
Asp.Net core bug? Blazor/Http.Sys with Windows Authentication shows "The connection was reset"?

Update: Just tried the official example https://github.com/aspnet/AspNetCore.Docs/tree/master/aspnetcore/fundamentals/servers/httpsys/samples/3.x/SampleApp and it doesn't work.

Browser message:

This site can’t provide a secure connection
localhost sent an invalid response.

Output:

    info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[0]
          User profile is available. Using 'C:\Users\xxx\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.
    warn: Microsoft.AspNetCore.Server.HttpSys.MessagePump[0]
          Overriding address(es) 'https://localhost:5001, http://localhost:5000'. Binding to endpoints added to UrlPrefixes instead.
    info: Microsoft.AspNetCore.Server.HttpSys.HttpSysListener[0]
          Start
    info: Microsoft.AspNetCore.Server.HttpSys.HttpSysListener[0]
          Listening on prefix: http://localhost:5005/
    info: Microsoft.Hosting.Lifetime[0]
          Now listening on: http://localhost:5005/
    info: Microsoft.Hosting.Lifetime[0]
          Application started. Press Ctrl+C to shut down.
    info: Microsoft.Hosting.Lifetime[0]
          Hosting environment: Development
    info: Microsoft.Hosting.Lifetime[0]
          Content root path: C:\Users\xxx\Downloads\AspNetCore.Docs-master\AspNetCore.Docs-master\aspnetcore\fundamentals\servers\httpsys\samples\3.x\SampleApp

I created a new Blazor application with Windows Authentication. (Visual Studio 2019 V16.4.0, .Net Core 3.1).

Now Windows Authentication works (the top right corner of the web page shows "Hello Domain\Username!") when running with IIS Express in Visual Studio. But Windows Authentication is not working when running as a Kestrel application.

I followed the steps in the following link to make Windows Authentication work with Http.Sys. (BTW, I tried Kestrel/Negotiate but no luck.)

https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-3.1

Basically, it just adds a call to webBuilder.UseHttpSys() in CreateHostBuilder() in Program.cs.

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseHttpSys(options =>
                {
                    options.AllowSynchronousIO = true;
                    options.Authentication.Schemes = AuthenticationSchemes.None;
                    options.Authentication.AllowAnonymous = true;
                    options.MaxConnections = null;
                    options.MaxRequestBodySize = 30000000;
                    // options.UrlPrefixes.Add("http://*:5005");
                });
                webBuilder.UseStartup<Startup>();
            });

However, running the application gives an error page with the message:

This site can’t be reached
The connection was reset.

or

This site can’t provide a secure connection
localhost sent an invalid response.

Edge's error messages are:

There was a temporary DNS error. Try refreshing the page.
Error Code: INET_E_RESOURCE_NOT_FOUND

IE error message:

Can't connect securely to this page

This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner.

The solution is to relocate your certs, and do a bunch of manual configuration that doesn't seem like it should be necessary. I was following the Configure Windows Server section of the http.sys example fairly closely, but ran into issues with the netsh http sslcert commands. The problem is with where dotnet dev-certs https --trust installs the certificate! In What is the default location for certificates created using "dotnet dev-certs https", it's pointed out that that tool installs certificates in the current user's certificate store, not the local computer store. I had to add both certificate stores to mmc and copy the localhost cert over into Certificates (Local Computer)\Personal\Certificates, at which point the sslcert command completed, and when I ran the test application, it was successfully able to connect with TLS.
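
The relocation described in the answer above can be scripted; this is an added example, not part of the original answer, and it exports the development certificate with dotnet dev-certs and imports it into the local computer store instead of copying it through mmc. The port (5001) and the generated appid GUID are assumptions; use the HTTPS port your UrlPrefixes entry actually names.

```powershell
# Added example. Run from an elevated PowerShell prompt under the same account
# that ran "dotnet dev-certs https --trust", so CurrentUser is the right store.
$port  = 5001                          # ASSUMPTION: HTTPS port used in UrlPrefixes
$appId = [guid]::NewGuid().ToString()  # ASSUMPTION: any GUID that identifies the app

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Writing to Cert:\LocalMachine\My and netsh http add sslcert need elevation.'
}

# Export the dev certificate (with private key) to a throwaway, password-protected PFX.
$pfx   = Join-Path $env:TEMP ("aspnet-dev-cert-{0}.pfx" -f [guid]::NewGuid().ToString('N'))
$plain = [guid]::NewGuid().ToString('N')   # one-time password, never stored
dotnet dev-certs https --export-path $pfx --password $plain
if ($LASTEXITCODE -ne 0) { throw 'dotnet dev-certs export failed.' }

try {
    # Import into Certificates (Local Computer)\Personal, where HTTP.sys looks it up.
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    $cert = Import-PfxCertificate -FilePath $pfx `
                -CertStoreLocation Cert:\LocalMachine\My -Password $secure
}
finally {
    # The PFX holds the private key; do not leave it on disk.
    Remove-Item $pfx -Force -ErrorAction SilentlyContinue
}

# Bind the certificate to the port, identifying it by the imported thumbprint.
netsh http add sslcert "ipport=0.0.0.0:$port" "certhash=$($cert.Thumbprint)" "appid={$appId}"
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed; an older binding may already exist on port $port."
}

# Confirm what HTTP.sys will present on that port.
netsh http show sslcert "ipport=0.0.0.0:$port"
```

The private key of the localhost certificate now sits in the machine store, readable by local administrators and SYSTEM, which is acceptable for a development certificate but not a pattern to reuse for production keys.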
