The Problem

I suddenly started getting unexpected 401 errors when debugging a website backed with ASP.NET WebAPI2 (auth via IdentityServer3, using IIS Express 10 and Visual Studio 2015). Also, the web browser was rejecting the certificate (NET::ERR_CERT_AUTHORITY_INVALID in Chrome, I just clicked through the warnings to get to the site).

I verified that the sign-in request went through as it was supposed to, the authentication token was received and the calls were being made with the correct headers in place. I then proceeded to google for solutions to the symptoms and tried a bunch before finding the correct solution.

The Cause

After digging through the code (this happened in conjunction with a wide-spread refactoring) and trying the wrong solutinos, I finally tested with an earlier version and found out that the problem was with the development environment instead of the code. The IIS Express Development Certificate setup was somehow gotten “dislodged” and was no longer trusted in my environment. I suspect a Windows, Visual Studio or IIS Express update process or installation of some visual studio extensions.

While the browser certificate error can be overcome by simply ignoring the browser warnings, apparently IdentityServer3 and/or WebAPI2 authentication middleware also verifies the server certificate at some point during token validation, hence the 401 errors.

The Solution

Normally, visual studio prompts the developer to trust the IIS Express certificate when debugging an https-enabled project for the first time, like seen in this example: http://www.c-sharpcorner.com/UploadFile/4b0136/a/. However, it seems that Visual Studio does not check that the certificate is actually being trusted. Perhaps there’s a flag somewhere telling Visual Studio that the trust has been established at some point in history.

Therefore, you must trust the certificate manually, making sure that “IIS Express Development Certificate” (issued to localhost) exists in both the “Personal/Certificates” and the “Trusted Root Certification Authorities” containers.

Regenerating the Certificate

You may have to regenerate the development certificate. The easiest way is to repair or reinstall IIS Express, which regenerates the certificate and assigns it to all of the the HTTPS ports used by IIS Express (44300-44399). NOTE: in Windows 10 the Repair option is not available in the “Add or Remove Programs” view, you have to go in through the Control Panel.

Alternatively, you can get your hands dirty with manual certificate creation and using the netsh http or C:\Program Files (x86)\IIS Express\IisExpressAdminCmd commands.

• cd C:\Program Files (x86)\IIS Express
• IisExpressAdminCmd.exe setupsslUrl -url:https://localhost:<port_in_range_44300_to_44399>/ -UseSelfSigned

Here’s a few netsh commands for your pleasure:

• List assignments: netsh http show sslcert [ipport=0.0.0.0:<port_in_range_44300_to_44399>]
• Deassign cert from single port: netsh http delete sslcert [ipport=0.0.0.0:<port_in_range_44300_to_44399>]
• Assign cert to a single port: netsh http add sslcert ipport=0.0.0.0:<port_in_range_44300_to_44399> certhash=<cert_thumbprint_with_no_spaces> appid= {<some_generated_guid>}
• Clear certs from all IIS Express HTTPS ports: FOR /L %i IN (44300,1,44399) DO netsh http delete sslcert ipport=0.0.0.0:%i
• Assign cert for all IIS Express HTTPS ports: FOR /L %i IN (44300,1,44399) DO netsh http add sslcert ipport=0.0.0.0:<port_in_range_44300_to_44399> certhash=<cert_thumbprint_with_no_spaces> appid= {<some_generated_guid>}

Source: http://stackoverflow.com/questions/20036984/how-do-i-fix-a-missing-iis-express-ssl-certificate.

Trusting the Certificate

The easiest way to accomplish this is to browse to the site with Internet Explorer and installing the certificate from there. Instructions: https://blogs.msdn.microsoft.com/robert_mcmurray/2013/11/15/how-to-trust-the-iis-express-self-signed-certificate/.

You can also use mmc to export and import it to the appropriate container if you wish.