IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Redirect loop when attempting to access STS #140

Closed jamiejamie closed 11 years ago

jamiejamie commented 11 years ago

I have Identity Server (v1) installed on a demo server (2008 SP2--no R2) with IIS7 and a wildcard cert from a trusted cert authority. When attempting to navigate to the STS from a machine that's not on the same domain, it gets into a redirect loop. Eventually, the browser aborts. I have no problems accessing the site from a machine that is on the same domain. Windows auth is not enabled.

Can anyone point me to something I may have misconfigured? Is there a problem with use of a wildcard cert?

Here's what I'm seeing in Fiddler:

1st request:

    CONNECT sts.mydomain.com:443 HTTP/1.0
    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
    Host: sts.mydomain.com
    Content-Length: 0
    DNT: 1
    Connection: Keep-Alive
    Pragma: no-cache

    A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

1st response:

    HTTP/1.0 200 Connection Established
    FiddlerGateway: Direct
    StartTime: 13:20:21.398
    Connection: close

    Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.

    Secure Protocol: Tls
    Cipher: Aes128 128bits
    Hash Algorithm: Sha1 160bits
    Key Exchange: RsaKeyX 2048bits

    == Server Certificate ==========
    [Subject]
      CN=*.mydomain.com, OU=Domain Control Validated, O=*.mydomain.com
    [Issuer]
    [Serial Number]
    [Not Before]
      7/22/2011 9:39:00 AM
    [Not After]
      7/22/2014 9:39:00 AM
    [Thumbprint]

2nd-nth request:

    GET https://sts.mydomain.com/ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US,en;q=0.5
    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
    Accept-Encoding: gzip, deflate
    Host: sts.mydomain.com
    DNT: 1
    Connection: Keep-Alive

2nd-nth response:

    HTTP/1.1 301 Moved Permanently
    Connection: Keep-Alive
    Content-Length: 143
    Date: Mon, 11 Mar 2013 17:30:58 GMT
    Location: https://sts.mydomain.com/
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/7.0
    Cache-Control: private
    X-AspNetMvc-Version: 3.0
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET

leastprivilege commented 11 years ago

Hm - hard to tell. Have you tried v2?

jamiejamie commented 11 years ago

Will try it.

leastprivilege commented 11 years ago

Any news?

jamiejamie commented 11 years ago

FYI, I finally got around to debugging this. I found the issue to be that the firewall was terminating the SSL connection before routing to the server. The admin swears it is not, but the IIS log clearly shows that the request is coming in on port 80, not 443. This caused the SslRedirectFilter to redirect to SSL, and the loop continued until the browser finally aborted.

Line 19 from SslRedirectFilter:

    if (!filterContext.HttpContext.Request.IsSecureConnection)
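The loop above happens because IIS only ever sees plain HTTP once a firewall or load balancer terminates TLS in front of it, so `Request.IsSecureConnection` is always false and the filter redirects forever. As an added illustration that is not code from the IdentityServer project or from anyone in this thread, the filter below shows one way to make that check proxy-aware: it honours an `X-Forwarded-Proto` header, but only when the request arrived from a known proxy address, so that ordinary clients cannot use the header to bypass the HTTPS requirement. The class name, the header name and the proxy addresses are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical proxy-aware variant of the SslRedirectFilter check.
// When a firewall terminates TLS, IIS receives plain HTTP on port 80, so
// Request.IsSecureConnection is false even though the client used HTTPS.
// Trusting X-Forwarded-Proto breaks the redirect loop, but only when the
// header comes from a proxy we trust; otherwise any client could spoof it.
public class ProxyAwareSslRedirectFilter : ActionFilterAttribute
{
    // Constructed sample values: addresses of the TLS-terminating proxy.
    private static readonly HashSet<string> TrustedProxies =
        new HashSet<string> { "10.0.0.5", "10.0.0.6" };

    public static bool IsEffectivelySecure(HttpRequestBase request)
    {
        if (request.IsSecureConnection)
            return true;

        // REMOTE_ADDR is the address of the hop that actually reached IIS;
        // unlike a header, the client cannot set it. Only believe the
        // forwarded scheme when that hop is our own proxy.
        string remote = request.ServerVariables["REMOTE_ADDR"];
        if (remote == null || !TrustedProxies.Contains(remote))
            return false;

        // A chain of proxies may append values; the first one is the
        // scheme the original client used.
        string proto = request.Headers["X-Forwarded-Proto"];
        return proto != null &&
               proto.Split(',')[0].Trim()
                    .Equals("https", StringComparison.OrdinalIgnoreCase);
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        if (IsEffectivelySecure(request))
            return;

        // Genuinely insecure request: redirect to the https form of the
        // same URL. With the check above this can no longer loop behind
        // a trusted TLS-terminating proxy.
        var builder = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = 443
        };
        filterContext.Result = new RedirectResult(builder.Uri.AbsoluteUri, permanent: true);
    }
}
```

Whether the firewall really terminates TLS can be confirmed independently of the application: the IIS log field `s-port` (and `cs-protocol`/`x-forwarded-proto` if the proxy adds it) will show 80 for requests that the browser sent over 443, exactly as reported in the comment above.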

leastprivilege commented 11 years ago

OK, thanks for the update.