Share via

Azure AD Application Proxy: Certificate by the backend server is sometimes not valid (Event 13001)

Tortigar 1 Reputation point
2022-05-19T09:52:05.817+00:00

Hello,

I can't really figure out the Azure AD Application Proxy.

The following standard scenario: Internally there is a NGINX server (SLES 15 SP3 up to date), which can be accessed via HTTP/S. The website there can be reached internally via any browser using TLSv1.2 and TLSv1.3 without any problems.

This NGINX server is also provided externally via the Azure AD Application Proxy Connector (Windows Server 2019 up to date, connector is also patched, .NET Framework 4.7.2). In principle, this works so far, BUT sometimes (every minute or so after a few refreshes), the following error message appears:

One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.
For more details, check the Application Proxy Connector Event Log for reported errors.

In the mentioned event log from Azure AD Application Proxy Connector, the information is not more helpful.

The SSL server certificate presented to Microsoft AAD Application Proxy Connector by the backend server is not valid; the certificate is not trusted.

I think the error message is not quite right here. The connection does work, which means that the certificate is trusted. Just not always. My suspicion is that it might have something to do with the TLS cipher suites. I've already tested different cipher suite constellations in NGINX. This makes the error message appear more or less often. For example, when I adopt NGINX's default for ssl_ciphers, I only get this error message.

At the moment I use the following TLS configuration in NGINX. This is the only one that allows the page load halfway often.

ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_dhparam dhparam.pem;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;

By the way, I can probably reproduce the error with Invoke-WebRequest in PowerShell. Again, sometimes an error message comes, but not always.

Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1

  • Invoke-WebRequest -Uri https://abc.example.com
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    eption
  • FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Has anyone gotten something like this to work yet?

Thanks and best regards.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2022-05-30T18:57:28.867+00:00

    Hello @Tortigar ,

    Thanks for reaching out and apologies for the delayed response.

    This occurs when the Azure AD Application Proxy connector can establish a TCP connection to the backend server's IP address (based on the hostname in the internal URL - for example, https://app1.contoso.com/ - hostname stated in bold), but it is unable to negotiate an SSL session.

    These are the most common root causes of this problem.

    • Network problem - Incorrect TLS protocol setup (protocol, cipher suite, algorithm, there are further settings)
    • No certificate or an invalid certificate is bound on the backend server
    • The connector server is unable to validate the server's SSL certificate (name mismatch, expired certificate etc.)

    In this scenario, the "Azure AD Application Proxy Connector Event Logs" provide more info regarding Bad Gateway difficulties (such as Secure Sockets Layer (SSL)) failures, and example Admin logs are provided below for your reference.

    206778-image.png
    206805-image.png

    To answer your question related with cipher suite, you can use following site https://www.ssllabs.com/ssltest/analyze.html? to validate list of suites in server-preferred order and make sure you have them configured in your NGINX server and below is for your reference.

    206824-image.png

    If none of these work, I would recommend you to reach out to Azure support because this would require a more extensive investigation. If you do not have a support plan, please send an email with the subject line “Attn: SivaKumarS” to AzCommunity[at]Microsoft[dot]com referencing this article and your subscription id, and we will help you get one-time free technical support.

    Hope it helps!!!

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.