IDX10803: Unable to create to obtain configuration from: 'https://login.microsoftonline.com/{Te

Time:07-27

For the past 5 years I have been using the Azure IoT remote monitoring solution, with Azure AD authentication securing the application and the APIs. Since last Saturday I have been getting the error below while signing in (yellow screen):

IDX10803: Unable to create to obtain configuration from: 'https://login.microsoftonline.com/{Tenant-ID}/.well-known/openid-configuration'.

This is my authentication related startup code:

public void ConfigureAuth(IAppBuilder app, IConfigurationProvider configProvider)
{
    string aadClientId = configProvider.GetConfigurationSettingValue("ida.AADClientId");
    string aadInstance = configProvider.GetConfigurationSettingValue("ida.AADInstance");
    string aadTenant = configProvider.GetConfigurationSettingValue("ida.AADTenant");
    // aadInstance is a format string such as "https://login.microsoftonline.com/{0}"
    string authority = string.Format(CultureInfo.InvariantCulture, aadInstance, aadTenant);

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    // Bearer-token authentication for the APIs
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new TokenValidationParameters
            {
                SaveSigninToken = true,
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            }
        });

    // Interactive sign-in for the web application; the middleware downloads
    // {authority}/.well-known/openid-configuration at startup
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = aadClientId,
            Authority = authority,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = (context) =>
                {
                    string appBaseUrl = context.Request.Uri.Scheme + "://" + context.Request.Uri.Authority + "/";
                    context.ProtocolMessage.RedirectUri = appBaseUrl;
                    context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
                    return Task.FromResult(0);
                },
                AuthenticationFailed = context =>
                {
                    string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;

                    context.ProtocolMessage.RedirectUri = appBaseUrl + "/";
                    context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
                    context.HandleResponse();
                    context.Response.Redirect(context.ProtocolMessage.RedirectUri);

                    return Task.FromResult(0);
                }
            }
        });
}

I'm using Azure App Service to host my web application; it is built on .NET Framework 4.6. I changed my web app's minimum TLS version from 1.0 to 1.2.

I can see a lot of questions related to this but couldn't find a proper answer, which is why I'm posting. If more information is required I can provide it. Thanks.

Edit: My web application does not have an SSL certificate; for certain reasons we can't use one.

CodePudding user response:

Resolved my issue. In my case, the OWIN packages were defaulting to TLS 1.1 when loading that metadata. Apparently they're rolling out the full deprecation of those SSL certificates right now, hence the breakage over the weekend. To resolve it, I added the following in Global.asax.cs:

protected void Application_Start()
{
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3; // only allow TLSV1.2 and SSL3

    //The rest of your startup code goes here
}

This forces any calls that occur within the OpenID Connect process to use TLS 1.2 or above and allows the openid-configuration to be obtained.
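As an added diagnostic (not the answerer's code or part of the original thread), the console program below reproduces the metadata download the OWIN middleware performs at startup, with ServicePointManager pinned to TLS 1.2 only rather than TLS 1.2 plus SSL 3.0, and checks that the discovery document carries the fields the middleware needs. It assumes a .NET Framework 4.6+ console project referencing System.Net.Http and System.Web.Extensions; "{Tenant-ID}" is the same placeholder used in the question.

```csharp
// Added diagnostic, not code from the thread: fetch the Azure AD OpenID Connect
// discovery document over TLS 1.2 only and confirm the fields the OWIN middleware
// needs are present. Assumes a .NET Framework 4.6+ console app; "{Tenant-ID}" is
// a placeholder for the real tenant GUID, as in the question above.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Script.Serialization; // System.Web.Extensions assembly

static class MetadataCheck
{
    static readonly string MetadataUrl =
        "https://login.microsoftonline.com/{Tenant-ID}/.well-known/openid-configuration";

    static int Main()
    {
        // Same idea as the fix in the answer, but without SecurityProtocolType.Ssl3:
        // SSL 3.0 is obsolete and the Azure AD endpoint does not negotiate it anyway.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        try
        {
            var doc = FetchMetadataAsync(MetadataUrl).GetAwaiter().GetResult();
            foreach (var key in new[] { "issuer", "jwks_uri", "authorization_endpoint" })
            {
                object value;
                if (!doc.TryGetValue(key, out value) || string.IsNullOrEmpty(value as string))
                {
                    Console.Error.WriteLine("Discovery document is missing '" + key + "'");
                    return 2;
                }
                Console.WriteLine(key + " = " + value);
            }
            return 0;
        }
        catch (HttpRequestException ex)
        {
            // A TLS handshake rejected by the server lands here; the OWIN
            // middleware reports the same failure as IDX10803.
            Console.Error.WriteLine("Metadata fetch failed: " + ex.GetBaseException().Message);
            return 1;
        }
    }

    static async Task<Dictionary<string, object>> FetchMetadataAsync(string url)
    {
        using (var client = new HttpClient())
        {
            string json = await client.GetStringAsync(url);
            return new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json);
        }
    }
}
```

Running it from the App Service console (Kudu) with the ServicePointManager line commented out reproduces the failure the question describes, while the TLS 1.2 setting makes the same request succeed.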
