IDX10803: Unable to create to obtain configuration
My configuration has 3 sites: Identity Server (Idp), Windows Authentication host and my end-user client site. On the client site, I request a controller decorated with [Authorize] and Identity Server kicks in.

The Windows host at port 44305 is apparently throwing an exception and the Identity Server is receiving a status 500. I can access the Windows host site URL without any problem; I get back an XML document.

How do I debug and find out what the exception or error is that is stopping this authentication process? I get a 3-part exception with the innermost as the following:

InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://localhost:44305/'.

Microsoft.IdentityModel.Protocols.ConfigurationManager`1.<GetConfigurationAsync>d__3.MoveNext() in ConfigurationManager.cs

The Windows Host OWIN startup is using UseWindowsAuthenticationService.

The Identity Server OWIN startup is using AuthenticationOptions = WsFederationAuthenticationOptions:

// Inside the identity-provider configuration callback (IAppBuilder app, string signInAsType)
var wsFederationOptions = new WsFederationAuthenticationOptions
{
    AuthenticationType = "windows",
    Caption = "Windows",
    SignInAsAuthenticationType = signInAsType,
    MetadataAddress = "https://localhost:44305/",
    Wtrealm = "urn:idsrv3"
};
app.UseWsFederationAuthentication(wsFederationOptions);

Here are the requests and responses:

Request URL:https://localhost:44315/
Request Method:GET
Status Code:302 Found
Response:Location:https://localhost:16433/connect/authorize?client_id=hms2015&redirect_uri=...

Request: https://localhost:16433/connect/authorize?client_id=hms2015&redirect_uri=...
Request Method:GET
Status Code:302 Found
Location:https://localhost:16433/login?signin=fde7508a6634698847c3076c9028604b

Request URL:https://localhost:16433/login?signin=fde7508a6634698847c3076c9028604b
Request Method:GET
Status Code:500 Internal Server Error

I have no visible SSL issues. With my browser, I can open all the pages from the different sites without any warning. I added my localhost IIS Express cert to the Trusted Root Cert store.

Hustler answered 30/3, 2016 at 4:52 Comment(0)

Another developer on the team helped find the issue. The Windows Authentication host running at port 44305 had anonymous disabled. When this was enabled, the redirected process began to work again.

Regrettably, we didn't actually detect the error, but, through trial & error (hacking) it was fixed. My main question was how do I debug an OWIN app so I could actually see the HTTP 500's details. I wish the IdentityServer3 logs could have recorded the response from the Win Auth host. Also why isn't that a 401 response code?

Hustler answered 31/3, 2016 at 20:3 Comment(1)
In our case the IIS Application Pool User didn't have the necessary permissions. - Pinwork

I had the same problem - it seems that the SSL cert was untrusted. To resolve this I moved the "localhost" IIS Express Cert from the Personal CertStore to the Trusted Root Certification Authorities and the issue was gone.


Gissing answered 6/12, 2016 at 13:38 Comment(2)
I know this is an old post but 'moving' the cert to the Trusted Root didn't work. It looked like IIS refused to acknowledge the cert. I had to 'copy' it so that it was in both the Personal Certificates and the Trusted Root and then it worked. - Worsham
Adding to Robert Muehsig's answer and LukeP's comment: I had to export a localhost development certificate from my Personal certificate store and import it into the trusted root certificates of the Machine certificate store for this to work. - Comate

I had this problem, and needed to trust the certificate as per Robert Muehsig's answer.

But this on its own wasn't enough. I'm using Bearer Token Authentication. A bit of further digging revealed that I needed to set the DelayLoadMetadata flag to true.

So in my Web API startup:

app.UseIdentityServerBearerTokenAuthentication(
    new IdentityServerBearerTokenAuthenticationOptions
    {
        // Defer the metadata download until the first request instead of doing it at startup
        DelayLoadMetadata = true
    });

After this and the certificate trust change it started working. I know this isn't the same config as the original problem, but during my searching I kept coming across this post so thought I'd put this here for anyone else who stumbles across it...

Babu answered 20/2, 2017 at 10:21 Comment(2)
Thanks for posting this answer. Worked like a charm. - Haemophilic
Crazy stuff - a year later I discovered my own answer with this nice comment again and this helped me a lot! - Gissing

From my memory, this error is thrown mostly due to a certificate trust / network access issue. Since you are running all the components on localhost, it is definitely not a network issue. I assume you are running from the VS Dev environment.

Couple of things:

  • Try hosting the components in the IIS server
  • Instead of using localhost, create a self-signed certificate for your host and try assigning your hostname as the subject name (Please note - idsrv3test certificate for signing and self-signed certificate for host SSL)

Also, assign permissions to read the certificate as described here: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Certificates

If you still face this issue, try monitoring the traffic via Wireshark (Fiddler won't work in this case).

Bonita answered 30/3, 2016 at 23:21 Comment(2)
Karthik, I'd love to learn more about monitoring the traffic. I would really appreciate it if you would share web pages you found helpful to learn about monitoring. Please share. - Hustler
@MADCookie - I am assuming you are after Wireshark traffic monitoring. This link gives a very brief intro to Wireshark troyhunt.com/2013/04/… (under section - Packet capturing) - Bonita

For testing purposes, I added the below block as the first piece of middleware in my pipeline. This will actually log the exception whenever one occurs. This led me to see that my 500 actually was a 401.

appBuilder.Use(async (context, next) =>
{
    try
    {
        await next();
    }
    catch (Exception ex)
    {
        // Log the full exception (inner exceptions included) so the real failure, e.g. a 401 from the metadata endpoint, is visible
        Log.Error(ex, "OWIN error.");
        throw; // re-throw so the pipeline still returns the error instead of a silent 200
    }
});
Oshea answered 8/8, 2016 at 19:17 Comment(0)
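Complementing the logging middleware above and the question's "how do I find out what the error is", an added diagnostic that is not code from any post in this thread: it performs the same GET that ConfigurationManager issues against MetadataAddress, keeps default certificate validation, and maps the outcome to the causes discussed on this page (401 when anonymous access is disabled, an untrusted certificate, a host that is down or mis-bound). The class name MetadataProbe is hypothetical; the URL is the one from the question.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

// Added diagnostic (hypothetical helper, not from the thread): fetch the WS-Federation
// metadata the way ConfigurationManager does and explain why the fetch failed.
public static class MetadataProbe
{
    public static async Task<string> ProbeAsync(string metadataAddress)
    {
        // Default handler keeps machine certificate trust; no validation bypass.
        using (var client = new HttpClient())
        {
            try
            {
                using (var response = await client.GetAsync(metadataAddress))
                {
                    // Anonymous access disabled on the Windows-auth host surfaces here as 401,
                    // which ConfigurationManager wraps into the generic IDX10803.
                    if (response.StatusCode == HttpStatusCode.Unauthorized)
                        return "401 from metadata endpoint: anonymous access is disabled for the metadata path.";
                    if (!response.IsSuccessStatusCode)
                        return "HTTP " + (int)response.StatusCode + " from metadata endpoint.";
                    var body = await response.Content.ReadAsStringAsync();
                    // WS-Federation metadata has an EntityDescriptor root element.
                    return body.Contains("EntityDescriptor")
                        ? "OK: federation metadata returned (" + body.Length + " bytes)."
                        : "200 but the body is not federation metadata; check the MetadataAddress path.";
                }
            }
            catch (HttpRequestException ex)
            {
                // Walk the inner-exception chain, as one would read the 3-part exception from the question.
                for (Exception inner = ex; inner != null; inner = inner.InnerException)
                {
                    if (inner is AuthenticationException)
                        return "TLS trust failure: the server certificate is not trusted by this machine. " + inner.Message;
                    if (inner is SocketException)
                        return "Connection failed: host stopped, or hosts-file / IIS binding mismatch. " + inner.Message;
                }
                return "Request failed: " + ex.GetBaseException().Message;
            }
        }
    }
}
```

Call MetadataProbe.ProbeAsync("https://localhost:44305/") from a console app or test running under the same account as the IdentityServer application pool, so that certificate trust and permissions match what the middleware sees.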

It could be because of proxy authentication as well. Check the Fiddler traffic for login.microsoftonline.com:XXX calls and see if it is returning a 407 error code.

If you see a 407 error code, you need to enable proxy authentication in web.config.

Amytal answered 30/1, 2017 at 3:32 Comment(0)

My team faced the following issue:

[Error] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Exception occurred while processing message. System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'https://[your identity server domain]/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'https://[your identity server domain].well-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken) --- End of inner exception stack trace ---

We spent a lot of time finding out the reason. Finally, it was just a very simple mistake: in the UAT environment, the hosts file setup in "C:\Windows\System32\drivers\etc" was incorrect. The domains defined in the hosts file didn't match the domain bindings in IIS.

Laurenelaurens answered 29/10, 2018 at 16:27 Comment(0)

In my case, I was dumb and had the IdentityServer host stopped. Once I started it, the other services could again get the metadata they were looking for.

Posterity answered 10/4, 2020 at 4:2 Comment(0)