Recently our support team has seen quite a few cases where customer applications that have been working for years suddenly start failing with one of the following error messages. These errors are often seen in applications targeting an old version of the .Net Framework.

AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD
IDX20804: Unable to retrieve document from: ‘[PII is hidden]’
IDX20803: Unable to obtain configuration from: ‘[PII is hidden]’
IDX10803: Unable to create to obtain configuration from: ‘https://login.microsoftonline.com/{Tenant-ID}/.well-known/openid-configuration’
IDX20807: Unable to retrieve document from: ‘System.String’
System.Net.Http.Headers.HttpResponseHeaders RequestMessage {Method: POST, RequestUri: ‘https://xxx.b2clogin.com/xxx.onmicrosoft.com/B2C_1_xxx_Signin/oauth2/v2.0/token’, Version: 1.1, Content: System.Net.Http.FormUrlEncodedContent, Headers: { Content-Type: application/x-www-form-urlencoded Content-Length: 970 }} System.Net.Http.HttpRequestMessage StatusCode UpgradeRequired This service requires use of the TLS-1.2 protocol

What’s going on?

For security and industry-standards compliance reasons, starting January 31st, 2022, Microsoft began requiring that client applications connecting to various Azure AD services on the Microsoft Identity Platform (aka Azure AD) use the TLS 1.2 protocol. You can read more about this change here and here. Applications running on older platforms and/or older versions of the .Net Framework may not have TLS 1.2 enabled and therefore fail to retrieve the OpenID Connect metadata document, resulting in failed authentication.

Resolution:

To enable TLS 1.2 support, you can try the following:

  1. Upgrade the application to use .Net Framework 4.7 or later, where TLS 1.2 is enabled by default.
  2. Make the following code change to the application should the .Net Framework upgrade not be feasible (courtesy of Brent on this StackOverflow post):
Option 1

You can add the following in Global.asax.cs:

using System;
using System.Net;

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // Allow only TLS 1.2 for outbound HTTPS calls made by this process
        // (for example the OpenID Connect metadata fetch). SSL 3.0, TLS 1.0
        // and TLS 1.1 are deliberately left out: they are the deprecated
        // protocols the AADSTS1002016 error refers to.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        // The rest of your startup code goes here
    }
}

Option 2

There's another method as well using web.config that doesn't involve code changes. If .NET 4.7.2 is available (which it is on Azure), you can add the following:

<system.web>
  <httpRuntime targetFramework="4.7.2" />
</system.web>

This may not work if using the 4.7.2 runtime causes breaking changes to your app. It doesn't require updating the compilation version and in the scenarios I tested it caused no issues.

If you are getting the above AADSTS error when running the PowerShell cmdlets Connect-MSolService, Connect-AzureAD, or Connect-MSGraph (from the Microsoft Intune PowerShell SDK module), you can try the following to set the TLS 1.2 version before calling any of those Connect commands:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Connect-MSolService
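To see the same failure and fix end to end, here is a small .NET Framework console program. It is an added example, not code from the original post or from the StackOverflow answer. It prints the process-wide protocol setting, applies the same TLS 1.2-only change as Option 1 when the current setting is missing TLS 1.2 or still includes a deprecated protocol, and then fetches the OpenID Connect metadata document that the IDX20804/IDX20803 errors refer to. The `{Tenant-ID}` placeholder in the URL is an assumption you replace with your own tenant, and the program assumes it is built against .NET Framework 4.5 or later with a reference to System.Net.Http.

```csharp
// Added example (not from the original post): check the process-wide TLS setting,
// apply the TLS 1.2-only fix when needed, then fetch the OpenID Connect metadata document.
using System;
using System.Net;
using System.Net.Http;

static class TlsCheck
{
    // Placeholder tenant (assumption): replace {Tenant-ID} with your own tenant ID.
    const string MetadataUrl =
        "https://login.microsoftonline.com/{Tenant-ID}/.well-known/openid-configuration";

    // The protocols Azure AD no longer accepts (SSL 3.0, TLS 1.0, TLS 1.1).
    static readonly SecurityProtocolType Deprecated =
        SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;

    // Returns the protocol set the process should use.
    // A value of 0 is SystemDefault on .NET 4.7+ (the OS chooses, and a patched Windows
    // offers TLS 1.2), so it is left alone. A setting that already has TLS 1.2 and nothing
    // deprecated is also left alone. Anything else becomes TLS 1.2 only, which is the
    // Option 1 change and also drops SSL 3.0 / TLS 1.0 / TLS 1.1 if they were enabled.
    public static SecurityProtocolType EnsureTls12(SecurityProtocolType current)
    {
        if (current == (SecurityProtocolType)0)
            return current;
        if ((current & SecurityProtocolType.Tls12) != 0 && (current & Deprecated) == 0)
            return current;
        return SecurityProtocolType.Tls12;
    }

    static int Main()
    {
        var before = ServicePointManager.SecurityProtocol;
        Console.WriteLine("SecurityProtocol before: " + before);

        ServicePointManager.SecurityProtocol = EnsureTls12(before);
        Console.WriteLine("SecurityProtocol after:  " + ServicePointManager.SecurityProtocol);

        using (var client = new HttpClient())
        {
            try
            {
                string json = client.GetStringAsync(MetadataUrl).GetAwaiter().GetResult();
                Console.WriteLine("Metadata document retrieved (" + json.Length + " chars)");
                return 0;
            }
            catch (HttpRequestException ex)
            {
                // This is the underlying failure that the identity library surfaces as
                // IDX20804 / IDX20803 when the client cannot negotiate TLS 1.2.
                Console.WriteLine("Unable to retrieve document from: " + MetadataUrl);
                Console.WriteLine(ex.InnerException != null ? ex.InnerException.Message : ex.Message);
                return 1;
            }
        }
    }
}
```

On .NET Framework 4.5 the "before" line typically shows Ssl3, Tls, so EnsureTls12 replaces it with Tls12 and the fetch succeeds; on 4.7 or later the default is SystemDefault (printed as 0) and the program leaves it unchanged, which is the behaviour the first resolution step relies on. Running the same program with the EnsureTls12 call removed on an old runtime reproduces the IDX20804-style failure, which makes it a handy way to confirm which of the two situations a given server is in before changing production code.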

References:

Transport Layer Security (TLS) best practices with the .NET Framework – .NET Framework | Microsoft Docs
