本文介绍了Azure AD身份验证库-AcquireTokenAsync()获得SSL/TLS错误-根据验证过程,远程证书无效的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

最近,我们在使用Graph API的Web应用程序与Azure AD B2C集成中遇到了一些问题.

我们认为,该问题与一个或多个Azure AD Graph API终结点上的SSL/TLS证书有关(在https://login.microsoftonline.com上)

该问题似乎始于7月初(似乎与2018年6月30日的SSL3过时时间表保持一致).

在此之前,我们的代码可以使用Azure Active Directory身份验证库(ADAL).net与基于Graph API的Azure AD B2C集成正常运行.

现在,似乎ADAL身份验证上下文的AcquireTokenAsync()调用存在一些随机问题,引发以下异常:

2018-07-24T13:08:44  PID [6124]信息RemoteCertificateValidationCallback(F3B414056D8FB86D98FB6F282D8F451F0A87BA40,无)
2018-07-24T13:08:44  PID [6124]错误      AzureADRequest错误:System.AggregateException:发生一个或多个错误. ---> System.AggregateException:发生一个或多个错误. ---> System.Net.Http.HttpRequestException:一个 发送请求时发生错误. ---> System.Net.WebException:基础连接已关闭:无法建立SSL/TLS安全通道的信任关系. ---> System.Security.Authentication.AuthenticationException:远程 根据验证程序,证书无效.
    at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
    at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
    at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
    ---内部异常堆栈跟踪的结尾---
    at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult,TransportContext& context)
    at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
    ---内部异常堆栈跟踪的结尾---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(任务任务)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务任务)
    at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(任务任务)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.HttpClientWrapper.< GetResponseAsync> d__31.MoveNext()

这个问题不会一直发生.它可以正常工作一会儿,然后可能在15-30分钟内无法工作,然后重新启动网络应用后,有一段时间可能会恢复正常.

似乎login.microsoftonline.com上的一台(或多台)身份验证服务器具有错误的SSL/TLS证书.

根据诊断跟踪,看来失败的证书似乎具有F3B414056D8FB86D98FB6F282D8F451F0A87BA40的指纹.
集成正常进行时,我们收到以下日志
2018-07-20T18:05:02  PID [6124]信息RemoteCertificateValidationCallback(D4444B60F628539C586F1AACE0AAA71F7AD8F726,无)

因此看来,Azure站点可以信任来自Azure AD的一个证书(D4444B60F628539C586F1AACE0AAA71F7AD8F726),而不能信任另一个证书(F3B414056D8FB86D98FB6F282D8F451F0A87BA40).
此外,当我们尝试使用本地开发环境(通过控制台应用程序测试或单元测试)进行连接时,我们可以始终正确获取令牌.因此,我们不确定这是否与Azure App Service或特定的数据中心/位置有关, 等

Recently we have run into some problem with our Web App integration with Azure AD B2C using Graph API.

We believe the problem has something to do with the SSL/TLS certificate on one or more of Azure AD Graph API endpoint (on https://login.microsoftonline.com)

The problem seems to start in early July (seems like to align with the SSL3 obsolete timeline of June 30, 2018).

Before hand, our code works fine with integration with Azure AD B2C over Graph API using the Azure Active Directory Authentication Library (ADAL) .net.

Now, it seems like there are some random issue with the ADAL authentication context’s AcquireTokenAsync() call to throw the following exception:

2018-07-24T13:08:44  PID[6124] Information RemoteCertificateValidationCallback(F3B414056D8FB86D98FB6F282D8F451F0A87BA40, None)
2018-07-24T13:08:44  PID[6124] Error       AzureADRequest Error: System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.HttpClientWrapper.<GetResponseAsync>d__31.MoveNext()

The issue doesn’t happen all the time. It can be working fine for a while then it doesn’t work for maybe 15-30 min, then after restarting the web app there’s a chance that it’s back to normal for a while.

It seems like the one (or more) authentication servers on login.microsoftonline.com has a bad SSL/TLS certificate.

According to diagnostics trace, It seems like the failing certificate have the thumbprint of F3B414056D8FB86D98FB6F282D8F451F0A87BA40.

When the integration is working, we got the following log
2018-07-20T18:05:02  PID[6124] Information RemoteCertificateValidationCallback(D4444B60F628539C586F1AACE0AAA71F7AD8F726, None)

So it seems like that the Azure site can trust one certificate (D4444B60F628539C586F1AACE0AAA71F7AD8F726) from Azure AD but not the other (F3B414056D8FB86D98FB6F282D8F451F0A87BA40).

Furthermore, when we try to connect using our local dev environment, using either a console app test or unit test, we can get the token properly all the time. So we are not sure whether this is related to either Azure App Service or specific Data Center/Location, etc.

我们还尝试通过附加到ServicePointManager.ServerCertificateValidationCallback来覆盖ServerCertificateValidationCallback,但从未调用过它. (似乎ADAL库正在做自己的事情.)

We also tried to override the ServerCertificateValidationCallback by attaching to ServicePointManager.ServerCertificateValidationCallback, but it's never being called. (seems like the ADAL library is doing its own thing.)

任何帮助将不胜感激!


推荐答案

删除并重新安装证书后,重新启动后为我解决了这个问题.


这篇关于Azure AD身份验证库-AcquireTokenAsync()获得SSL/TLS错误-根据验证过程,远程证书无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-04 06:02
查看更多