
<package id="Geta.SEO.Sitemaps" version="3.1.3" targetFramework="net462" />
<package id="Geta.Tags" version="4.0.12" targetFramework="net462" />
<package id="ImageResizer" version="4.2.5" targetFramework="net461" />
<package id="ImageResizer.Plugins.AzureReader2" version="4.2.5" targetFramework="net462" />
<package id="ImageResizer.Plugins.DiskCache" version="4.2.5" targetFramework="net462" />
<package id="ImageResizer.Plugins.EPiFocalPoint" version="2.0.1" targetFramework="net461" />
<package id="ImageResizer.Plugins.EPiServerBlobReader" version="7.2.0" targetFramework="net462" />
<package id="ImageResizer.Storage" version="4.2.5" targetFramework="net462" />
<package id="ImageResizer.WebConfig" version="4.2.5" targetFramework="net461" />
<package id="jQuery" version="3.1.0" targetFramework="net452" />
<package id="jQuery.Validation" version="1.11.1" targetFramework="net462" />
<package id="Knockout.Mapping" version="2.4.0" targetFramework="net461" />
<package id="knockoutjs" version="3.4.0" targetFramework="net461" />
<package id="log4net" version="2.0.8" targetFramework="net461" />
<package id="Lucene.Net" version="3.0.3" targetFramework="net45" />
<package id="MaxMind.Db" version="2.4.0" targetFramework="net462" />
<package id="MaxMind.GeoIP2" version="3.0.0" targetFramework="net462" />
<package id="Microsoft.ApplicationInsights" version="2.9.1" targetFramework="net462" />
<package id="Microsoft.ApplicationInsights.Agent.Intercept" version="2.4.0" targetFramework="net462" />
<package id="Microsoft.ApplicationInsights.DependencyCollector" version="2.9.0" targetFramework="net462" />
<package id="Microsoft.ApplicationInsights.Log4NetAppender" version="2.9.1" targetFramework="net462" />
<package id="Microsoft.ApplicationInsights.PerfCounterCollector" version="2.9.0" targetFramework="net462" />
<package id="Microsoft.ApplicationInsights.Web" version="2.9.0" targetFramework="net462" />
<package id="Microsoft.ApplicationInsights.WindowsServer" version="2.9.0" targetFramework="net462" />
<package id="Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel" version="2.9.0" targetFramework="net462" />
<package id="Microsoft.AspNet.Cors" version="5.2.3" targetFramework="net45" />
<package id="Microsoft.AspNet.Identity.Core" version="2.2.1" targetFramework="net462" />
<package id="Microsoft.AspNet.Identity.Owin" version="2.2.1" targetFramework="net462" />
<package id="Microsoft.AspNet.Mvc" version="5.2.3" targetFramework="net45" />
<package id="Microsoft.AspNet.OData" version="5.6.0" targetFramework="net462" />
<package id="Microsoft.AspNet.Providers.Core" version="2.0.0" targetFramework="net45" />
<package id="Microsoft.AspNet.Razor" version="3.2.3" targetFramework="net45" />
<package id="Microsoft.AspNet.SignalR" version="2.0.3" targetFramework="net45" />
<package id="Microsoft.AspNet.SignalR.Core" version="2.0.3" targetFramework="net45" />
<package id="Microsoft.AspNet.SignalR.JS" version="2.0.3" targetFramework="net45" />
<package id="Microsoft.AspNet.SignalR.SystemWeb" version="2.0.3" targetFramework="net45" />
<package id="Microsoft.AspNet.TelemetryCorrelation" version="1.0.5" targetFramework="net462" />
<package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net45" />
<package id="Microsoft.AspNet.WebApi" version="5.2.3" targetFramework="net45" />
<package id="Microsoft.AspNet.WebApi.Client" version="5.2.6" targetFramework="net462" />
<package id="Microsoft.AspNet.WebApi.Core" version="5.2.3" targetFramework="net45" />
<package id="Microsoft.AspNet.WebApi.Cors" version="5.2.3" targetFramework="net45" />
<package id="Microsoft.AspNet.WebApi.Owin" version="5.2.3" targetFramework="net462" />
<package id="Microsoft.AspNet.WebApi.WebHost" version="5.2.3" targetFramework="net45" />
<package id="Microsoft.AspNet.WebPages" version="3.2.3" targetFramework="net45" />
<package id="Microsoft.Azure.KeyVault.Core" version="1.0.0" targetFramework="net45" />
<package id="Microsoft.Azure.Search" version="3.0.3" targetFramework="net462" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net462" />
<package id="Microsoft.CSharp" version="4.4.1" targetFramework="net462" />
<package id="Microsoft.Data.Edm" version="5.8.2" targetFramework="net461" />
<package id="Microsoft.Data.OData" version="5.8.2" targetFramework="net461" />
<package id="Microsoft.Data.Services.Client" version="5.8.2" targetFramework="net461" />
<package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.14.2" targetFramework="net462" />
<package id="Microsoft.IdentityModel.JsonWebTokens" version="5.3.0" targetFramework="net462" />
<package id="Microsoft.IdentityModel.Logging" version="5.3.0" targetFramework="net462" />
<package id="Microsoft.IdentityModel.Protocol.Extensions" version="1.0.4.403061554" targetFramework="net462" />
<package id="Microsoft.IdentityModel.Protocols" version="5.3.0" targetFramework="net462" />
<package id="Microsoft.IdentityModel.Protocols.OpenIdConnect" version="5.3.0" targetFramework="net462" />
<package id="Microsoft.IdentityModel.Tokens" version="5.3.0" targetFramework="net462" />
<package id="Microsoft.jQuery.Unobtrusive.Validation" version="3.2.3" targetFramework="net462" />
<package id="Microsoft.OData.Core" version="6.19.0" targetFramework="net462" />
<package id="Microsoft.OData.Edm" version="6.19.0" targetFramework="net462" />
<package id="Microsoft.Owin" version="4.1.1" targetFramework="net462" />
<package id="Microsoft.Owin.Host.SystemWeb" version="4.1.1" targetFramework="net462" />
<package id="Microsoft.Owin.Security" version="4.1.1" targetFramework="net462" />
<package id="Microsoft.Owin.Security.Cookies" version="4.1.1" targetFramework="net462" />
<package id="Microsoft.Owin.Security.OAuth" version="2.1.0" targetFramework="net462" />
<package id="Microsoft.Owin.Security.OpenIdConnect" version="4.1.1" targetFramework="net462" />
<package id="Microsoft.Owin.Security.WsFederation" version="3.0.1" targetFramework="net45" />
<package id="Microsoft.Rest.ClientRuntime" version="2.3.20" targetFramework="net462" />
<package id="Microsoft.Rest.ClientRuntime.Azure" version="3.3.6" targetFramework="net461" />
<package id="Microsoft.Spatial" version="6.19.0" targetFramework="net462" />
<package id="Microsoft.Tpl.Dataflow" version="4.5.24" targetFramework="net461" />
<package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net45" />
<package id="Microsoft.Web.RedisSessionStateProvider" version="2.2.0" targetFramework="net452" />
<package id="Microsoft.Web.Xdt" version="1.0.0" targetFramework="net461" />
<package id="Microsoft.WindowsAzure.ConfigurationManager" version="3.1.0" targetFramework="net462" />
<package id="mustache.js" version="0.7.2" targetFramework="net461" />
<package id="Newtonsoft.Json" version="11.0.2" targetFramework="net462" />
<package id="NHunspell" version="1.2.5554.16953" targetFramework="net452" />
<package id="NuGet.Core" version="2.7.2" targetFramework="net461" />
<package id="Owin" version="1.0" targetFramework="net45" />
<package id="PagedList" version="1.17.0.0" targetFramework="net452" />
<package id="PagedList.Mvc" version="4.5.0.0" targetFramework="net452" />
<package id="Postal.Mvc4" version="1.2.0" targetFramework="net45" />
<package id="RazorEngine" version="3.9.0" targetFramework="net452" />
<package id="Redlands.Insight" version="1.0.3" targetFramework="net462" />
<package id="SharpZipLib" version="0.86.0" targetFramework="net45" />
<package id="SiteImprove.EPiServer11.Plugin" version="2.7.0" targetFramework="net462" />
<package id="StackExchange.Redis.StrongName" version="1.1.603" targetFramework="net461" />
<package id="StructureMap" version="4.7.1" targetFramework="net462" />
<package id="structuremap.web" version="4.0.0.315" targetFramework="net461" />
<package id="structuremap.web-signed" version="3.1.6.191" targetFramework="net452" />
<package id="structuremap-signed" version="3.1.9.463" targetFramework="net461" />
<package id="System.ComponentModel.Annotations" version="4.4.0" targetFramework="net461" />
<package id="System.ComponentModel.EventBasedAsync" version="4.0.11" targetFramework="net461" />
<package id="System.Data.SqlClient" version="4.4.0" targetFramework="net461" />
<package id="System.Diagnostics.DiagnosticSource" version="4.5.0" targetFramework="net462" />
<package id="System.Dynamic.Runtime" version="4.0.0" targetFramework="net461" />
<package id="System.IdentityModel.Tokens.Jwt" version="5.3.0" targetFramework="net462" />
<package id="System.Linq.Queryable" version="4.0.0" targetFramework="net461" />
<package id="System.Net.Requests" version="4.0.11" targetFramework="net461" />
<package id="System.Reflection.Emit" version="4.3.0" targetFramework="net461" />
<package id="System.Reflection.Emit.Lightweight" version="4.3.0" targetFramework="net461" />
<package id="System.Security.AccessControl" version="4.4.0" targetFramework="net461" />
<package id="System.Security.Cryptography.Xml" version="4.4.2" targetFramework="net462" />
<package id="System.Security.Permissions" version="4.4.0" targetFramework="net461" />
<package id="System.Security.Principal.Windows" version="4.4.0" targetFramework="net461" />
<package id="System.Spatial" version="5.8.2" targetFramework="net461" />
<package id="System.Threading.AccessControl" version="4.4.0" targetFramework="net461" />
<package id="System.ValueTuple" version="4.5.0" targetFramework="net462" />
<package id="underscore.js" version="1.8.3" targetFramework="net461" />
<package id="WebGrease" version="1.6.0" targetFramework="net452" />
<package id="WindowsAzure.ServiceBus" version="6.0.0" targetFramework="net462" />
<package id="WindowsAzure.Storage" version="9.3.3" targetFramework="net462" />
</packages>

Value cannot be null.
Parameter name: userName

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentNullException: Value cannot be null.
Parameter name: userName

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace:

[ArgumentNullException: Value cannot be null.
Parameter name: userName]
   EPiServer.Shell.Profile.ProfileRepository.GetOrCreateProfile(String userName) +89
   EPiServer.Cms.Shell.UI.Profile.CurrentUiCulture.Get(String userName) +20
   EPiServer.Shell.Web.Mvc.HttpContextBaseExtensions.SetCulture(HttpContextBase httpContext, ICurrentUiCulture currentUiCulture) +128
   EPiServer.Shell.Web.Mvc.ModuleMvcHandler.ProcessRequestInit(HttpContextBase httpContext) +23
   EPiServer.Shell.Web.Mvc.ModuleMvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) +14
   System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContext httpContext, AsyncCallback callback, Object state) +48
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) +16
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +444
   System.Web.<>c__DisplayClass285_0.<ExecuteStepImpl>b__0() +24
   System.Web.StepInvoker.Invoke(Action executionStep) +100
   System.Web.<>c__DisplayClass4_0.<Invoke>b__0() +17
   Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule.OnExecuteRequestStep(HttpContextBase context, Action step) +64
   System.Web.<>c__DisplayClass284_0.<OnExecuteRequestStep>b__0(Action nextStepAction) +54
   System.Web.StepInvoker.Invoke(Action executionStep) +84
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +100
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +163
#234901
Dec 04, 2020 18:30
Hi Jonathan

It looks like the user name is not properly mapped when the user returns from Azure AD. By default the OpenIDConnect library expects a claim type with a long key ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), while your Azure AD setup returns one with a shorter one ("name").

Try adding the following piece of code to your OpenIdConnectAuthenticationOptions instance.

TokenValidationParameters = new TokenValidationParameters
{
    NameClaimType = "name", // Or "preferred_username"
    RoleClaimType = ClaimTypes.Role
}
#234925
Dec 05, 2020 19:02
Jonathan Otmar - Dec 05, 2020 19:32
Thank you for your quick response. That was the issue. Is there any documentation for how EPi matches profile properties to claims? Thank you.
Stefan Holm Olsen - Dec 05, 2020 19:36
Happy to hear it fixed your issue.
I don't think Episerver keeps documentation about these claims. It is a Microsoft thing, which may be affected by the Azure AD configuration or a difference between v1 and v2 of the Authority URL.
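The name-claim mapping discussed in the answer above, as an added example that is not part of the original thread or of Episerver's code: it uses only System.Security.Claims to show why the identity's Name is null under the default mapping and how setting the name claim type fixes it. The sample claim values, the NameClaimDemo class and the ResolveNameClaimType helper are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class NameClaimDemo
{
    // Constructed sample values; the claim types match the token listed in the question.
    static readonly Claim[] SampleClaims =
    {
        new Claim("name", "Sample User"),
        new Claim("preferred_username", "sample.user@example.test"),
        new Claim(ClaimTypes.Role, "WebEditors"),
    };

    // Hypothetical helper: return the first candidate claim type that is present
    // with a non-empty value, or throw so that sign-in fails at token validation
    // instead of later code receiving a null user name.
    static string ResolveNameClaimType(Claim[] claims, params string[] candidates)
    {
        foreach (var type in candidates)
        {
            if (claims.Any(c => c.Type == type && !string.IsNullOrWhiteSpace(c.Value)))
                return type;
        }
        throw new InvalidOperationException(
            "Token has none of the expected name claims: " + string.Join(", ", candidates));
    }

    // Same role this plays in TokenValidationParameters: nameType decides which
    // claim backs ClaimsIdentity.Name, roleType which claims back IsInRole.
    static ClaimsIdentity Build(Claim[] claims, string nameClaimType)
    {
        return new ClaimsIdentity(claims, "OpenIdConnect", nameClaimType, ClaimTypes.Role);
    }

    static void Main()
    {
        // Default mapping: Name looks for ClaimTypes.Name
        // (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name),
        // which this token does not carry.
        var byDefault = Build(SampleClaims, ClaimTypes.Name);
        Console.WriteLine("default mapping, Name is null: " + (byDefault.Name == null));

        // Mapped to a claim the token actually carries.
        var nameType = ResolveNameClaimType(SampleClaims, "name", "preferred_username");
        var mapped = Build(SampleClaims, nameType);
        Console.WriteLine("mapped to '" + nameType + "', Name = " + mapped.Name);

        // Role checks keep working because the role claim type is unchanged.
        var principal = new ClaimsPrincipal(mapped);
        Console.WriteLine("IsInRole(WebEditors) = " + principal.IsInRole("WebEditors"));
    }
}
```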