Recently we have run into some problems with our Web App's integration with Azure AD B2C using the Graph API.
We believe the problem has something to do with the SSL/TLS certificate on one or more of the Azure AD Graph API endpoints (on https://login.microsoftonline.com).
The problem seems to have started in early July (it seems to align with the SSL3 obsolescence timeline of June 30, 2018).
Beforehand, our code worked fine integrating with Azure AD B2C over the Graph API using the Azure Active Directory Authentication Library (ADAL) .NET.
Now, it seems like there is a random issue with the ADAL authentication context's AcquireTokenAsync() call throwing the following exception:
2018-07-24T13:08:44 PID[6124] Information RemoteCertificateValidationCallback(F3B414056D8FB86D98FB6F282D8F451F0A87BA40, None)
2018-07-24T13:08:44 PID[6124] Error AzureADRequest Error: System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An
error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.HttpClientWrapper.<GetResponseAsync>d__31.MoveNext()
The issue doesn't happen all the time. It can work fine for a while, then not work for maybe 15-30 minutes; after restarting the web app there's a chance that it's back to normal for a while.
It seems like one (or more) of the authentication servers on login.microsoftonline.com has a bad SSL/TLS certificate.
According to the diagnostics trace, it seems like the failing certificate has the thumbprint F3B414056D8FB86D98FB6F282D8F451F0A87BA40.
When the integration is working, we get the following log:
2018-07-20T18:05:02 PID[6124] Information RemoteCertificateValidationCallback(D4444B60F628539C586F1AACE0AAA71F7AD8F726, None)
So it seems that the Azure site can trust one certificate (D4444B60F628539C586F1AACE0AAA71F7AD8F726) from Azure AD but not the other (F3B414056D8FB86D98FB6F282D8F451F0A87BA40).
Furthermore, when we try to connect from our local dev environment, using either a console test app or a unit test, we get the token properly every time. So we are not sure whether this is related to Azure App Service, a specific data center/location, etc.
We also tried to override the server certificate validation callback by attaching to ServicePointManager.ServerCertificateValidationCallback, but it is never called (it seems like the ADAL library is doing its own thing).
Any help would be appreciated!
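The following is an added diagnostic example, not code from the poster or from ADAL, for collecting the evidence a question like this needs: which certificate chain the App Service instance actually receives from login.microsoftonline.com and which chain element fails with which status. It assumes .NET Framework 4.7.1 or later (or .NET Core), where HttpClientHandler exposes ServerCertificateCustomValidationCallback, and it probes the publicly readable OpenID configuration document on the same host the post names. The callback returns exactly the verdict the default validator would give, so it never loosens trust; it only records what was seen, which lets you compare the output from the App Service instance with the output from a local dev box.

```csharp
// Added diagnostic example (not the poster's code, not ADAL's).
// Assumes .NET Framework 4.7.1+ or .NET Core for ServerCertificateCustomValidationCallback.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class TlsDiagnostics
{
    // Log the presented leaf certificate, every element of the chain the platform built,
    // and the per-element status. Return the default verdict (true only when there are
    // no policy errors) so validation is observed, never bypassed.
    static bool LogAndValidate(HttpRequestMessage request, X509Certificate2 cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine($"{DateTime.UtcNow:O} host={request.RequestUri.Host} " +
                          $"thumbprint={cert.Thumbprint} subject={cert.Subject} " +
                          $"issuer={cert.Issuer} notAfter={cert.NotAfter:u} errors={errors}");

        if (chain != null)
        {
            foreach (var element in chain.ChainElements)
            {
                // An empty status array means this element validated cleanly.
                var status = element.ChainElementStatus.Length == 0
                    ? "OK"
                    : string.Join(";", Array.ConvertAll(element.ChainElementStatus,
                                        s => $"{s.Status}:{s.StatusInformation.Trim()}"));
                Console.WriteLine($"  chain: {element.Certificate.Thumbprint} " +
                                  $"{element.Certificate.Subject} -> {status}");
            }
        }
        return errors == SslPolicyErrors.None;
    }

    // Perform one GET against the URL and return the HTTP status, or -1 when the
    // request fails before a response (e.g. the TLS handshake is rejected).
    public static async Task<int> ProbeAsync(string url)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = LogAndValidate
        };
        using (var client = new HttpClient(handler))
        {
            try
            {
                using (var response = await client.GetAsync(url))
                    return (int)response.StatusCode;
            }
            catch (HttpRequestException ex)
            {
                Console.WriteLine($"request failed: {ex.GetBaseException().Message}");
                return -1;
            }
        }
    }

    static async Task Main()
    {
        // Unauthenticated, publicly readable document on the same host ADAL talks to,
        // so the probe exercises the same TLS endpoint without needing credentials.
        var status = await ProbeAsync(
            "https://login.microsoftonline.com/common/.well-known/openid-configuration");
        Console.WriteLine($"status={status}");
    }
}
```

Run this from the affected App Service instance (for example via a Kudu console or a small diagnostic endpoint) during a failing window and again from the local dev environment. If the failing thumbprint appears with a chain element marked PartialChain or UntrustedRoot, the instance is missing an intermediate or root that the dev box has; if the statuses are NotTimeValid or RevocationStatusUnknown, the cause is clock skew or blocked CRL/OCSP lookups rather than the certificate itself. In either case the fix is on the trust store or network side, not a callback that returns true.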