5

For the past 5 years I've been using the Azure IoT remote monitoring solution with Azure AD authentication for securing the application and APIs. Since last Saturday I've been getting the error below while signing in (yellow screen):

IDX10803: Unable to create to obtain configuration from: 'https://login.microsoftonline.com/{Tenant-ID}/.well-known/openid-configuration'.

This is my authentication-related startup code:

using System.Configuration;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
// TokenValidationParameters lives in System.IdentityModel.Tokens for OWIN 3.x
// and in Microsoft.IdentityModel.Tokens for OWIN 4.x; use the one that matches
// the installed packages.
using System.IdentityModel.Tokens;

public void ConfigureAuth(IAppBuilder app, IConfigurationProvider configProvider)
{
    string aadClientId = configProvider.GetConfigurationSettingValue("ida.AADClientId");
    string aadInstance = configProvider.GetConfigurationSettingValue("ida.AADInstance");
    string aadTenant = configProvider.GetConfigurationSettingValue("ida.AADTenant");
    // aadInstance is a format string such as "https://login.microsoftonline.com/{0}";
    // the middleware appends /.well-known/openid-configuration to this authority.
    string authority = string.Format(CultureInfo.InvariantCulture, aadInstance, aadTenant);

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    // Bearer tokens for the APIs: also fetched over HTTPS from the tenant's metadata endpoint.
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new TokenValidationParameters
            {
                SaveSigninToken = true,
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            }
        });

    // Interactive sign-in for the web UI.
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = aadClientId,
            Authority = authority,
            TokenValidationParameters = new TokenValidationParameters()
            {
                // Disables issuer validation, so an id_token from any tenant is accepted;
                // only appropriate for a deliberately multi-tenant app.
                ValidateIssuer = false
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = (context) =>
                {
                    string appBaseUrl = context.Request.Uri.Scheme + "://" + context.Request.Uri.Authority + "/";
                    context.ProtocolMessage.RedirectUri = appBaseUrl;
                    context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
                    return Task.FromResult(0);
                },
                // Swallows the failure and sends the browser back to the site root;
                // the IDX10803 metadata error surfaces here as the yellow screen.
                AuthenticationFailed = context =>
                {
                    string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;

                    context.ProtocolMessage.RedirectUri = appBaseUrl + "/";
                    context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
                    context.HandleResponse();
                    context.Response.Redirect(context.ProtocolMessage.RedirectUri);

                    return Task.FromResult(0);
                }
            }
        });
}

I'm using Azure App Service to host my web application; it is built on .NET Framework 4.6. I changed my web app's minimum TLS version from 1.0 to 1.2.

I can see a lot of questions related to this but couldn't find a proper answer, which is why I'm posting this. If more information is required I can provide it. Thanks

Edit: My web application does not have an SSL certificate; for certain reasons we can't use one.

Alex

1 Answer

19

Resolved my issue. I've found two approaches.

In my case, the OWIN packages were defaulting to TLS 1.1 when loading that metadata. Apparently they're rolling out the full deprecation of those SSL certificates right now, hence the breakage over the weekend. Both approaches force any calls that occur within the OpenID Connect process to use TLS 1.2 or above and will allow the openid-configuration to be obtained.

Option 1

You can add the following in Global.asax.cs:

using System.Net;
.
.
protected void Application_Start()
{
    // Process-wide setting: every outbound HTTPS call from this app,
    // including the OWIN metadata fetch, now negotiates TLS 1.2 only.
    // Do not OR in SecurityProtocolType.Ssl3 here; that re-enables SSL 3.0
    // and defeats the "TLS 1.2 or above" intent.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    //The rest of your startup code goes here
}

Option 2

There's another method using web.config that doesn't involve code changes. If .NET 4.7.2 is available (which it is on Azure), you can add the following:

<system.web>
  <httpRuntime targetFramework="4.7.2" />
</system.web>

This may not work if using the 4.7.2 runtime causes breaking changes to your app. It doesn't require updating the compilation version, and in the scenarios I tested it caused no issues.

Brent Waggoner

  • Thank you so much. I went for Option 2 and it worked. I changed an existing line to be like this: . You have made my day. – Gail Foad Aug 08 '22 at 11:07
  • Thank you very much! Option 1 also worked, for a .NET 4.5.2 project. – KungFury Sep 12 '22 at 13:44
  • @KungFury Bear in mind that Microsoft specifically advises _against_ using Option 1. Using .NET 4.7+, either by recompiling your app, or using `` if it's a web app, is the preferable approach. More information here: https://stackoverflow.com/a/58195987/1945651 – JLRishe Sep 23 '22 at 13:49
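Added example, not code from the question or the answer, showing two things a practitioner would want here: a small audit of the process-wide ServicePointManager.SecurityProtocol mask that flags any SSL 3.0 / TLS 1.0 / TLS 1.1 bits left in it, and a scoped alternative to Option 1 that pins TLS 1.2 only on the HttpClient used to fetch the openid-configuration document, leaving the rest of the process on the OS default. It assumes OWIN 4.x with Microsoft.IdentityModel.Protocols 5.x and a project compiled against .NET Framework 4.7.1 or later (HttpClientHandler.SslProtocols first appears there); MetadataTlsPolicy, ConfigureOpenIdConnect and the redirectUri parameter are names chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Authentication;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Added example (not from the question or the answer). Assumes OWIN 4.x,
// Microsoft.IdentityModel.Protocols 5.x, and compilation against .NET
// Framework 4.7.1+ (needed for HttpClientHandler.SslProtocols).
public static class MetadataTlsPolicy
{
    // Protocol flags that must never be enabled process-wide.
    static readonly SecurityProtocolType[] Weak =
    {
        SecurityProtocolType.Ssl3,
        SecurityProtocolType.Tls,
        SecurityProtocolType.Tls11,
    };

    // Returns the weak members of a SecurityProtocol mask, e.g.
    // WeakProtocols(SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3) -> ["Ssl3"].
    public static IReadOnlyList<string> WeakProtocols(SecurityProtocolType mask)
    {
        return Weak.Where(p => (mask & p) == p).Select(p => p.ToString()).ToList();
    }

    // Process-wide fallback for apps that cannot retarget to 4.7+: pin to
    // TLS 1.2 only. On 4.7+ the default is SystemDefault, which is left
    // alone so the OS chooses (and can add TLS 1.3 later).
    public static void EnsureTls12OrBetter()
    {
        SecurityProtocolType current = ServicePointManager.SecurityProtocol;
        if (current == SecurityProtocolType.SystemDefault) return;
        if (WeakProtocols(current).Count > 0 || (current & SecurityProtocolType.Tls12) == 0)
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    }

    // Scoped alternative: pin TLS 1.2 only on the HttpClient that fetches the
    // OpenID Connect metadata, leaving every other outbound call untouched.
    public static ConfigurationManager<OpenIdConnectConfiguration> CreateMetadataManager(string authority)
    {
        var handler = new HttpClientHandler { SslProtocols = SslProtocols.Tls12 };
        var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(15) };
        // RequireHttps keeps the metadata fetch from ever downgrading to plain HTTP.
        var retriever = new HttpDocumentRetriever(client) { RequireHttps = true };
        string metadataAddress = authority.TrimEnd('/') + "/.well-known/openid-configuration";
        return new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataAddress, new OpenIdConnectConfigurationRetriever(), retriever);
    }
}

public partial class Startup
{
    // Wires the scoped manager into the OWIN middleware. Unlike the question's
    // code, issuer validation stays on; the middleware fills ValidIssuer from
    // the metadata document it just fetched over the pinned client.
    public static void ConfigureOpenIdConnect(IAppBuilder app, string clientId, string authority, string redirectUri)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            ConfigurationManager = MetadataTlsPolicy.CreateMetadataManager(authority),
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidAudience = clientId,
            },
        });
    }
}
```

WeakProtocols(SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3) returns ["Ssl3"], which is the kind of mask to avoid when pinning in Application_Start. EnsureTls12OrBetter leaves SystemDefault alone on 4.7+, in line with the advice in the last comment; the scoped manager is the better fix when a global change is unwanted, and it keeps the issuer check that the question's code turned off.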