
This has been asked before, but I am completely stuck and nothing listed in other questions has worked for me so far. While this refers to Identity Server, I think I have missed something in setting up SSL.

I have set up as follows (this is with IIS Express, not full IIS):

I get the error in the title on the line:

app.UseIdentityServerBearerTokenAuthentication(options);

This is basically requesting some open configuration options from the server at auth.testhost.com:44373/core/.well-known/openid-configuration.

My options are:

Authority = "https://auth.testhost.com:44373/core",
RequiredScopes = new List<string>() { "api" }

In some examples I see a client id and secret, but they are not available in the options for me: is this a problem?

If you need to see any identity server options please say and I'll post. I ran the following command to create a cert:

makecert.exe -r -pe -n "CN=auth.testhost.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048

This generated the certificate, which I then exported to Trusted Root Certification Authorities.

From what I can tell, the SSL port bindings should be handled by Visual Studio as I am using IIS Express. Below are the bindings it has:

<site name="Authenticator_V2" id="2">
    <application path="/" applicationPool="Clr4IntegratedAppPool">
        <virtualDirectory path="/" physicalPath="c:\users\user\documents\visual studio 2015\Projects\Authenticator_V2\Authenticator_V2" />
    </application>
    <bindings>
        <binding protocol="http" bindingInformation="*:49755:localhost" />
        <binding protocol="https" bindingInformation="*:44373:localhost" />
        <binding protocol="https" bindingInformation="*:44373:auth.testhost.com" />
    </bindings>
</site>
<site name="APIClient2" id="7">
    <application path="/" applicationPool="Clr4IntegratedAppPool">
        <virtualDirectory path="/" physicalPath="C:\Users\user\documents\visual studio 2015\Projects\Authenticator_V2\APIClient2" />
    </application>
    <bindings>
        <binding protocol="http" bindingInformation="*:53812:localhost" />
        <binding protocol="https" bindingInformation="*:44356:localhost" />
    </bindings>
</site>

This is my hosts file:

127.0.0.1               localhost
127.0.0.1               hybrid.testhost.com
127.0.0.1               auth.testhost.com

When I go to https://auth.testhost.com:44373/ I still have a red line through my protocol. I assume this means something has not been configured correctly still. I am using Chrome and clicking on the certificate gives:

"Your connection to this site is not private." 

Details:

SHA-1 Certificate
The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.

View certificate

Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

I looked at the ERR_CERT_COMMON_NAME_INVALID error and it seems that is a Chrome bug. However, my error is being thrown from the web services server trying to connect to the authentication server, so I think I can ignore this one???

I also ran netsh to check there was a cert binding set up:

netsh http show sslcert ipport=0.0.0.0:44373

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:44373
    Certificate Hash             : HAS ODD HASH - REMOVED
    Application ID               : {HAS GUID - REMOVED}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

At this point I noticed this hash is not the right one for my certificate. It is for the IIS Express localhost certificate. I found this link: IdentityServer: The remote certificate is invalid according to the validation procedure and copied the steps to move the localhost certificate into the Trusted Root Certification Authorities, but unfortunately I still have the error. I am now not sure what else to do.

Scope Configuration:

new Scope
{
    Name = "api",
    DisplayName = "Can call API",
    Enabled = true,
    Type = ScopeType.Resource
    //ScopeSecrets = new List<Secret> {  }
}

All my clients have this scope.

Thanks

Fred Johnson
  • Is the certificate definitely added to the `Trusted Root Cert Authority` store of your `Computer Account` ? You need to run `MMC.exe` with admin privileges and select `Computer Account` – Seany84 Jul 25 '16 at 13:58
  • Hi, I believe so. I am in the window and both the certificate I made for auth.testhost.com and the localhost one that IIS Express uses are there. – Fred Johnson Jul 25 '16 at 14:03
  • Can you close your current MMC window and open it again with admin privileges, select Computer Account, and check if the cert is still there ? – Seany84 Jul 25 '16 at 14:06
  • it is there still :( – Fred Johnson Jul 25 '16 at 14:14
  • Your services connecting to idsrv are running on your local machine as well, right? Not on another machine that does not trust this cert? – John Korsnes Jul 25 '16 at 18:56
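The error in the title is the generic message .NET raises when the back-channel TLS handshake to the authority fails, and it hides which check failed. The following console program is an added diagnostic, not code from the question or from IdentityServer: it opens a TLS connection to the host and port given above (auth.testhost.com:44373) the same way the API's HTTP client would, and prints the served certificate's subject and thumbprint (to compare against the `netsh http show sslcert` output) together with the specific `SslPolicyErrors` flags, so a name mismatch (the wrong certificate bound to the port) can be told apart from an untrusted chain (issuer missing from `LocalMachine\Root`). The callback only reports; it returns the default verdict, so the result is the same one the API sees.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not part of the question): reproduce the API's back-channel
// TLS validation against the authority and report why it fails.
class TlsProbe
{
    // Host and port taken from the question; change them for another setup.
    const string Host = "auth.testhost.com";
    const int Port = 44373;

    static void Main()
    {
        using (var tcp = new TcpClient(Host, Port))
        using (var ssl = new SslStream(tcp.GetStream(), false, ReportValidation))
        {
            try
            {
                // Validates the server certificate against Host, exactly as
                // HttpClient/ServicePointManager would for the discovery URL.
                ssl.AuthenticateAsClient(Host);
                Console.WriteLine("Handshake succeeded; certificate validation passed.");
            }
            catch (AuthenticationException ex)
            {
                Console.WriteLine("Handshake failed: " + ex.Message);
            }
        }
    }

    // Reporting callback: prints the details, then returns the default verdict
    // (true only when no policy error is set) so nothing is bypassed.
    static bool ReportValidation(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        var cert2 = new X509Certificate2(cert);
        Console.WriteLine("Subject:       " + cert2.Subject);
        Console.WriteLine("Issuer:        " + cert2.Issuer);
        Console.WriteLine("Thumbprint:    " + cert2.Thumbprint); // compare with netsh 'Certificate Hash'
        Console.WriteLine("Policy errors: " + errors);

        // Name mismatch: the certificate bound to the port is not issued for Host
        // (for example the IIS Express 'localhost' certificate is still bound).
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.WriteLine("-> served certificate does not match " + Host);

        // Chain errors: the issuer is not trusted by the machine store, the cert
        // is expired, or the chain is otherwise broken; ChainStatus says which.
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
            foreach (var status in chain.ChainStatus)
                Console.WriteLine("-> chain: " + status.Status + " (" + status.StatusInformation.Trim() + ")");

        return errors == SslPolicyErrors.None;
    }
}
```

Run it from the same machine and account the API runs under, since certificate trust is evaluated against that account's machine store; if the thumbprint printed here differs from the thumbprint of the certificate created with makecert, the https binding for port 44373 is serving a different certificate than intended.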

1 Answer

This issue was fixed by upgrading all but IdentityModel.Jwt to the latest versions, which gave the options to set the Certificate and Issuer Name on the bearer options. Both of these were required to be set for the error to go away.

Fred Johnson
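As an added illustration of the configuration the answer describes (this is example code, not the answerer's own): with the signing certificate and issuer name set on the bearer options, the API validates JWT access tokens locally against a pinned key and never has to fetch the discovery document from the authority over TLS, which is the request that was failing. It assumes the IdentityServer3.AccessTokenValidation package version that exposes the `SigningCertificate`, `IssuerName` and `ValidationMode` properties, that the authority URL is the one from the question, that the `iss` claim in the tokens equals that URL, and that the signing certificate is in `LocalMachine\My`; the thumbprint is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.AccessTokenValidation;
using Owin;

// Added example, not the answerer's code: local JWT validation with a pinned
// signing certificate and an explicit issuer, so no discovery call is made.
public class Startup
{
    // Placeholder: thumbprint of the IdentityServer signing certificate as shown
    // in certlm.msc under Personal > Certificates (assumed to be in LocalMachine\My).
    const string SigningCertThumbprint = "<SIGNING-CERT-THUMBPRINT>";

    public void Configuration(IAppBuilder app)
    {
        var options = new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://auth.testhost.com:44373/core",
            RequiredScopes = new List<string> { "api" },

            // Validate JWTs in-process; reference tokens are not supported in this mode.
            ValidationMode = ValidationMode.Local,
            SigningCertificate = LoadFromMachineStore(SigningCertThumbprint),

            // Must equal the 'iss' claim IdentityServer writes into tokens
            // (assumed here to be the authority URL, the IdentityServer3 default).
            IssuerName = "https://auth.testhost.com:44373/core",
        };

        app.UseIdentityServerBearerTokenAuthentication(options);
    }

    // Looks the certificate up by thumbprint rather than by subject, so a second
    // certificate with the same CN (such as a stale or test one) cannot be picked.
    static X509Certificate2 LoadFromMachineStore(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Signing certificate " + thumbprint + " not found in LocalMachine\\My");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Pinning the key this way also means a rotated signing certificate on the IdentityServer side must be redeployed to the API, which is the trade-off against discovery-based key retrieval.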