Startup Error IDX20807: Unable to retrieve document from: 'System.String' / TLS 1.2 #153

Closed
BHolthuijsen opened this issue Jun 1, 2023 · 2 comments · Fixed by #157

Comments

@BHolthuijsen

I think this issue is related to #108

When I first tried running the demo a month ago all worked well. I made a few modifications and saved the project to our source control. Last week, I retrieved it again and got the following error during startup:

Server Error in '/' Application.
IDX20807: Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.

Source Error:
Line 79:             try
Line 80:             {
Line 81:                 OpenIdConnectConfiguration config = Task.Run(_configManager.GetConfigurationAsync).Result;
Line 82:                 _issuer = config.Issuer;
Line 83:                 _keys = config.SigningKeys;

Source File: C:\Temp\Repos\active-directory-b2c-dotnet-webapp-and-webapi\TaskService\App_Start\OpenIdConnectCachingSecurityTokenProvider.cs    Line: 81

Stack Trace:
[IOException: IDX20807: Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.]
   Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__20.MoveNext() +1159
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.OpenIdConnect.<GetAsync>d__3.MoveNext() +391
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__12.MoveNext() +958

[InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.]
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__12.MoveNext() +1739
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__11.MoveNext() +314

This was during the startup of the "TaskService" project, but a similar error occurs when running the "TaskWebApp" and choosing "Sign up / Sign in".

I was rather puzzled that the project stopped working, since I had successfully run it a month ago.

To try to solve this, I updated a few of the NuGet packages. This gave me a more informative error:

[IOException: IDX20807: Unable to retrieve document from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. HttpResponseMessage: '[PII of type 'System.Net.Http.HttpResponseMessage' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]', HttpResponseMessage.Content: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.]
   Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__22.MoveNext() +1112
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.OpenIdConnect.<GetAsync>d__3.MoveNext() +391
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__18.MoveNext() +1052

[InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://xxx.b2clogin.com/tfp/xxx.onmicrosoft.com/b2c_1_signin/v2.0/.well-known/openid-configuration'. Will retry at '31-05-23 13:46:42 +00:00'. Exception: 'System.IO.IOException: IDX20807: Unable to retrieve document from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. HttpResponseMessage: '[PII of type 'System.Net.Http.HttpResponseMessage' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]', HttpResponseMessage.Content: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.<GetDocumentAsync>d__22.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.<GetAsync>d__3.MoveNext()

After adding IdentityModelEventSource.ShowPII = true;, I got the real error:

[IOException: IDX20807: Unable to retrieve document from: 'https://xxx.b2clogin.com/tfp/xxx.onmicrosoft.com/b2c_1_signin/v2.0/.well-known/openid-configuration'. HttpResponseMessage: 'StatusCode: 426, ReasonPhrase: 'InvalidRequest', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
  client-request-id: 941fbdda-6e4c-4f37-971b-8b70b3a54903
  Date: Wed, 31 May 2023 13:52:11 GMT
  Content-Length: 49
  Content-Type: html/text
}', HttpResponseMessage.Content: 'This service requires use of the TLS-1.2 protocol'.]
   Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__22.MoveNext() +1112
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.OpenIdConnect.<GetAsync>d__3.MoveNext() +391
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__18.MoveNext() +1052

It seems that TLS 1.2 is now required in Azure when retrieving the configuration. This has probably changed since my initial project check-in, causing the sudden error.

There are a few ways to fix this. See the recommendations here:
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls

One way is to change the Registry setting as described in the article. This would fix the problem on my system without having to change the project, but other users of this demo solution would still get the error.

Another way could be to set the SecurityProtocol to include TLS 1.2:
System.Net.ServicePointManager.SecurityProtocol |= System.Net.SecurityProtocolType.Tls12;

This was initially implemented in the project and reverted in #110.

Finally, a potential fix is to change the httpRuntime in Web.config.

Currently, both files contain:

  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <httpRuntime targetFramework="4.5" />
  </system.web>

Changing the httpRuntime to 4.8 solves the problem for me.

  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <httpRuntime targetFramework="4.8" />
  </system.web>

I'm not sure what the original purpose of the 4.5 setting is. Is it deliberate, or was it somehow forgotten during the update to .NET 4.8?
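The two Web.config fragments above differ only in the httpRuntime targetFramework, yet one fails with the 426 "requires TLS-1.2" response and the other works. The reason, per the Microsoft TLS guidance linked in the issue, is that ASP.NET uses httpRuntime targetFramework (not the compilation attribute) to decide the default of ServicePointManager.SecurityProtocol: apps targeting 4.7 or later get SystemDefault (Windows SCHANNEL negotiates, so TLS 1.2 is offered), 4.6 to 4.6.2 get Tls|Tls11|Tls12, and anything earlier gets the legacy Ssl3|Tls, which never offers TLS 1.2. The following script is an added example, not code from the Azure sample or the issue author; it audits a Web.config for this mismatch. The version-to-protocol mapping is my reading of that guidance, the treatment of a missing httpRuntime targetFramework as 4.0 is an assumption, and registry overrides (SchUseStrongCrypto, SystemDefaultTlsVersions) are deliberately not modelled. The two configs it checks are the fragments quoted above, wrapped in the <configuration> root a real Web.config has.

```python
"""Audit an ASP.NET Web.config for the httpRuntime targetFramework / TLS default pitfall.

Added example; not code from the Azure sample or the issue author. The mapping from
the targeted framework to the default ServicePointManager.SecurityProtocol is my
reading of the Microsoft TLS guidance linked in the issue; registry overrides
(SchUseStrongCrypto, SystemDefaultTlsVersions) are deliberately not modelled.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple


def parse_framework_version(version: str) -> Tuple[int, int]:
    """'4.8' -> (4, 8); '4.7.2' -> (4, 7); a bare '4' -> (4, 0)."""
    parts = version.strip().split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return major, minor


def default_security_protocol(target_framework: str) -> Tuple[str, ...]:
    """Default ServicePointManager.SecurityProtocol for an app targeting this framework.

    - 4.7 and later: SystemDefault, i.e. Windows SCHANNEL negotiates (TLS 1.2 on a
      current Windows build).
    - 4.6 to 4.6.2: Tls | Tls11 | Tls12 (strong crypto on by default).
    - earlier: Ssl3 | Tls, so TLS 1.2 is never offered and an endpoint that requires
      it, such as the b2clogin.com discovery document in the issue, rejects the request.
    """
    version = parse_framework_version(target_framework)
    if version >= (4, 7):
        return ("SystemDefault",)
    if version >= (4, 6):
        return ("Tls", "Tls11", "Tls12")
    return ("Ssl3", "Tls")


def offers_tls12(protocols: Tuple[str, ...]) -> bool:
    """True if the default protocol set can negotiate TLS 1.2 (directly or via the OS)."""
    return "Tls12" in protocols or "SystemDefault" in protocols


def audit_web_config(web_config_xml: str) -> Dict[str, object]:
    """Return both targetFramework values and what the httpRuntime one implies for TLS."""
    root = ET.fromstring(web_config_xml)
    compilation = root.find("./system.web/compilation")
    http_runtime = root.find("./system.web/httpRuntime")
    compile_tf: Optional[str] = compilation.get("targetFramework") if compilation is not None else None
    # Assumption: ASP.NET treats a missing httpRuntime targetFramework as 4.0 (quirks mode).
    runtime_tf = (http_runtime.get("targetFramework") if http_runtime is not None else None) or "4.0"
    protocols = default_security_protocol(runtime_tf)
    return {
        "compilation_targetFramework": compile_tf,
        "httpRuntime_targetFramework": runtime_tf,
        "default_SecurityProtocol": protocols,
        "tls12_offered": offers_tls12(protocols),
        # The sample's bug: compilation says 4.8 while httpRuntime still says 4.5.
        "targetFramework_mismatch": compile_tf is not None
        and parse_framework_version(compile_tf) != parse_framework_version(runtime_tf),
    }


# Constructed inputs: the two <system.web> fragments quoted in the issue, wrapped in
# the <configuration> root element a real Web.config has.
WEB_CONFIG_BROKEN = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <httpRuntime targetFramework="4.5" />
  </system.web>
</configuration>"""

WEB_CONFIG_FIXED = WEB_CONFIG_BROKEN.replace('httpRuntime targetFramework="4.5"',
                                             'httpRuntime targetFramework="4.8"')

if __name__ == "__main__":
    for label, cfg in (("broken", WEB_CONFIG_BROKEN), ("fixed", WEB_CONFIG_FIXED)):
        print(label, audit_web_config(cfg))
```

Run it against a checked-out copy of the sample by reading TaskService/Web.config and TaskWebApp/Web.config into audit_web_config; a report with tls12_offered False and targetFramework_mismatch True is the configuration that produces the IDX20807 / 426 failure above, and the one-line Web.config change quoted above (or the ServicePointManager line, or the registry override) is what clears it.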

@bgavrilMS (Contributor)

Modern versions of .NET use the recommended TLS by default. This is the best path forward: upgrade to the latest .NET Framework, i.e. .NET 4.8.

I'm closing this as it's not a sample issue.

@bgavrilMS closed this as not planned, Oct 3, 2023

@BHolthuijsen (Author)

I certainly agree that updating to the latest framework is the best solution. Shouldn't the following lines be changed in the sample project?

https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi/blob/77039fdd75e6b88fc4fbfb1bf49e21b499257f7d/TaskService/Web.config#L33C9-L33C9

and

https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi/blob/77039fdd75e6b88fc4fbfb1bf49e21b499257f7d/TaskWebApp/Web.config#L42C3-L42C3

They still refer to 4.5.

@bgavrilMS reopened this, Oct 3, 2023
@pmaytak mentioned this issue, Oct 19, 2023