IDX20804: Unable to retrieve document ASP.net Webforms

I know others have had variations of this problem but none of those posts have helped me solve this.

I first set up a developer account and downloaded a sample webforms project and got that working.
I then took my existing application that was using Redhat for SSO, and updated it to use Okta.

Both projects are using identical configuration.

But when I navigate to my web application I get in the event log:

Exception information:
Exception type: IOException
Exception message: IDX20804: Unable to retrieve document from: 'https://dev-56733704.okta.com/oauth2/default/.well-known/openid-configuration'.
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.d__8.MoveNext()

In fiddler I can see:
fiddler.network.https> HTTPS handshake to dev-56733704.okta.com (for #1553) failed. System.IO.IOException Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. < An existing connection was forcibly closed by the remote host

But so far I cannot figure out why the connection is being forcibly closed by the host. If I take the document URL from the event log, I can fetch it from any browser.

I added both my app and the example app to trusted origins in case that would help: it didn't.
I added both base URLs + /authorization-code/callback to the sign in redirect fields: it didn't help either.

I've read through the guides to see if there is some magic happening in the example app that I just didn't notice, but nothing in the guide seemed new to me.

If the sample app doesn't have some magic then that probably means there is something in my app causing the issue. But so far I haven't been able to figure out what.

I did notice in Fiddler that the requests for the example app and my app differ somewhat.

My app:
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.1 (TLS/1.0)
Random: 61 67 8C C6 01 78 61 33 1A 95 09 37 9C B5 F4 57 6D 90 BF 9B 5E DB 03 C5 05 D6 2B FD FB F6 38 67
ā€œTimeā€: 7/22/2075 11:51:13 PM
SessionID: empty
Extensions:
server_name dev-56733704.okta.com
supported_groups x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18]
ec_point_formats uncompressed [0x0]
SessionTicket empty
extended_master_secret empty
renegotiation_info 00
Ciphers:
[C00A] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[C009] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[0035] TLS_RSA_WITH_AES_256_CBC_SHA
[002F] TLS_RSA_WITH_AES_128_CBC_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA

Compression:
[00] NO_COMPRESSION

Example App:
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
Random: 9B EE 44 8D 5E 72 40 3F BB 5D 0B 7B A7 27 5C 00 44 95 76 6A CB 89 6A 76 BA 77 F9 CA 75 3C B3 3C
ā€œTimeā€: 2/7/2045 10:29:47 AM
SessionID: F5 E3 27 B4 12 84 C4 03 BE 1B 26 A1 48 6F CB CB 0F A4 1A 84 4F D8 42 B8 72 E9 E2 AC 21 5D 10 4C
Extensions:
server_name dev-56733704.okta.com
extended_master_secret empty
renegotiation_info 00
supported_groups x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18], secp521r1 [0x19], ffdhe2048 [0x0100], ffdhe3072 [0x0101]
ec_point_formats uncompressed [0x0]
SessionTicket empty
ALPN h2, http/1.1
status_request OCSP - Implicit Responder
0x0022 00 08 04 03 05 03 06 03 02 03
key_share 00 69 00 1D 00 20 BB 20 51 CD 46 04 A2 DB 03 98 05 3B BA 15 53 D4 BB DE 1C D5 F9 53 1D 55 D9 E1 4C B1 88 DC 3D 6C 00 17 00 41 04 46 58 8C 01 FC 3F 4D 92 6D 60 CA 26 A4 EB 45 D8 E9 3B 19 CC C3 15 BE 54 79 1E 57 79 90 3E DC 3C 48 01 45 C6 90 1A 42 E4 5D 38 DF C7 A9 57 0D AE 14 3D 3F 74 51 A3 EF 93 21 74 3D 04 98 AA 1F 95
supported_versions Tls1.3
signature_algs ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1
psk_key_exchange_modes 01 01
0x001c 40 01
padding 129 null bytes
Ciphers:
[1301] TLS_AES_128_GCM_SHA256
[1303] TLS_CHACHA20_POLY1305_SHA256
[1302] TLS_AES_256_GCM_SHA384
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[C00A] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[C009] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[002F] TLS_RSA_WITH_AES_128_CBC_SHA
[0035] TLS_RSA_WITH_AES_256_CBC_SHA

Compression:
[00] NO_COMPRESSION


Any ideas? I have been trying to get this running for several days now.

Thank you,
Gary

I believe Okta only supports TLS 1.2.
https://support.okta.com/help/s/article/Migrating-to-TLS-1-2

Perhaps you can try if this line of code will allow your app to use TLS 1.2?
// Enable TLS 1.2
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
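The Fiddler capture in the question shows the failing app sending a TLS 1.0 ClientHello (Version: 3.1) while the sample app offers TLS 1.2/1.3, and .NET Framework 4.5/4.6 defaults ServicePointManager.SecurityProtocol to Ssl3 | Tls unless the app changes it. The following is an added example, not the poster's, the reply author's or Okta's code, of where the suggested line goes in a WebForms project and how to confirm what the process actually negotiates. The Global class, the MetadataUrl/OktaHost constants and the ProbeTls helper are assumptions; the host name is the one from the event-log message above.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Web;

// Global.asax code-behind of the WebForms app (assumed class name).
public class Global : HttpApplication
{
    // Host taken from the event-log message in the question; constant names are assumed.
    private const string OktaHost = "dev-56733704.okta.com";
    private const string MetadataUrl =
        "https://" + OktaHost + "/oauth2/default/.well-known/openid-configuration";

    protected void Application_Start(object sender, EventArgs e)
    {
        // .NET Framework 4.5/4.6 default to Ssl3 | Tls, i.e. the TLS 1.0 ClientHello
        // seen in the Fiddler capture. Assign (rather than |=) so that nothing older
        // than TLS 1.2 is ever offered; HttpDocumentRetriever, which fetches the
        // openid-configuration document, uses this process-wide setting.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        // Record what the process negotiates with the IdP host so that a later
        // regression (another library resetting SecurityProtocol) shows up in the trace.
        Trace.TraceInformation("TLS probe for " + MetadataUrl + ": " +
                               ProbeTls(OktaHost, SslProtocols.Tls12));
    }

    // Assumed diagnostic helper: opens one TLS connection with only the given
    // protocol(s) enabled and reports the outcome. Calling it with SslProtocols.Tls
    // (TLS 1.0) against a TLS 1.2-only host reproduces the "forcibly closed"
    // IOException from the question; a negotiated SslProtocol shows the fix is live.
    public static string ProbeTls(string host, SslProtocols protocols)
    {
        try
        {
            using (var tcp = new TcpClient(host, 443))
            using (var tls = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false))
            {
                // Certificate validation stays on (default callback) and revocation is checked.
                tls.AuthenticateAsClient(host, null, protocols, checkCertificateRevocation: true);
                return "negotiated " + tls.SslProtocol + " with " + tls.CipherAlgorithm;
            }
        }
        catch (IOException ex)
        {
            // What the question's Fiddler log shows: the server drops the connection.
            return "handshake rejected: " + ex.Message;
        }
        catch (AuthenticationException ex)
        {
            return "authentication failed: " + ex.Message;
        }
    }
}
```

On .NET Framework 4.7 or later the same effect can be had without code by setting `<httpRuntime targetFramework="4.7.2" />` in web.config, which switches SecurityProtocol to SystemDefault and lets the OS pick the protocol; the explicit assignment above is the portable fix for 4.5/4.6 projects, and the probe makes it easy to see from the trace log whether the setting was honoured.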
