Hi we’re getting an error today with the auth.pritunl.com/callback/azure endpoint when SOME of our users login via SSO.
We’ve rotated the Azure Secret just in case and still getting this error.
This is the error from the server:
[2025-04-01 21:21:06,409][ERROR] Azure auth check request error
user_id = “60abe6c131a3d007176ece1c”
user_name = “user@domain.com”
status_code = 500
content = “b’'”
Also what was the design decision to use auth.pritunl.com as the redirect URI instead of our own hosted pritunl server address?
I’ve found the place where the error is being emitted, tried calling the url in Postman and was getting a 500 error for the problematic user, and 200 for a user who is able to login.
If the user hasn’t logged into the web console in a long time and single sign-on connection authentication is not used the OAuth token may have expired. They will need to login from the web console to perform a full OAuth authorization.
The authentication servers make the configuration simpler and avoid problems that can occur with multiple hosts that don’t have a load balancer for the web console. It also protects the paid features. If you are worried about third parties handling authentication, device authentication can be used to verify the user’s physical device using the TPM or Secure Enclave without any third party single sign-on. The high security environment documentation has information on all the additional security options.
Hi, even when these effected users go through the web console performing a full OAuth authorization, by clicking the SSO Sign in Via Azure button, they are able to login to Azure but get a similar 500 error at the callback step
Hi, we have the same issue from yesterday. Some users cannot use Pritunl VPN with an AUTH_FAILED error. The logs show “Azure auth check request error” for the problem users. The Azure secret for Pritunl has been checked and is not expired.
In case these users try to log in to the pritunl web-console, they receive 500 with the error “auth.pritunl.com can’t currently handle this request”.
Are there any suggestions for this?
I’ve found the place where the error is being emitted, tried calling the url in Postman and was getting a 500 error for the problematic user, and 200 for a user who is able to login.
Can you share a request example to test it from our side, please?
What Azure Region and Azure API Version are set in the top right settings?
What Azure Region and Azure API Version are set in the top right settings?
I cannot find “Azure Region” field in the settings. “Azure API Version” set in “Microsoft Graph”.
Older versions don’t have the option. You can try updating to a newer version of Pritunl and switching to Global (OAuth v1) or Global (OAuth v1). The version you have is likely using the legacy Azure AD Graph. From what I can find this will be disabled in June 2025.
You can reconstruct the request using the code: https://auth.pritunl.com/update/azure/user=<email>&license=<license_key>&directory_id=<azure_tenant_id>&app_id=<azure_application_id>&app_secret=<azure_application_secret>
for a user that is working you’ll get 200, for a problematic user 500
what is the latest version?
The latest stable release is v1.32.4181.41.
Yes, just making sure we were on the latest, we have that option you talked about, we switched to Global v1, Microsoft Graph was already selected, and now able to complete the flow e2e. We also switched off the sso_bypass now.
