Azure AD Application Proxy Connector - SSL Errors

Claudiu D 96 Reputation points
2021-06-30T10:32:03.787+00:00

Hello,

I am trying to connect to a on-premise app via the Azure AD Application Proxy. In browser I have this error:
110565-badgateway.png

Below is the error from the connector logs:

The SSL server certificate presented to Microsoft AAD Application Proxy Connector by the backend server is not valid; the certificate is not trusted.
Details:
Transaction ID: {c971facf-4b32-8449-36b7a9bb4699}
Session ID: {c971facf-0839-4b32-36b7a9bb4699}
Published Application Name:
Published Application ID:
Published Application External URL: https://ab.domain.com
Published Backend URL: https://ab1.domain.com/
User: someone@keyman .com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Device ID: <Not Applicable>
Token State: NotFound
Cookie State: NotFound
Client Request URL: https://ab.domain.com/
Backend Request URL: https://ab1.domain.com/
Preauthentication Flow: PassThrough
Backend Server Authentication Mode: PassThrough
State Machine State: BERequestWriting
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: GET
Client Request Http Verb: GET

The certificate installed on the backend server ( nginx with Comodo Multi-Domain + Wildcard SAN certificate ) is valid and has the SANs declared as specified in https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-custom-domain ( Certificate formats section )

Subject Name
Common Name domain.com

DNS NAME domain.com
DNS NAME *.ab.domain.com
DNS NAME ab.domain.com

App Proxy Config:
110539-app-proxy.png

On the Connector machine, a DNS record in hosts file points the Application Internal URL to the public IP of the application. There are no connectivity issues between the connector and the backend server.

If I access directly (bypass AzureAppProxy) the backend server there are no SSL certificate errors in browser. The nginx server has the private key used to generate the CSR and the PEM (chain) keys configured.

The pfx certificate uploaded in Azure AD App Proxy was generated with openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.pem

I am not sure if there is actually an issue with the certificate or a misconfiguration on the nginx server.

Any tips on how to investigate this further are welcome.

Thank you


Accepted answer
  1. Claudiu D 96 Reputation points
    2021-07-01T19:42:24.453+00:00

    I am happy to report that everything works as expected.

    Initially I tried to use the same Internal and External URLs but I was getting "The service detected a possible loop" message and I went with the above setup with different URLs.

    The loop was happening because I didn't have the correct DNS entry on the connector machine !!!

    Now I've set the same Internal & External URL and added the correct DNS record on the Connector, pointing to the public IP of the application.

    Public IP ab.domain.com

    Thank you for the support and hopefully this will be useful for other people with a similar network topology.

    Regards,
    Claudiu D.


4 additional answers

  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-07-01T11:39:05.973+00:00

    Hello @Claudiu D ,

    Thanks for reaching out.

    You would see this error when the Azure AD Application Proxy connector can establish a TCP connection to the backend server's IP address (based on the hostname in the internal URL, for example ab1.domain.com) but cannot negotiate the SSL session.

    Looking at the above statement, you mentioned that on the connector machine a DNS record in the hosts file points the Application Internal URL to the public IP of the application, but ideally it is supposed to point to the private IP address, since the connector is part of the same local network. Could you please verify and validate that?

    If you created this application recently on Azure AD App Proxy, then the connector agent on the machine validates the SSL certificate of the backend server by default.

    Typical root causes would be:

    • The connector server cannot validate the SSL certificate of the server (name mismatch, expired certificate etc.)
    • Network issue
    • TLS protocol configuration mismatch (protocol, cipher suite, algorithm; there are further settings) (TLS 1.2 required for all connections)
    • Listener issue (no certificate or invalid certificate is bound)

    The events 13001 / 13002 / 13004 / 13005 in the admin log give you a hint about the problem.

    Another approach is to start Internet Explorer on the connector server. Add the internal URL to the address bar and try to access it. Probably you'll receive a certificate related error message that can help to start the troubleshooting. This step must be done on all connector servers.

    In case the "connector" and the web app are hosted on different servers (the web app is hosted on a non-Windows-based server), or there is a device between the "connector" and the "web app" that terminates the SSL connection: TLS termination is not a supported scenario with Azure AD Application Proxy, so try bypassing that device and check the behavior.

    https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-faq#is-tls-termination--tls-https-inspection-or-acceleration--on-traffic-from-the-connector-servers-to-azure-supported-

    You may get more insight to this issue when you collect Network trace and SCHANNEL logs on connector servers. Hope this helps.

    Regards,
    Siva Kumar Selvaraj
    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

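To make the "name mismatch" root cause from the answer above concrete, here is an added example (not code from the thread, Microsoft, or the connector) that reproduces the check a TLS client performs against the subject alternative names posted in the question. The SAN list is copied from the question (with the wildcard read as `*.ab.domain.com`); the internal URLs are the two the original poster tried. The point it shows: the connector verifies the certificate against the hostname in the Internal URL, not against whatever IP the hosts file resolves it to, and a wildcard covers exactly one label, so `*.ab.domain.com` covers neither `ab1.domain.com` nor `ab.domain.com`.

```python
"""Hostname vs. subjectAltName matching, the way a TLS client (such as the
App Proxy connector) evaluates the backend certificate.  Added example; the
SAN list is taken from the question, everything else is constructed."""
from urllib.parse import urlsplit

# SANs from the certificate described in the question (constructed list).
BACKEND_CERT_SANS = ["domain.com", "*.ab.domain.com", "ab.domain.com"]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName comparison.

    - case-insensitive, label by label, same number of labels
    - a wildcard is honoured only when it is the entire left-most label
    - the wildcard matches exactly one label: *.ab.domain.com covers
      x.ab.domain.com but neither ab.domain.com nor a.b.ab.domain.com
    - *.com style patterns (fewer than three labels) are rejected
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any(not lab for lab in h):
        return False
    if "*" in pattern:
        if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h


def matching_san(sans, hostname):
    """Return the first SAN entry that covers hostname, or None."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def check_backend(internal_url: str, sans):
    """Simulate the connector's name check for a published Internal URL.

    The name verified is the host component of the Internal URL.  A hosts-file
    entry only changes which IP the TCP connection goes to; it never changes
    the name the certificate is compared against.
    Returns (hostname_checked, matching_san_or_None).
    """
    host = urlsplit(internal_url).hostname
    return host, matching_san(sans, host)


def describe(internal_url: str, sans) -> str:
    host, san = check_backend(internal_url, sans)
    if san is None:
        return (f"{host}: no SAN covers this name -> handshake fails, "
                f"connector logs event 13001 (certificate not trusted)")
    return f"{host}: covered by SAN '{san}' -> name check passes"


if __name__ == "__main__":
    # The two setups from the thread: distinct Internal URL vs. same URL.
    for url in ("https://ab1.domain.com/", "https://ab.domain.com/"):
        print(describe(url, BACKEND_CERT_SANS))
    # Wildcard scope, often misread when a SAN list "looks right".
    for name in ("x.ab.domain.com", "ab.domain.com", "a.b.ab.domain.com"):
        print(f"*.ab.domain.com covers {name}: "
              f"{san_matches('*.ab.domain.com', name)}")
```

Run it and the first line explains the 13001 event in the question: with `https://ab1.domain.com/` as the Internal URL nothing in the SAN list covers `ab1.domain.com`, while the accepted answer's setup (Internal URL equal to the External URL `ab.domain.com`) passes on the literal `ab.domain.com` entry. The same logic is why "bypassing the proxy" in a browser looked fine: the browser was visiting `ab.domain.com`, not `ab1.domain.com`.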

  2. Claudiu D 96 Reputation points
    2021-07-01T12:39:45.57+00:00

    Hi @sikumars-msft,

    Thank you for your response.

    The web app is hosted on docker containers, outside the connector local network. The connector can establish communication with the web app only via the public IP.

    Access to the web app will be allowed only from connector's IP. At the moment I can access the domain ab.domain.com directly with no issues. Isn't this scenario supported ?

    If I access the Internal URL ab1.domain.com from the connector machine, I get a certificate error as it doesn't match the domain ab1.domain.com. "Accept risk and continue" in browser and I can access the application.

    Screenshot from connector machine:

    111034-image.png

    I removed any proxy/load balancer between the connector and the web app ( nginx server ). The traffic on ports 80 and 443 is forwarded with iptables straight to the nginx container.

    I've scanned ab.domain.com on SSL Labs and TLS v1.2 is supported, plus the ciphers below:

    110947-image.png

    The problem seems to be with the certificate presented to App Connector by nginx. ( Event 13001 )

    The files/certificates received from Comodo are the ones below:

    510739237repl_1.crt
    AAACertificateServices.crt
    SectigoRSADomainValidationSecureServerCA.crt
    USERTrustRSAAAACA.crt

    I've created the certificate for nginx with cat 510739237repl_1.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt > mycert.pem
    I have tried using only 510739237repl_1.crt as well.

    In nginx config file I have the following directives:

    ssl_certificate mycert.pem;
    ssl_certificate_key private.key; ( private key used to generate the CSR )

    Generate the pfx certificate required in Azure AD App Proxy:
    openssl pkcs12 -export -out certificate.pfx -inkey private.key -in mycert.pem

    I have tried a self-signed certificate and the result is the same - ( Event 13001 )

    Do I need to have the certificates and/or the private key uploaded on the connector machine ? Or maybe what I'm trying to achieve is not possible because the connector is not on the same network with the web app ?

    Many thanks

    Claudiu D.


  3. Claudiu D 96 Reputation points
    2021-07-01T14:20:32.157+00:00

    I have just noticed that when I connect to the External URL ( via App Proxy ) from the connector machine the encryption is different. See the 2 images below:

    111042-image.png

    110979-image.png


  4. Sivasubramaniam Sivakumar 1 Reputation point
    2022-11-17T11:27:44.173+00:00

    Hi @Siva-kumar-selvaraj

    My internal server has an invalid SSL certificate that I don't have the access to fix. Is it possible to setup the App Proxy Connector to ignore the SSL error?

    Thanks

