This repository has been archived by the owner on Jun 30, 2023. It is now read-only.
Is this a new or existing app?
The app has been in production for a while.
Description
When requesting a new token using the AcquireTokenAsync method for one of our customers utilizing ADFS (Windows Server 2016), the login flow seems to work fine on iOS. However, about four out of six login attempts on Android we get an SSL-related exception. Turning on logging reveals that this seems to be related to a certificate issue.
While we can't figure out what the exact issue is, we did manage to figure out where the issue occurs. The oauth2/authorize endpoint loaded in the webui is handled fine and seems to properly return an authorization code. The oauth2/token endpoint seems to be called using an HttpClient instance (as opposed to a web browser component), which seems to be causing this error.
Since this error occurs with only one customer, it seems their ADFS server configuration might be incomplete. But I am wondering what kind of configuration error would only cause certificate issues in an HttpClient instance run on Android but not in an Android webview?
I have attached the logs of the full exception.
Is there any known cause for this issue?
On a side and maybe not unrelated note, while my app is configured to utilize the AndroidClientHandler at runtime for any constructed HttpClient, it seems any HttpClient created by the Adal library utilizes the default HttpClientHandler.
Additional logs
(Omitting any PII)
System.Net.Http.HttpRequestException: An error occurred while sending the request ---> System.Net.WebException: Error: TrustFailure (A call to SSPI failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at /Users/builder/jenkins/workspace/xamarin-android-d15-9/xamarin-android/external/mono/external/boringssl/ssl/handshake_client.c:1132
at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status) [0x0003e] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus)
at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
at Mono.Net.Security.AsyncProtocolRequest+<ProcessOperation>d__24.MoveNext () [0x000ff] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of stack trace from previous location where exception was thrown ---
at Mono.Net.Security.AsyncProtocolRequest+<StartOperation>d__23.MoveNext () [0x0008b] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of inner exception stack trace ---
at Mono.Net.Security.MobileAuthenticatedStream+<ProcessAuthentication>d__47.MoveNext () [0x00254] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of stack trace from previous location where exception was thrown ---
at Mono.Net.Security.MonoTlsStream+<CreateStream>d__17.MoveNext () [0x00126] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.WebConnection+<CreateStream>d__18.MoveNext () [0x001ba] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of inner exception stack trace ---
at System.Net.WebConnection+<CreateStream>d__18.MoveNext () [0x0021a] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.WebConnection+<InitConnection>d__19.MoveNext () [0x00141] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.WebOperation+<Run>d__57.MoveNext () [0x0009a] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.WebCompletionSource`1+<WaitForCompletion>d__15[T].MoveNext () [0x00094] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.HttpWebRequest+<RunWithTimeoutWorker>d__241`1[T].MoveNext () [0x000f8] in <fb6d78e506844b3b96d5b35aa047fbbd>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.HttpClientHandler+<SendAsync>d__64.MoveNext () [0x002e7] in <25ebe1083eaf4329b5adfdd5bbb7aa57>:0
--- End of inner exception stack trace ---
at System.Net.Http.HttpClientHandler+<SendAsync>d__64.MoveNext () [0x00478] in <25ebe1083eaf4329b5adfdd5bbb7aa57>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.HttpClient+<SendAsyncWorker>d__49.MoveNext () [0x000ca] in <25ebe1083eaf4329b5adfdd5bbb7aa57>:0
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.HttpClientWrapper+<GetResponseAsync>d__28.MoveNext () [0x0025c] in <7f8c9e06869941238a2e5fce549c7df1>:0
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient+<GetResponseAsync>d__23`1[T].MoveNext () [0x0010e] in <7f8c9e06869941238a2e5fce549c7df1>:0
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient+<GetResponseAsync>d__22`1[T].MoveNext () [0x0006d] in <7f8c9e06869941238a2e5fce549c7df1>:0
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase+<SendHttpMessageAsync>d__73.MoveNext () [0x0009e] in <7f8c9e06869941238a2e5fce549c7df1>:0
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase+<SendTokenRequestAsync>d__70.MoveNext () [0x00099] in <7f8c9e06869941238a2e5fce549c7df1>:0
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase+<CheckAndAcquireTokenUsingBrokerAsync>d__60.MoveNext () [0x0013a] in <7f8c9e06869941238a2e5fce549c7df1>:0
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase+<RunAsync>d__58.MoveNext () [0x00705] in <7f8c9e06869941238a2e5fce549c7df1>:0
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenCommonAsync>d__40.MoveNext () [0x000d7] in <7f8c9e06869941238a2e5fce549c7df1>:0
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenAsync>d__30.MoveNext () [0x0008b] in <7f8c9e06869941238a2e5fce549c7df1>:0
--- End of stack trace from previous location where exception was thrown ---
at AdfsDebugApp.AndroidApp.MainActivity+<GetNewAdfsToken>d__13.MoveNext () [0x0005a] in <OMITTED>
@gameleon-dev Could you try our latest release 5.0.2-preview and see if it resolves the issue for you? We fixed some httpclient issues in 5.0.1-preview.
The issue has been located. As it turns out the customer had an SSL certificate chain misconfiguration on their ADFS server (missing intermediates for one of the installed SSL certificates) which the Android webview (utilized for the oauth2/authorize endpoint) could handle, but BoringSSL/AndroidClientHandler (utilized by HttpClient on Xamarin.Android for the oauth2/token endpoint) could not.
Since it turned out to be unrelated, I've filed a separate issue for the Xamarin HttpClient settings being ignored, even after updating to 5.0.2-preview. (#1575)
Which Version of ADAL are you using ?
ADAL 4.5.1
Which platform has the issue?
Xamarin.Android