Tracing a weird exception on Azure AD B2C

Rory Braybrook
The new control plane
2 min read · Mar 20, 2023

[Image: red exclamation mark. PKua, Public domain, via Wikimedia Commons]

The B2C error on the page is:

The page cannot be displayed because an internal server error has occurred.

The error in AppInsights is:

""Content"": "Web.TPEngine.StateMachineHandlers.SendErrorResponseToXmlHttpRequestClient"

There are no other details (attribute names etc.) that could serve as clues.

To see how to use AppInsights, refer to this.

I previously wrote up some details here.

Since then, I’ve done some more research.

What you see going through the trace is:

""EventName"": ""SELFASSERTED"",

""StateName"": ""Microsoft.Cpim.Common.PolicyException""

""Content"": ""Web.TPEngine.StateMachineHandlers.WarningExceptionTraceHandler""
},

and then the error.

I have only ever seen this error on a self-asserted page.

My educated guess is that this happens when B2C tries to render the page.

I created a test policy that:

  • Gets the user’s email — “Get-Email”
  • Reads the user details — “AAD-UserReadUsingEmailAddress”
  • Displays some attributes — “SelfAsserted-HTML”

The error happens on the third step.

As usual, the policy that causes the error is in the gist.

If you look at the policy, you see:

<ClaimType Id="extension_a">
  <DataType>string</DataType>
</ClaimType>

and this is defined as a string. Given that this is an output field in a self-asserted page:

<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="accountEnabled"/>
  <OutputClaim ClaimTypeReferenceId="givenName"/>
  <OutputClaim ClaimTypeReferenceId="surname"/>
  <OutputClaim ClaimTypeReferenceId="extension_a"/>
  <OutputClaim ClaimTypeReferenceId="extension_b"/>
</OutputClaims>

it should have an input type as well, so let’s add:

<UserInputType>TextBox</UserInputType>

to “extension_a” and “extension_b”.

No, same error.

What about “accountEnabled”, “givenName”, and “surname”?

“givenName” and “surname” are both defined with a “UserInputType” of “TextBox” in the base policy file, but “accountEnabled” is simply a string.

So using inheritance, let’s augment the definition:

<ClaimType Id="accountEnabled">
  <UserInputType>TextBox</UserInputType>
</ClaimType>

and add “DisplayName” to the extensions for readability.

Bingo!

The page is finally displayed:

Image of output page showing all the fields.

I then added:

<ClaimType Id="extension_dob">
  <DisplayName>Extension DoB</DisplayName>
  <DataType>dateTime</DataType>
  <UserInputType>TextBox</UserInputType>
</ClaimType>

just to check a different data type, and again the error occurred until I added a TextBox.

The gist that displays correctly is here.

The trick is to look for reasons why the page can’t render!
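The check described above can be automated rather than found by trial and error. The following is an added example, not code from the post or from Microsoft: a small linter that reads a set of B2C policy files in inheritance order (base, then extensions, then relying party), merges ClaimType and TechnicalProfile definitions by Id the way B2C inheritance does, and reports every OutputClaim on a self-asserted technical profile whose resolved ClaimType has no UserInputType (or is not defined at all). The two policy documents are constructed sample input mirroring the post's scenario; the namespace URI and the SelfAssertedAttributeProvider handler name are the real ones, and "UserInputType present" as the render condition is the post's finding rather than a documented rule.

```python
"""Lint an Azure AD B2C custom-policy set for self-asserted output claims
that cannot be rendered (no UserInputType), the failure the post traces
to SendErrorResponseToXmlHttpRequestClient. Added example, not the post's
own code."""
import xml.etree.ElementTree as ET

NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
# Substring of the Protocol Handler that marks a self-asserted page.
SELF_ASSERTED = "SelfAssertedAttributeProvider"

# Constructed sample base policy (assumed file contents, trimmed to what the
# check needs): givenName/surname have a TextBox, accountEnabled and
# extension_a are plain strings, as in the post.
BASE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="givenName"><DataType>string</DataType><UserInputType>TextBox</UserInputType></ClaimType>
    <ClaimType Id="surname"><DataType>string</DataType><UserInputType>TextBox</UserInputType></ClaimType>
    <ClaimType Id="accountEnabled"><DataType>string</DataType></ClaimType>
    <ClaimType Id="extension_a"><DataType>string</DataType></ClaimType>
  </ClaimsSchema></BuildingBlocks>
</TrustFrameworkPolicy>"""

# Constructed sample extensions policy: defines the self-asserted page and,
# via inheritance, adds a TextBox to extension_a but forgets accountEnabled.
EXT_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="extension_a"><UserInputType>TextBox</UserInputType></ClaimType>
  </ClaimsSchema></BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-HTML">
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="accountEnabled"/>
        <OutputClaim ClaimTypeReferenceId="givenName"/>
        <OutputClaim ClaimTypeReferenceId="surname"/>
        <OutputClaim ClaimTypeReferenceId="extension_a"/>
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""


def merge_policies(policy_xml_in_order):
    """Merge ClaimTypes and TechnicalProfiles across files by Id.

    Later files add or override child elements of an earlier definition,
    which is how B2C inheritance lets an extensions file add a
    UserInputType to a base ClaimType.
    Returns (claim_types, profiles):
      claim_types: Id -> {child tag -> text}
      profiles:    Id -> {"handler": str | None, "output_claims": set}
    """
    claim_types, profiles = {}, {}
    for xml_text in policy_xml_in_order:
        root = ET.fromstring(xml_text)
        for ct in root.iterfind(".//b2c:ClaimsSchema/b2c:ClaimType", NS):
            entry = claim_types.setdefault(ct.get("Id"), {})
            for child in ct:
                entry[child.tag.split("}")[-1]] = (child.text or "").strip()
        for tp in root.iterfind(".//b2c:TechnicalProfile", NS):
            entry = profiles.setdefault(
                tp.get("Id"), {"handler": None, "output_claims": set()})
            proto = tp.find("b2c:Protocol", NS)
            if proto is not None:
                entry["handler"] = proto.get("Handler")
            for oc in tp.iterfind("b2c:OutputClaims/b2c:OutputClaim", NS):
                entry["output_claims"].add(oc.get("ClaimTypeReferenceId"))
    return claim_types, profiles


def find_unrenderable_claims(policy_xml_in_order):
    """Return [(profile_id, claim_id, reason)] for every OutputClaim on a
    self-asserted technical profile that the page could not render."""
    claim_types, profiles = merge_policies(policy_xml_in_order)
    findings = []
    for tp_id, tp in sorted(profiles.items()):
        if not tp["handler"] or SELF_ASSERTED not in tp["handler"]:
            continue  # not a self-asserted page; nothing is rendered
        for claim_id in sorted(tp["output_claims"]):
            ct = claim_types.get(claim_id)
            if ct is None:
                findings.append((tp_id, claim_id, "ClaimType not defined"))
            elif not ct.get("UserInputType"):
                findings.append((tp_id, claim_id, "no UserInputType"))
    return findings


if __name__ == "__main__":
    for tp_id, claim_id, reason in find_unrenderable_claims([BASE_POLICY, EXT_POLICY]):
        print(f"{tp_id}: OutputClaim {claim_id} -> {reason}")
```

Run against the two sample documents it reports only accountEnabled on SelfAsserted-HTML, which is exactly the claim the post had to augment. Feeding it the real TrustFrameworkBase, TrustFrameworkExtensions and relying-party files in that order gives the same answer for a live tenant; the check deliberately ignores DataType, since the post saw the same error for both string and dateTime claims.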

All good!
