UseWsFederationAuthentication - AuthenticationException: The remote certificate is invalid according to the validation procedure

5
votes

I am getting an error every time I try to run my MVC project on my development box through VS2015 and IIS Express. It uses this code to authenticate against our ADFS server.

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    Wtrealm = realm,
                    MetadataAddress = adfsMetadata
                });

This is the error I am getting in the browser.

[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +231
System.Net.PooledStream.EndWrite(IAsyncResult asyncResult) +15
System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +119

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +606 System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) +64

[HttpRequestException: An error occurred while sending the request.]
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +28 Microsoft.IdentityModel.Protocols.d__0.MoveNext() +453

[IOException: Unable to get document from: https://adfs.DOMAIN.com/FederationMetadata/2007-06/FederationMetadata.xml] Microsoft.IdentityModel.Protocols.d__0.MoveNext() +830 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter1.GetResult() +28 Microsoft.IdentityModel.Protocols.<GetAsync>d__1.MoveNext() +606 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter1.GetResult() +28 Microsoft.IdentityModel.Protocols.d__3.MoveNext() +1332

[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://adfs.DOMAIN.com/FederationMetadata/2007-06/FederationMetadata.xml'.] Microsoft.IdentityModel.Protocols.d__3.MoveNext() +2226 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +28 Microsoft.Owin.Security.WsFederation.d__c.MoveNext() +772 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26 Microsoft.Owin.Security.Infrastructure.d__b.MoveNext() +447 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26 Microsoft.Owin.Security.Infrastructure.d__8.MoveNext() +440 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26 Microsoft.Owin.Security.Infrastructure.d__5.MoveNext() +266 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26 Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +1174 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26 Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__5.MoveNext() +287 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26 Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +937 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26 Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__5.MoveNext() +287 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26 Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__2.MoveNext() +272 System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +26 Microsoft.Owin.Host.SystemWeb.Infrastructure.ErrorState.Rethrow() +33 Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar) +150
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +42
System.Web.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar) +9791593

It was working and now it doesn't any more. Kind of like my kids doing dishes. :)

Any thoughts on why this is not working, why the remote certificate is invalid according to the validation procedure (Where is that procedure?), and how I can get this back up and running?

Thanks so much!

2
asp.net-mvcssl-certificateowinws-federationadfs3.0

2 Answers

2
votes

According to stack trace, the first step of the authentication process is that your application needs to download ADFS' metadata via https and that the SSL certificate doesn't pass the validation procedure.

You can refer to other questions in SO for what the validation procedure is: The remote certificate is invalid according to the validation procedure

There are probably two ways to fix it:

  1. The hack, must-not-use-for-production is to disable the check: "The remote certificate is invalid according to the validation procedure." using Gmail SMTP server
  2. If the SSL certificate is not self-signed and is still valid (e.g. is issued by a trusted CA, is not expired and is not revoked yet), you may need to check your client machine if it trusts the CA. This case is rarer.
3
votes

Again, thank you Thuan for your answer.

From the answer I was able to think through what really was happening (which is always critical in order to figure things out). The key was realizing that the issue stemmed from the remote certificate failing the validation check and nothing else. So I found that in the UseWsFederationAuthentication call there is a BackchannelCertificateValidator option that could be used to validate if the certificate was valid or not. I then found this post that helped me come up with the code to validate the certificate.

The post found their code from the Microsoft site (https://msdn.microsoft.com/en-us/library/office/dd633677(v=exchg.80).aspx). In the article it says this about the code.

The certificate validation callback method in this example provides sufficient security for development and testing of EWS Managed API applications. However, it may not provide sufficient security for your deployed application. You should always make sure that the certificate validation callback method that you use meets the security requirements of your organization.

So I will have to figure something out so that it only runs in debug mode.

The code:

public void ConfigureAuth(IAppBuilder app)
        {

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {

                    BackchannelCertificateValidator = new CertificateValidator(),

                    Wtrealm = realm,
                    MetadataAddress = adfsMetadata
                });
        }

The class:

public class CertificateValidator : ICertificateValidator
    {
        public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            // If the certificate is a valid, signed certificate, return true.
            if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
            {
                return true;
            }

            // If there are errors in the certificate chain, look at each error to determine the cause.
            if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            {
                if (chain != null && chain.ChainStatus != null)
                {
                    foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
                    {
                        if ((certificate.Subject == certificate.Issuer) &&
                           (status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
                        {
                            // Self-signed certificates with an untrusted root are valid. 
                            continue;
                        }
                        else
                        {
                            if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
                            {
                                // If there are any other errors in the certificate chain, the certificate is invalid,
                                // so the method returns false.
                                return false;
                            }
                        }
                    }
                }

                // When processing reaches this line, the only errors in the certificate chain are 
                // untrusted root errors for self-signed certificates. These certificates are valid
                // for default Exchange server installations, so return true.
                return true;
            }
            else
            {
                // In all other cases, return false.
                return false;
            }
        }
    }