IDX10803: Unable to create to obtain configuration

41,663

Solution 1

Another developer on the team helped find the issue. The Windows Authentication host running at port 44305 had anonymous disabled. When this was enabled, the redirected process began to work again.

Regrettably, we didn't actually detect the error, but, through trial & error (hacking) it was fixed. My main question was how do I debug an OWIN app so I could actually see the HTTP 500's details. I wish the IdentityServer3 logs could have recorded the response from the Win Auth host. Also why isn't that a 401 response code?

Solution 2

I had the same problem - it seems that the SSL cert was untrusted. To resolve this I moved the "localhost" IIS Express Cert from the Personal CertStore to the Trusted Root Certification Authorities and the issue was gone.

Cert

Solution 3

I had this problem, and needed to trust the certificate as per Robert Muehsig answer.

But this on its own wasn't enough. I'm using Bearer Token Authentication. A bit of further digging revealed that I needed to set the DelayLoadMetadata flag to true.

So in my Web API startup:

app.UseIdentityServerBearerTokenAuthentication(
    new IdentityServerBearerTokenAuthenticationOptions
{
    DelayLoadMetadata=true
});

After this and the certificate trust change it started working. I know this isn't the same config as the original problem, but during my searching I kept coming across this post so thought I'd put this here for anyone else who stumbles across it...

Solution 4

From my memory, this error is thrown mostly due to the certificate trust / network access issue. Since you are running all the components in local host, it is definitely not a network issue. I assume you are running from VS Dev environment.

Couple of things:

  • Try hosting the components in the IIS server
  • Instead of using localhost, create a self-signed certificate for your host and try assigning your hostname as the subject name (Please note - idsrv3test certificate for signing and self-signed certificate for host SSL)

Also, Assign permissions to read the certificate as described here https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Certificates

If you still face this issue, try monitoring the traffic via Wireshark (Fiddler won't work in this case )

Solution 5

For testing purposes, I added the below block as the first piece of middleware in my pipeline. This will actually log the exception whenever one occurs. This lead me to see that my 500 actually was a 401.

        appBuilder.Use(async (context, next) =>
        {
            try
            {
                await next();
            }
            catch(Exception ex)
            {
                Log.Error(ex, "OWIN error.");
            }

        });
Share:
41,663
MADCookie
Author by

MADCookie

There is nothing wrong with being lazy when it shows its self as efficiently using your time and tools to produce a product acceptable to yourself and your team.

Updated on July 27, 2022

Comments

  • MADCookie
    MADCookie over 1 year

    My configuration has 3 sites: Identity Server (Idp), Windows Authentication host and my end-user client site. On the client site, I request a controller decorated with [Authorize] and Identity Server kicks in.

    The windows host at port 44305 is apparently throwing an exception and the identity server is receiving a status 500. I can access the windows host site URL without any problem. I get back an XML document

    How do I debug and find out what that exception or error is that is stopping this authentication process? I get a 3 part exception with the inner most as the following

    InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://localhost:44305/'.
    
    Microsoft.IdentityModel.Protocols.ConfigurationManager`1.<GetConfigurationAsync>d__3.MoveNext() in ConfigurationManager.cs
    

    The Windows Host OWIN startup is using UseWindowsAuthenticationService

    The Identity Server OWIN is using AuthenticationOptions = WsFederationAuthenticationOptions

    var wsFederationOptions = new WsFederationAuthenticationOptions
                {
                    AuthenticationType = "windows",
                    Caption = "Windows",
                    SignInAsAuthenticationType = signInAsType,
                    MetadataAddress = "https://localhost:44305/",
                    Wtrealm = "urn:idsrv3"
                };
                app.UseWsFederationAuthentication(wsFederationOptions);
            }
    

    Here are the requests and responses

    Request URL:https://localhost:44315/
    Request Method:GET
    Status Code:302 Found
    Response:Location:https://localhost:16433/connect/authorize?client_id=hms2015&redirect_uri=...
    
    Request: https://localhost:16433/connect/authorize?client_id=hms2015&redirect_uri=...
    Request Method:GET
    Status Code:302 Found
    Location:https://localhost:16433/login?signin=fde7508a6634698847c3076c9028604b
    
    Request URL:https://localhost:16433/login?signin=fde7508a6634698847c3076c9028604b
    Request Method:GET
    Status Code:500 Internal Server Error
    

    I have no visible SSL issues. With my browser, I can open all the pages from the different sites without any warning. I add my localhost IIS Express cert to the Trusted Root Cert.