Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
C# OAuth Call to login.MicrosoftOnline.com Results in TLS/SSL Error Sporadically
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 1%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Siward
0
Reputation points
Hi Microsoft Q&A,
I wrote a C# application that attempts to get an OAuth token from https://login.microsoftonline.com. The resulting access token is in turn used to call a Microsoft D365 Cloud application web service.
My problem is the my C# application is randomly throwing the below SSL error when it attempts to refresh the OAuth token from https://login.microsoftonline.com:
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The SSL error appears randomly. Some connections connect successfully, but others fail with an SSL certificate error.
It feels like login.microsoftonline.com is a load balanced server and one or more of its nodes has a different ssl that my system cannot accept. If my C# calls the correct server on the load balancer node, it connects fine, but if it happens to call the bad load balanced server node, it fails.
Azure API Management
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 65%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Pravallika KV 3,880 Reputation points Microsoft External Staff Moderator2025-12-02T18:27:00.26+00:00 Hi Siward,
Thanks for reaching out to Microsoft Q&A.
Looks like the application cannot establish a trust relationship with the SSL certificate, which is often due to the certificate validation procedure failing.
- Ensure that your application is using a modern TLS version. You can set the desired TLS protocol at the start of your application with the following code:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11; // or include Tls13 if supported- If the SSL certificate presented by
login.microsoftonline.comis self-signed or issued by a non-public CA, your application may not trust it. Make sure that the required root and intermediate certificates are part of the trusted store. - Since this issue appears sporadically, it might be due to load balancing where different endpoints could be using different certificates. Confirm that all nodes in your load balancing pool are presenting valid certificates from a trusted CA. If your application uses an internal load balancer or a reverse proxy, ensure that it is configured correctly not to terminate SSL connections prematurely.
- Check if your firewall, proxy server, or a similar network element could be interfering with SSL traffic or changing certificates mid-connection.
- Use tools like
curlorPostmanto test direct connectivity tohttps://login.microsoftonline.comfrom the environment where your application is running. This might give you insights into the response and any certificate issues:
curl -v https://login.microsoftonline.com -
Siward 0 Reputation points
2025-12-03T14:25:33.66+00:00 login.microsoftonline.com is run by microsoft. I was hoping someone knowledgeable of login server tell me what certificates it has and what certification paths are necessary. I tried opening the page manually using a browser from where my app sits but it never throws any SSL error. POSTMAN is simliar to a browser call. I difference is that I can control the HTTP method.
Perhaps I can bypass the load balancing and go directly to the server with the certificate that works. Again, someone knowledgeable of the microsoft login server should know.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 23%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Anurag Rohikar 3,185 Reputation points Microsoft External Staff Moderator2025-12-05T15:04:09.9166667+00:00 Hello Siward,
Thanks for the update! I’ve reached out to you via private message to help with a couple of environment-specific clarifications. Once we sort that out, I’ll share the findings back here for the benefit of others as well.
-
Siward 0 Reputation points
2025-12-10T21:10:27.38+00:00 I honestly don't know here that private message would appear.
-
Siward 0 Reputation points
2025-12-10T21:12:05.22+00:00 I see an email about a private message. I click on it login, but I don't see where the private messages are shown.
I hope you can give me your findings.
- What certification paths does the load balanced login.microsoftonline.com require? There is obviously more than one SSL certificate as I am getting randomly load balanced.
- Can I point to a specific login.microsoftonline.com server to skip the load balancing? I think I would put the IP address in my /etc/host/ file as the domain is coded in the SSL certificate.
-
Anurag Rohikar 3,185 Reputation points Microsoft External Staff Moderator
2025-12-11T05:10:54.3866667+00:00 Hello Siward,
please check below to access private message as the information is sensitive and cannot be shared on comments. I have reached out to you via private message.How to reply to a private message.
Sign in to comment
Sign in to answer