A call to SSPI failed, see inner exception - The Local Security Authority cannot be contacted

  • Question

  • I have a WPF app, which uses SSLStream to connect to a server and send/receive some messages. My code is largely based on this example (SslTcpClient): https://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v=vs.110).aspx.

    This worked fine for months. However, after getting this Windows update (Cumulative Update for Windows 10 version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016 - https://support.microsoft.com/en-us/kb/3163018), my app started to report this exception:

    System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The Local Security Authority cannot be contacted
       --- End of inner exception stack trace ---
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
       at MyAPP.Core.Services.Network.Impl.SslTcpClient.ClientSideHandshake()
       at MyAPP.Core.Services.Network.Impl.SslTcpClient.Connect()
       at MyAPP.Core.Services.Impl.MessageService.SendMessage(String message)

    What can I do?

    Monday, June 20, 2016 2:34 PM

Answers

  • I found the solution, but this is just a shortcut. This can be set in registry:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
    "ClientMinKeyBitLength"=dword:00000200

    However, you need to choose a 1024-bit DH cipher suite.


    • Proposed as answer by Fang Peng Wednesday, June 22, 2016 5:57 AM
    • Edited by mmilan08 Wednesday, June 22, 2016 11:30 AM
    • Marked as answer by mmilan08 Wednesday, June 22, 2016 4:52 PM
    Tuesday, June 21, 2016 4:52 PM

All replies

  • We're having the exact same issue here with a .NET 4.5 web app.
    Monday, June 20, 2016 4:54 PM
  • We're having the same problem with our app, which has worked correctly for years, after Windows 10 update 3163017.  Looking forward to any possible solution to this issue!
    Monday, June 20, 2016 9:45 PM
  • Windows 10

    The operative and common word here is Win 10, which is really not ready for primetime usage. Most companies wait for over a year or so before jumping on the new O/S bandwagon, to let the updates to the new O/S settle down.

    Tuesday, June 21, 2016 12:58 AM
  • This fixed it for us, but we're using a 2048-bit key, so I'm not sure why this setting would have any effect.  :(

    Edit: Strangely, setting the registry value to 1024 also doesn't work even though we're using a 2048-bit key. This has to be a Windows bug, no?

    Tuesday, June 21, 2016 5:07 PM
  • Here is detailed explanation of the problem: https://weakdh.org/. Your server accepts 512bit DH primes.
    • Edited by mmilan08 Tuesday, June 21, 2016 5:36 PM
    Tuesday, June 21, 2016 5:36 PM
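  • The registry workaround in the accepted answer and the weakdh.org explanation above both come down to one number: the bit length of the Diffie-Hellman prime the server sends in its ServerKeyExchange message. The script below is an added example, not code from this thread, from .NET or from Schannel. It parses a TLS 1.2 DHE ServerKeyExchange (RFC 5246, section 7.4.3), reports the prime size, and compares it with a ClientMinKeyBitLength threshold the way a client-side minimum check would: 1024 bits is the minimum the June 2016 update enforces, and the dword 0x200 from the answer is 512. The sample messages are constructed from moduli of the right bit length, not real DH groups, and their signature bytes are placeholders; the builder function exists only to produce that test input. Note that the check is on the DH group, not on the size of the RSA key in the server certificate, which is why a 2048-bit certificate does not help on its own.

```python
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12

# Minimum DH prime size Schannel accepts as a client after KB3163018.
SCHANNEL_DEFAULT_CLIENT_MIN_KEY_BITS = 1024
# The "ClientMinKeyBitLength"=dword:00000200 value from the accepted answer.
WORKAROUND_CLIENT_MIN_KEY_BITS = 0x200  # 512 bits


def _read_vector16(buf, pos):
    """Read an opaque <1..2^16-1> vector (2-byte length prefix); return (bytes, new_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n


def parse_dhe_server_key_exchange(msg):
    """Parse a TLS 1.2 ServerKeyExchange handshake message carrying ServerDHParams.

    Layout: type(1) len(3) | dh_p<2..> dh_g<2..> dh_Ys<2..> | hash(1) sig(1) signature<2..>
    Returns the prime bit length, generator, public value size and signature identifiers.
    """
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake length mismatch")
    pos = 0
    p, pos = _read_vector16(body, pos)
    g, pos = _read_vector16(body, pos)
    ys, pos = _read_vector16(body, pos)
    if pos + 2 > len(body):
        raise ValueError("missing SignatureAndHashAlgorithm")
    hash_alg, sig_alg = body[pos], body[pos + 1]
    pos += 2
    sig, pos = _read_vector16(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes after signature")
    return {
        "p_bits": int.from_bytes(p, "big").bit_length(),
        "g": int.from_bytes(g, "big"),
        "ys_bits": int.from_bytes(ys, "big").bit_length(),
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "sig_len": len(sig),
    }


def schannel_client_accepts(p_bits, client_min_key_bits=SCHANNEL_DEFAULT_CLIENT_MIN_KEY_BITS):
    """Mirror the client-side minimum: primes shorter than ClientMinKeyBitLength are rejected."""
    return p_bits >= client_min_key_bits


def build_server_key_exchange(p, g, ys, hash_alg=0x04, sig_alg=0x01, sig=b"\x00" * 128):
    """Construct a ServerKeyExchange for testing. hash 0x04/sig 0x01 = sha256/rsa;
    the signature is a placeholder, so the message is structurally valid but unsigned."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys) + bytes([hash_alg, sig_alg]) + struct.pack("!H", len(sig)) + sig
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed sample moduli: correct bit length, not real safe primes.
WEAK_512_P = (1 << 511) | 0x1AB      # the 512-bit "export" size weakdh.org describes
STRONG_2048_P = (1 << 2047) | 0x1AB


def assess(msg, client_min_key_bits=SCHANNEL_DEFAULT_CLIENT_MIN_KEY_BITS):
    """Parse the message and add whether a client with the given minimum would accept it."""
    info = parse_dhe_server_key_exchange(msg)
    info["accepted"] = schannel_client_accepts(info["p_bits"], client_min_key_bits)
    return info


if __name__ == "__main__":
    weak = build_server_key_exchange(WEAK_512_P, 2, WEAK_512_P >> 3)
    strong = build_server_key_exchange(STRONG_2048_P, 2, STRONG_2048_P >> 3)
    for label, m in (("512-bit DH", weak), ("2048-bit DH", strong)):
        for threshold in (SCHANNEL_DEFAULT_CLIENT_MIN_KEY_BITS, WORKAROUND_CLIENT_MIN_KEY_BITS):
            r = assess(m, threshold)
            print(f"{label}: p={r['p_bits']} bits, g={r['g']}, "
                  f"ClientMinKeyBitLength={threshold}: {'accepted' if r['accepted'] else 'rejected'}")
```

    Against a real server you do not need to capture the handshake by hand: `openssl s_client -connect host:port -cipher DHE` prints a "Server Temp Key: DH, N bits" line, and N is the same p_bits value the parser extracts. Lowering ClientMinKeyBitLength to 512 makes every Windows client on that machine accept weak groups from any server; reconfiguring the server to use a 2048-bit DH group, or an ECDHE suite, is the fix that does not weaken the client.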
  • Upgrading to the latest version of MySQL seems to have fixed the issue. Thanks!
    Tuesday, June 21, 2016 6:27 PM
  • Maybe, or maybe your server is using a DH cipher suite with less than 1024-bit parameters.
    Wednesday, June 22, 2016 11:31 AM
  • If you are using SslStream, then you need to explicitly set the TLS version in the AuthenticateAsClient call, for example:

    ssl.AuthenticateAsClient(url, null, SslProtocols.Tls12, false);
    Thursday, August 16, 2018 11:38 AM