Open MV10 opened 4 years ago
Migrated comment by JuandeDios Calix on 2018-05-11 12:58:44 PM
Thank you very much for this great post.
I just read it; I'll be reading/trying all the IdSrv4 next week.
I should be asking right now, but, if I understand correctly, the whole Kestrel configuration will work when the app runs from IIS?
Thank you
Migrated comment by MV10 on 2018-05-14 5:29:52 AM
Glad you enjoyed it. Yes, correct, Kestrel runs "behind" IIS in the .NET Core world.
Migrated comment by edwin on 2018-06-05 5:53:06 AM
I was able to run this in Visual Studio, but after publishing it to IIS it stopped working with an exception: Application startup exception: System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
Do you have any idea how I can solve this?
Migrated comment by MV10 on 2018-06-05 6:03:12 AM
I'm traveling so I can't look into this further, but I haven't seen that problem. If you're using ASP.NET Core 2.1 instead of 2.0, that might be an issue. I haven't tried any of these older articles with 2.1 yet.
Migrated comment by edwin on 2018-06-05 6:31:06 AM
The token certificates are not installed; I'll have to manually add them to the local machine store.
Migrated comment by parkinsona on 2019-03-11 2:23:00 AM
Thanks for the only article on this I can seem to find.
I am getting a 502 error constantly with this showing in my log:
I should mention I've tried 5.1 and 5.2
2019-03-11 08:49:15.422 +10:00 [Error] An exception occurred while processing the key element '"<key id="\"e2d81a92-3afa-49e5-81df-d59296f0d31a\"" version="\"1\""/>"'.
System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Microsoft.AspNetCore.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapiCore(Byte* pbProtectedData, UInt32 cbProtectedData, Byte* pbOptionalEntropy, UInt32 cbOptionalEntropy)
   at Microsoft.AspNetCore.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapi(Byte[] protectedSecret)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key)
2019-03-11 08:49:21.201 +10:00 [Error] An exception occurred while trying to decrypt the element.
System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Microsoft.AspNetCore.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapiCore(Byte* pbProtectedData, UInt32 cbProtectedData, Byte* pbOptionalEntropy, UInt32 cbOptionalEntropy)
   at Microsoft.AspNetCore.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapi(Byte[] protectedSecret)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.KeyHolder.GetEncryptorInstance(Boolean& isRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.GetAuthenticatedEncryptorByKeyId(Guid keyId, Boolean& isRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2019-03-11 08:49:21.202 +10:00 [Error] An exception occurred while processing the key element '"<key id="\"e2d81a92-3afa-49e5-81df-d59296f0d31a\"" version="\"1\""/>"'.
System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Microsoft.AspNetCore.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapiCore(Byte* pbProtectedData, UInt32 cbProtectedData, Byte* pbOptionalEntropy, UInt32 cbOptionalEntropy)
   at Microsoft.AspNetCore.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapi(Byte[] protectedSecret)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.KeyHolder.GetEncryptorInstance(Boolean& isRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.GetAuthenticatedEncryptorByKeyId(Guid keyId, Boolean& isRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2019-03-11 08:49:21.205 +10:00 [Error] An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Microsoft.AspNetCore.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapiCore(Byte* pbProtectedData, UInt32 cbProtectedData, Byte* pbOptionalEntropy, UInt32 cbOptionalEntropy)
   at Microsoft.AspNetCore.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapi(Byte[] protectedSecret)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.KeyHolder.GetEncryptorInstance(Boolean& isRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.GetAuthenticatedEncryptorByKeyId(Guid keyId, Boolean& isRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)
Migrated comment by Michael Götz on 2019-03-27 8:33:41 AM
Hello Jon,
I followed your guide to get my applications running. But unfortunately my SignalR clients can't connect to my server because of the exception with this message:
"the remote certificate is invalid according to the validation procedure"
It seems that the self-signed certificate isn't valid, but how can I get it to be?
Just want to use it for internal purposes.
Next thing is that in part one of your guide you write: "The token certificates are automatically added to the “Personal” section of the “Local Machine” store" but the screenshot shows current user store. Where do the certificates belong to?
Best regards..
Migrated comment by Javaad Patel on 2019-04-03 11:55:56 AM
Hi Jon,
Thanks for the amazing article, I am getting an error:
info: HttpsConnectionAdapter[1]
Failed to authenticate HTTPS connection.
System.IO.IOException: The handshake failed due to an unexpected packet format.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
when I try to access the IdentityServer webpage. Have you seen this before?
Migrated comment by koo9 on 2019-04-27 2:51:26 PM
Does this work with IIS deployment on localhost?
Migrated comment by MV10 on 2019-04-27 3:16:54 PM
If you mean in-proc, I can't say, I haven't tried it that way.
Migrated comment by Lucas on 2019-12-18 8:02:56 AM
Hi Jon. Thanks for the article.
Is it good practice to read the certificate's thumbprint from a config file (e.g. appsettings.json) so it can be regenerated without the need to change C# code?
Thanks in advance.
Migrated comment by MV10 on 2019-12-18 11:02:57 AM
Hi Lucas. Yes, that would be acceptable. The thumbprint isn't considered sensitive information.
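Reading the thumbprint from configuration, as discussed in the exchange above, shown as an added example (not code from the article or its author). The class name and the `Certificates:Thumbprint` configuration key are hypothetical, and it assumes the certificate is in the Local Machine "Personal" store mentioned earlier in the thread; it fails with a specific message rather than returning a null certificate.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;

// Hypothetical helper: resolves a certificate from a thumbprint held in configuration.
public static class ConfiguredCertificate
{
    // "Certificates:Thumbprint" is an assumed key name, e.g. in appsettings.json:
    //   { "Certificates": { "Thumbprint": "<40 hex digits>" } }
    public static X509Certificate2 Load(IConfiguration config,
                                        string key = "Certificates:Thumbprint")
    {
        var raw = config[key];
        if (string.IsNullOrWhiteSpace(raw))
            throw new InvalidOperationException($"Configuration value '{key}' is missing.");

        // Thumbprints pasted from the certificate dialog often contain spaces or an
        // invisible leading character; keep only the hex digits before searching.
        var thumbprint = new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
        if (thumbprint.Length != 40) // SHA-1 thumbprint is 20 bytes = 40 hex digits
            throw new InvalidOperationException($"'{key}' is not a 40-digit hex thumbprint.");

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);

            // validOnly: false so a self-signed certificate that is not in a
            // trusted root store is still returned.
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);

            if (matches.Count == 0)
                throw new InvalidOperationException(
                    $"No certificate with thumbprint {thumbprint} in LocalMachine\\My. " +
                    "Install it on this machine before starting the application.");

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    $"Certificate {thumbprint} was found but has no private key.");

            return cert;
        }
    }
}
```

When the application runs under IIS, the application pool identity also needs read access to the certificate's private key; `HasPrivateKey` does not check that permission.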
Written on 2018-01-05 10:04:43 AM
URL: https://mcguirev10.com/2018/01/05/https-identityserver-aspnetcore.html