500.79 Internal Server Error

I got this exception when I was trying to configure Azure Active Directory authentication in Advanced management mode for an Azure App Service.  Basically, I was following the (Alternative Method) instructions described here.  After following all the instructions, I was getting this exception, as shown in Figure 1.

The page cannot be displayed because an internal server error has occurred.

Figure 1, 500 79 internal server error

I enabled Failed request tracing logs as shown in Figure 2.

Figure 2, 500 79 internal server error, enabled failed request tracing

I reproduced the issue and the log was created in the /LogFile/W3SVC######### directory on my App Service.  I opened one of the trace files, Figure 3, and found the 500.79 error.  It did not show exactly what was going on, but at least I had something to go on.

Figure 3, 500 79 internal server error, failed request trace log

InternalModuleFailure = 79 means the request failed because of an exception thrown by a module; the status code alone does not say which module or why.

What I needed was the stack trace of the exception behind the 500.  I expected it to be in the eventlog.xml file, but did not find anything there that led me to the cause of the 500.79.  I looked in KUDU for the eventlog.xml file, which I discuss here, and it is shown in Figure 4.

Figure 4, 500 79 internal server error, eventlog.xml 500.79

Then I thought I would do some real-time log streaming from within the portal.  You need to log in to the Azure Management portal and navigate to the App Service blade that is rendering the exception.  Scroll down, as seen in Figure 5, and click on the Log stream link, which enables real-time logging.  When I reproduced the error, I saw the exception, its stack trace and the inner exception, Figure 5, which I was then able to push forward with and resolve the issue.

Figure 5, 500 79 internal server error, eventlog.xml 500.79

The issue was that the certificate returned by the server 'https://sts.######' did not include that host name, so the TLS handshake could not be completed.  I entered 'https://sts.######' into Chrome and looked at the certificate, which is where I noticed the certificate did not match the host.  Since that host name pointed to the same server/IP (I checked with NSLOOKUP), I simply replaced the broken URL with one of the host names that was included in the certificate and it worked.  Of course it is possible that the host names direct to different sites on the same server, in which case this won't work, but in my case it did; it turned out I was simply using the wrong endpoint.
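The same check, automated: connect to the issuer host the way Easy Auth would, and if verification fails, tell a host name mismatch (the case above) apart from an untrusted chain and list the names the certificate does cover.  This is an added example, not code from the post or from Azure; the certificate dictionary used in the comments and test is constructed, and the issuer URL is whatever you pass in.

```python
"""Pre-flight check for the issuer URL behind an Easy Auth / AAD setup.
Added example (not from the post or Azure): does the certificate served
by the issuer host actually cover that host name, and if not, which
names does it cover?  Certificate dicts are ssl.getpeercert() format."""
import socket
import ssl
from urllib.parse import urlsplit


def cert_names(cert):
    """DNS names a cert claims: SAN entries first, then the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style: '*' is honoured only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".sts.example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def diagnose(cert, hostname):
    """Return (covered, names): is hostname covered, and what the cert lists."""
    names = cert_names(cert)
    return any(name_matches(n, hostname) for n in names), names


def check_issuer(issuer_url, timeout=5):
    """Full verification first; on failure retry with hostname checking off but
    chain checking still on, so a pure name mismatch is told apart from a bad CA."""
    host = urlsplit(issuer_url).hostname
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout) as sock, \
             ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", cert_names(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        pass
    ctx.check_hostname = False                # verify_mode stays CERT_REQUIRED
    try:
        with socket.create_connection((host, 443), timeout) as sock, \
             ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "hostname-mismatch", cert_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return "untrusted-chain", [str(err)]
```

A "hostname-mismatch" result with a list of names is exactly the situation above: pick one of the listed names only after confirming (NSLOOKUP or otherwise) that it serves the same endpoint.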

Here is the full exception.

Error       Failed to download OpenID configuration from 'https://sts.********.***/########-####-####-####-########0727/.well-known/openid-configuration': The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Critical    System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.Azure.AppService.Authentication.OpenIdConnectConfiguration.Download(String url)
   at Microsoft.Azure.AppService.Authentication.OpenIdConnectConfiguration.ConfigManager.RefreshConfiguration()
   at Microsoft.Azure.AppService.Authentication.OpenIdConnectConfiguration.ConfigManager.GetCurrentConfiguration()
   at Microsoft.Azure.AppService.Authentication.AzureActiveDirectoryProvider.GetLoginRedirectUrlAsync(HttpContextBase context, String callbackUrl, String postLoginRedirectUrl, NameValueCollection oauthState, String nonce)
   at Microsoft.Azure.AppService.Authentication.IdentityProviderBase.<RedirectToLoginPageAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.AppService.Authentication.EasyAuthModule.<AuthenticateAsync>d__34.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.AppService.Authentication.EasyAuthModule.<OnAuthenticateRequestAsync>d__e.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.AppService.Authentication.HttpModuleDispatcher.<DispatchAsync>d__13.MoveNext()