0
votes

I'm creating an ASP.NET Core 1.1 MVC web site, with OpenID authentication to Azure AD. Authentication works fine locally on my dev machine. However, when I deploy it to the server, it throws an error after logging into the microsoft login redirect. I've been researching online for about 2 days, and have found similar issues, but nothing exactly like this. My local dev box is windows 10, visual studio 2017. The server I am deploying to is Server 2008R2, with the .net core server hosting runtime installed.

Here are the errors:

ERROR 2017-07-27 10:38:05,667 [4 ] on.OpenIdConnect.OpenIdConnectMiddleware - Exception occurred while processing message.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed.

ERROR 2017-07-27 10:38:05,680 [4 ] e.Diagnostics.ExceptionHandlerMiddleware - An unhandled exception has occurred: Invalid non-ASCII or control character in header: 0x000D
System.InvalidOperationException: Invalid non-ASCII or control character in header: 0x000D
   at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.FrameHeaders.ThrowInvalidHeaderCharacter(Char ch)
   at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.FrameHeaders.ValidateHeaderCharacters(String headerCharacters)
   at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.FrameHeaders.ValidateHeaderCharacters(StringValues headerValues)
   at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.FrameResponseHeaders.SetValueFast(String key, StringValues value)
   at Microsoft.AspNetCore.Server.Kestrel.Internal.Http.FrameHeaders.Microsoft.AspNetCore.Http.IHeaderDictionary.set_Item(String key, StringValues value)
   at Microsoft.AspNetCore.Http.Internal.DefaultHttpResponse.Redirect(String location, Boolean permanent)
   at FastInfo.Web.Startup.Startup.OnAuthenticationFailed(FailureContext context) in C:\SourceCode\Fast\FastInfo\src\FastInfo.Web\Startup\Startup.cs:line 168
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler1.<HandleRemoteCallbackAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler1.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware1.d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware1.<Invoke>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware1.d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Session.SessionMiddleware.d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Session.SessionMiddleware.d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.d__6.MoveNext()


Am I possibly missing some module or extension for OpenID tokens to work on IIS 7.5?

token header:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "VWVIc1WD1Tksbb301sasM5kOq5Q",
  "kid": "VWVIc1WD1Tksbb301sasM5kOq5Q"
}

payload (edited):

{
  "aud": "b0337ae2-2097-4dd3-be43-983fee4217bd",
  "iss": "https://sts.windows.net/{i removed guid}/",
  "iat": 1501263956,
  "nbf": 1501263956,
  "exp": 1501267856,
  "aio": "Y2ZgYDD9/5YpiT9XXmCDXMn/EzzPGa3nMbxfudOgpnfDsZk7/QMA",
  "amr": [
    "pwd"
  ],
  "c_hash": "02fpZ5B7FecFoRVdeJi6Qw",
  "family_name": "mylastname",
  "given_name": "Joe",
  "ipaddr": "##.###.###.##",
  "name": "Joe mylastname",
  "nonce": "636368610551942171.ZTU5ZGZmZmQtZDgzNS00MTEyLWExZjAtNWI3MTA2NGJlN2RkYzY0OTdkZjctZTZkMy00OTk2LWIxNjgtZTlhMDkxNmY0MzFh",
  "oid": "26945208-7b3f-45ed-9b40-f33b9d767071",
  "platf": "3",
  "roles": [
    "Admin"
  ],
  "sub": "y-sRfJAMdidDOedJeyr7kLhH8BCfkV_YCdyT1p2mOmk",
  "tid": "{i removed guid}",
  "unique_name": "[email protected]",
  "upn": "[email protected]",
  "ver": "1.0"
}

Thanks for any help, Joe

3
After more digging it looks like the Invalid non-ASCII error is not the cause of my auth issue. The ASCII error is thrown AFTER the token problem, when trying to direct to my error page. Long story short, I'm thinking the real, main issue is this: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: VWVIc1WD1Tksbb301sasM5kOq5Q '. Unfortunately there doesn't seem to be any indication of why this is failing. - Joe Washek
Would you mind showing the claims in the token (both header and payload)? You can decode the token from this site. - Fei Xue - MSFT
On the JWT debug site you mentioned, what value do I put in the VERIFY SIGNATURE section. - Joe Washek
Based on the code, the token should be able to be verified. I only see this issue when there is a nonce claim in the header. To verify the signature from that site, you can compose the value with -----BEGIN CERTIFICATE-----{x5c}-----END CERTIFICATE-----. About the value of x5c, you can refer to the value from https://login.microsoftonline.com/common/discovery/keys by matching kid. Is the issue fixed? - Fei Xue - MSFT
I was able to get it to verify now on the JWT site. So it seems only the server I am deploying to is having the issue. It's Server 2008 R2, IIS 7.5. Does it have anything to do with the https cert that I have on the server? - Joe Washek
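The manual check described in the comments (match the token header's kid against an entry in the discovery keys document, wrap that entry's x5c in BEGIN/END CERTIFICATE markers, verify the RS256 signature) is what the middleware does internally before it can report IDX10503. The following is an added example, not code from the question, the answers or Microsoft's libraries: a Go program that performs exactly that check offline. It does not contact login.microsoftonline.com; instead makeFixture plays the issuer with a throwaway RSA key and self-signed certificate, and every kid, aud, iss and claim value in it is constructed. verifyRS256 is the part that corresponds to the real validation; pointing it at a keys document fetched from the discovery endpoint and a real ID token is the only change needed to reproduce the comment's jwt.io experiment in code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk keeps the two fields of a discovery-keys entry the check needs: kid and x5c.
type jwk struct {
	Kid string   `json:"kid"`
	X5c []string `json:"x5c"`
}
type jwks struct{ Keys []jwk `json:"keys"` }

// certPEMFromX5c wraps a raw x5c entry in the markers jwt.io expects.
func certPEMFromX5c(x5c string) string {
	return "-----BEGIN CERTIFICATE-----\n" + x5c + "\n-----END CERTIFICATE-----\n"
}

// verifyRS256 is the check behind IDX10503: read kid from the header, find that kid in
// the keys document, take the RSA public key out of its x5c certificate and verify the
// signature over "<header>.<payload>". The payload is returned only on success.
func verifyRS256(token string, keys jwks) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not in compact JWS form")
	}
	var hdr struct{ Alg, Kid string }
	if hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, fmt.Errorf("malformed token header")
	}
	if hdr.Alg != "RS256" { // never let the token pick a weaker algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid != hdr.Kid || len(k.X5c) == 0 {
			continue
		}
		block, _ := pem.Decode([]byte(certPEMFromX5c(k.X5c[0])))
		if block == nil {
			return nil, fmt.Errorf("x5c for kid %q is not a certificate", k.Kid)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		pub, _ = cert.PublicKey.(*rsa.PublicKey)
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in the discovery document", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature validation failed for kid %q", hdr.Kid)
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// makeFixture stands in for the issuer: a throwaway key and self-signed certificate
// published as a one-entry keys document, plus a token signed with that key.
// All values are constructed; the kid is a placeholder, not a real Azure AD kid.
func makeFixture() (string, jwks, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", jwks{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-signing-cert"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", jwks{}, err
	}
	const kid = "CONSTRUCTED-KID-0001"
	keys := jwks{Keys: []jwk{{Kid: kid, X5c: []string{base64.StdEncoding.EncodeToString(der)}}}}
	enc := base64.RawURLEncoding.EncodeToString
	hdr := enc([]byte(`{"typ":"JWT","alg":"RS256","kid":"` + kid + `"}`))
	payload := enc([]byte(`{"aud":"constructed-app-id","iss":"https://sts.windows.net/constructed-tenant/","roles":["Admin"]}`))
	digest := sha256.Sum256([]byte(hdr + "." + payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", jwks{}, err
	}
	return hdr + "." + payload + "." + enc(sig), keys, nil
}

func main() {
	token, keys, _ := makeFixture() // constructed issuer; error ignored in the demo only
	payload, err := verifyRS256(token, keys)
	fmt.Printf("payload=%s err=%v\n", payload, err)
}
```

Two things this makes visible that the IDX10503 message hides: the failure is reported against a kid that was found (the "Keys tried" list in the comment above), so a kid mismatch and a bad signature are different failures, and the check only ever needs the public certificate from the keys document, which is why verifying on jwt.io succeeds even when the deployed server fails.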

3 Answers

0
votes

Since AADB2C will redirect to an HTTPS page, the headers are not well managed and you get this error. Enforce https on any website using B2C and you may solve this issue.

0
votes

The problem was the identity running the application pool. It didn't have enough rights; from what I've read and am thinking, not enough rights to access the cert.

0
votes

For me the error occurs when I want to debug and the Visual Studio configuration is set to Release.