
Error when performing the authentication process by Azure Active Directory in test environment

I'm implementing authentication by AD for a web project. When I run locally the authentication runs successfully, but when it is taken to the test environment it generates the following error:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'. ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.<GetDocumentAsync>d__8.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.<GetDocumentAsync>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Protocols.OpenIdConn

Settings made in the portal

Startup.Auth settings

public partial class Startup
{

    // For more information on configuring authentication, visit https://go.microsoft.com/fwlink/?LinkId=301864

    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
    private static string postLoginRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];


    public static readonly string Authority = aadInstance + tenantId;



    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        //https://www.jamessturtevant.com/posts/ASPNET-Identity-Custom-Database-and-OWIN/

        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = Authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                RedirectUri = postLoginRedirectUri
            });


        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
        });
    }
}

Controller SignIn and SignOut

        public void SignIn()
        {
            // Send a sign-in request to OpenID Connect.
            if (!Request.IsAuthenticated)
            {
                HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
            }
        }

        public void SignOut()
        {
            if (true)
            {
                // Send an OpenID Connect sign-out request.
                HttpContext.GetOwinContext().Authentication.SignOut(
                    OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
            }
        }
  • Please check whether a proper internet connection is the issue while running on Azure.

  • The error means the application is not able to download the OpenID configuration document, which has almost all the information that is required for the app in order to sign in, such as the URLs and the location of the service's public signing keys.

  • Please make sure these two lines are in order, otherwise it will error:

     .UseAuthentication().UseAuthorization()
  • Also, this error could be caused by using the wrong tenantId or authority URL in the web.config file and "Instance": "https://login.microsoftonline.com/". To find out the error clearly, set IdentityModelEventSource.ShowPII = true in your Startup.cs.

     if (env.IsDevelopment())
     {
         IdentityModelEventSource.ShowPII = true;
     }
  • And please make sure to use the latest version (or 4.7.2) of your .NET Framework, as some of the tasks may require an updated / latest version of .NET Framework to work properly.

  • Check and use the protocol TLS 1.2 for the application, as TLS 1.1 and TLS 1.0 are deprecated.

  • In some cases packages may still default to TLS 1.1 when loading that metadata, even after changing that, and it may take time to reflect the correct one.

  • To resolve, try adding the following in Global.asax.cs, which will allow the openid-configuration to be obtained as it is pointed to TLS 1.2 or above, and also change the TLS to 1.2 in the portal.

     protected void Application_Start()
     {
         ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3; // allow TLSV1.2 and SSL3 only
         // or
         // System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

         // other code
     }
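
Added example (not part of the original question or answer): a console check to run from the test server that requests the same discovery document the OpenID Connect middleware needs, over TLS 1.2 only, and reports whether the failure is a timeout, a connection error, or a wrong authority. The class name, the 15-second timeout and the command-line arguments are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

static class OidcMetadataProbe
{
    // Discovery URL the OWIN middleware derives from Authority (aadInstance + tenantId).
    static string MetadataUrl(string aadInstance, string tenantId)
    {
        if (string.IsNullOrWhiteSpace(aadInstance) || string.IsNullOrWhiteSpace(tenantId))
            throw new ArgumentException("ida:AADInstance or ida:TenantId is empty");
        return aadInstance.TrimEnd('/') + "/" + tenantId.Trim('/') + "/.well-known/openid-configuration";
    }

    static async Task<string> ProbeAsync(string url, TimeSpan timeout)
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // TLS 1.2 only
        using (var http = new HttpClient { Timeout = timeout })
        {
            try
            {
                var resp = await http.GetAsync(url);
                if (!resp.IsSuccessStatusCode)
                    return "HTTP " + (int)resp.StatusCode + ": check tenant id and authority URL";
                var body = await resp.Content.ReadAsStringAsync();
                return body.Contains("\"jwks_uri\"")
                    ? "OK: discovery document retrieved"
                    : "Unexpected body: a proxy or filter page may be answering";
            }
            catch (TaskCanceledException)
            {
                // Same inner exception as in the question's IDX20804 trace: a timeout.
                return "Timeout: check outbound HTTPS from this host (firewall, proxy)";
            }
            catch (HttpRequestException ex)
            {
                return "Connection failed: " + ex.GetBaseException().Message;
            }
        }
    }

    static void Main(string[] args)
    {
        if (args.Length < 2) { Console.WriteLine("usage: probe <ida:AADInstance> <ida:TenantId>"); return; }
        var url = MetadataUrl(args[0], args[1]);
        Console.WriteLine(url + "\n" + ProbeAsync(url, TimeSpan.FromSeconds(15)).GetAwaiter().GetResult());
    }
}
```

Running it under the same account and on the same host as the web application matters, because proxy and firewall rules often differ per machine and per identity.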
