identityserver3, ws-federation, adfs3.0, owin-security

External login (via ADFS) from IdentityServer3 responds with HTTP status code 504


I received a federation metadata endpoint from the customer, which I used to configure WsFederationAuthentication in IdentityServer3.

Everything works fine from the developer machine (for example, the IdentityServer login redirects to the ADFS login page), but after deploying the solution to AWS Elastic Beanstalk (which is in a private subnet), I receive a 504 HTTP status code when I try to log in through the External (ADFS) login.

I simulated this scenario in Postman. I receive a 302 response on the developer machine, but the request never ends (the Postman result pane shows 'Loading...') on the AWS EC2 instance.

I am able to browse the federation metadata URL and the /adfs/ls endpoint from the AWS EC2 instance.

In the IdentityServer log, I can see the entries below:

External login requested for provider: adfs

Triggering challenge for external identity provider

HTTP Response

{
    "StatusCode": 401,
    "Headers": {
        "Content-Type": [
            "text/html"
        ],
        "Server": [
            "Microsoft-IIS/10.0"
        ],
        "Content-Length": [
            "0"
        ]
    },
    "Body": ""
}

After this, a gateway timeout happens (from the AWS load balancer).

As per the code in Microsoft.Owin.Security.WsFederation.WsFederationAuthenticationHandler.cs, the ApplyResponseChallengeAsync() method should generate a redirect response with a Location header containing the ADFS login page URL. But this is not happening.

I see the error below in the HTTPError log.

GET
/identity/external?provider=adfs&signin=699036641a8b2b6ddccea61bc8c1f715 --
1 Connection_Abandoned_By_ReqQueue DefaultAppPool

I do not see any event related to the above HTTP error in the Event Viewer log.

I searched for the above error, but the solutions I found did not yield any good results for this issue.


Solution

  • I investigated further with the Process Monitor tool and compared the TCP operations between the local machine and the AWS EC2 instance for the IdentityServer external login endpoint request. I found that a TCP Disconnect operation happens immediately after TCP Connect on the AWS EC2 instance, whereas locally this did not happen; instead the TCP connection was established and the TCP communication went well.

    Further investigation with the Wireshark tool showed a handshake failure happening on the AWS EC2 instance after the Client Hello. I then compared the TLS version and cipher suites used by the local machine (from the Wireshark log) and found the difference: the local machine uses TLS 1.2 and the cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030), whereas the AWS EC2 instance uses TLS 1.0, which is not supported by the ADFS server. Hence the TCP connection could not be established, resulting in a handshake failure.

    I followed this link https://learn.microsoft.com/en-us/officeonlineserver/enable-tls-1-1-and-tls-1-2-support-in-office-online-server#enable-strong-cryptography-in-net-framework-45-or-higher to make the .NET Framework use strong crypto.

    After this registry update, I was able to log in successfully from the external IdP (ADFS) via the IdentityServer3 login page.
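The following PowerShell script is an added example, not part of the original question or answer. It reproduces the two steps of the answer from a prompt on the EC2 instance without Wireshark: first it opens a TLS session to the ADFS host with one protocol version at a time, so a version the server rejects shows up as a failed handshake (the "handshake failure after Client Hello" from the answer), and then it audits and sets the registry values that make .NET Framework 4.x stop defaulting to SSL3/TLS 1.0. The host name adfs.example.com is a placeholder. SchUseStrongCrypto is the value the linked Microsoft article sets; SystemDefaultTlsVersions is an additional value from Microsoft's .NET TLS best-practices guidance that lets the OS choose the protocol, included here as a recommendation rather than something the answer did. Run it from a 64-bit, elevated PowerShell 5.1 session so the HKLM paths are not redirected.

```powershell
# Added example (not from the original post). Placeholder host: adfs.example.com.
# Step 1: probe the ADFS endpoint with a single TLS version per attempt.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [System.Security.Authentication.SslProtocols[]] $Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($HostName, $Port)
            # Certificate validation is not what this probe tests, so every chain is accepted.
            # Never copy this callback into application code.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
                param($sender, $cert, $chain, $errors) $true
            }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            # Offer exactly one protocol; a server that does not accept it aborts the handshake.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            [pscustomobject]@{
                Offered    = $proto
                Result     = 'OK'
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            }
            $ssl.Dispose()
        } catch {
            [pscustomobject]@{
                Offered    = $proto
                Result     = 'FAILED: ' + $_.Exception.GetBaseException().Message
                Negotiated = $null
                Cipher     = $null
            }
        } finally {
            $client.Dispose()
        }
    }
}

# Step 2: make .NET Framework 4.x use strong crypto (SchUseStrongCrypto, as in the linked
# article) and the OS default protocol list (SystemDefaultTlsVersions, from Microsoft's .NET
# TLS best-practices guidance). Both hives are set because the IIS app pool may be 32-bit.
function Enable-DotNetStrongCrypto {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($current -eq 1) {
                Write-Output "$key\$name is already 1"
                continue
            }
            if ($PSCmdlet.ShouldProcess("$key\$name", 'set DWORD to 1')) {
                Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
            }
        }
    }
}

Test-TlsProtocol -HostName 'adfs.example.com' | Format-Table -AutoSize
# Review the changes first; drop -WhatIf to apply them, then recycle the app pool (or iisreset)
# so the worker process reads the new values.
Enable-DotNetStrongCrypto -WhatIf
```

Two caveats when reading the probe output. SslStream is told the protocol explicitly, so it shows what the server and the local Schannel will accept, not what the IdentityServer process would pick on its own; the application's choice comes from ServicePointManager defaults, which is exactly what the registry values change. And a failure for Tls does not by itself prove the server is at fault: a client whose Schannel has TLS 1.0 disabled fails the same way, so compare the Tls12 row with the others before concluding.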