
I'm using IdentityServer3 (version 2.5.4) for the current project; everything works fine on my local machine (with IIS and IIS Express).

The customer has a Windows 7 Embedded machine (without SP1!) with .NET 4.5 installed. We created a self-signed SSL cert (with the current hostname, NOT localhost), but it's not working. I'm always getting the error "Unable to get document from: https://xyz/.well-known/openid-configuration".

What is wrong with the configuration?

pbachman

2 Answers


I found the solution; it has nothing to do with the configuration. Installing Windows 7 SP1 fixed it.

pbachman

In a couple of cases where we had this issue, it is mostly to do with network connectivity.

A few things which helped us figure out the root cause:

Access the "https://xyz/.well-known/openid-configuration" route from a browser on the server.

If you are not able to access the URL, then it means that the server is unable to connect to the IdServer installation. This is a network-level issue.

If you are able to access the URL from the server where the relying application is hosted, but the relying application is throwing an error, it means that a proxy is configured on the server. The browser automatically uses the proxy, whereas you have to set the proxy in the relying party application as below in Startup.cs:

  using System.Net;

  // Route the request through the same proxy the browser on the server already uses.
  var request = WebRequest.Create(uri);
  var myProxy = new WebProxy { Address = new Uri("proxy uri") };
  request.Proxy = myProxy;
  var response = request.GetResponse();

This will ensure that all the HTTP requests originating from the code will also use the same proxy.

If the above doesn't help, check if the IIS where IdServer is installed allows TLS 1.0 and 1.1. This is disabled on some servers for security purposes. If that is the case, use the below code to make your application use TLS 1.2 and the call will succeed:

  // Process-wide setting: must run before the first outbound HTTPS connection is opened.
  ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

jothi
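A diagnostic that the operator of the relying party can run on the affected machine, added here as an example and not code from either answer: it fetches the discovery document with the TLS setting and optional proxy the answer above recommends, and reports the failure class so that network, certificate-trust and TLS-handshake problems can be told apart. The authority (`https://xyz`) and proxy URLs are placeholders.

```csharp
using System;
using System.IO;
using System.Net;

class DiscoveryCheck
{
    // Usage: DiscoveryCheck.exe https://xyz [http://proxy:8080]   (placeholder URLs)
    static int Main(string[] args)
    {
        var authority = args.Length > 0 ? args[0].TrimEnd('/') : "https://xyz";
        var uri = new Uri(authority + "/.well-known/openid-configuration");

        // Apply the answer's TLS setting before the first connection is opened;
        // it is process-wide, so do it once at startup in a real application.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        var request = (HttpWebRequest)WebRequest.Create(uri);
        request.Timeout = 10000;
        if (args.Length > 1)
            request.Proxy = new WebProxy { Address = new Uri(args[1]) };

        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                var body = reader.ReadToEnd();
                Console.WriteLine("HTTP {0}, {1} bytes from {2}",
                    (int)response.StatusCode, body.Length, uri);
                // A discovery document always carries an "issuer" member.
                Console.WriteLine(body.Contains("\"issuer\"")
                    ? "discovery document received" : "response is not a discovery document");
                return 0;
            }
        }
        catch (WebException ex)
        {
            // Status separates the causes discussed in the answer:
            //   NameResolutionFailure / ConnectFailure -> network or proxy problem
            //   TrustFailure                          -> self-signed cert not trusted here
            //   SecureChannelFailure                  -> TLS version/cipher mismatch
            //   ProtocolError                         -> server answered with an HTTP error
            Console.WriteLine("WebException status: {0}", ex.Status);
            var http = ex.Response as HttpWebResponse;
            if (http != null) Console.WriteLine("HTTP {0}", (int)http.StatusCode);
            Console.WriteLine(ex.Message);
            return 1;
        }
    }
}
```

For a self-signed certificate, a TrustFailure means the certificate must be installed in the trusted root store of the machine making the request; it says nothing about the IdentityServer configuration itself.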
  • I'm getting the error when I try to open the link directly on the server. I don't think it's a network issue. We added the following code in the Startup.cs (inside the Configuration method): `System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;`, but it's still not working. Does it have to do with Windows 7 Embedded Standard (no SP1)? – pbachman Apr 19 '17 at 08:01
  • It could be something to do with the IdServer setup. Please check the trace.log file in your IdServer installation web folder. The log file would lead you to the actual issue. – jothi Apr 20 '17 at 08:29
  • What setup or installation folder do you mean? On the server there is only the deployed version of our IdServer project (including the IdentityServer3 DLLs). Are there any prerequisites that should be installed on the server? I can open the start page of IdentityServer3 (via https://hostname-of-the-server), but I cannot open the link https://hostname-of-the-server/.well-known/openid-configuration in the browser on the server. – pbachman Apr 21 '17 at 12:17
  • You would have deployed the IdServer application on the server somewhere. Open that folder, where you have the web.config for the IdServer. In the same location as the web.config, there will be a trace.log file, which will give detailed logging on what went wrong. – jothi Apr 21 '17 at 15:51
  • We used NLog for logging; here is the output of the log: `INFO 2017-04-21 16:15:13 Seed... INFO 2017-04-21 16:15:14 2 Users available WARN 2017-04-21 16:15:16 AuthorizationCodeStore not configured - falling back to InMemory WARN 2017-04-21 16:15:15 TokenHandleStore not configured - falling back to InMemory WARN 2017-04-21 16:15:15 ConsentStore not configured - falling back to InMemory WARN 2017-04-21 16:15:15 RefreshTokenStore not configured - falling back to InMemory INFO 2017-04-21 16:15:17 Welcome page requested - rendering`, but no error message. – pbachman Apr 24 '17 at 06:02
  • As per the logs, it seems like the server is running without errors. If you are able to change the default logging mechanism, then probably you could check if the discovery document is turned off. I am not sure where it could be done. This is just a guess. – jothi Apr 24 '17 at 09:15