schannel Error reading client certificate (WCF 4.0 / .NET TCP / SSL)

  • Question

  • hi .. I've a client .NET 4.0 app that talks to IIS via net.tcp using transport security (SSL). It works on all customer computers but one (a W7 x64 machine). On that computer I get an exception during the first try to connect to the server:

    System.ServiceModel.Security.SecurityNegotiationException:
    The Local Security Authority cannot be contacted. --->
    System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception.
    ---> System.ComponentModel.Win32Exception: The Local Security Authority cannot be contacted
       --- Fine della traccia dello stack dell'eccezione interna ---
       in System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       in System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       in System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       in System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
       in System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
       --- Fine della traccia dello stack dell'eccezione interna ---

    Server stack trace:
       in System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
       in System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
       in System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
       in System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
       in System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
       in System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
       in System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
       in System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       in System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       in System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       in System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
       in System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       in System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
       in System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       in System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       in System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       in System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       in System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       in WKI.Cosmo.Interop.IWKIStreamDownload1.GetStream(StreamRequest1 StreamRequest)
       in WKI.Cosmo.Runtime.IWKIStream1_wcfproxy.GetStream(StreamRequest1 StreamRequest)
       in WKI.Cosmo.Components.WKIStreamDownloadProxy.GetDataAsTempFile(DownloadRequest pStreamRequest)
       in WKI.Cosmo.Components.WKIStreamDownloadProxy.GetDataAsStream(DownloadRequest pStreamRequest)
       in WKI.StartDSNet.SelfUpdate.pfCallIWKIStream(String pName, String pcurstartdsHash)
       in WKI.StartDSNet.SelfUpdate.pfCheckForUpdate(String pstartdsPath, DownloadAsStreamResponse& pExeDownloadAsStreamResponse, DownloadAsStreamResponse& pConfigDownloadAsStreamResponse)
       in WKI.StartDSNet.SelfUpdate.UpdateMeIfRequired(Boolean& pExitProcess)
       in WKI.StartDSNet.PrivateProgram.PrivateMain(String[] args)


    I've looked at the event log after raising the schannel logging level, and this is what I get.

    First this entry: The SSL client credential's private key has the following properties:

       CSP name: Microsoft Strong Cryptographic Provider
       CSP type: 1
       **Key name: {45824E5B-9AD0-40D4-B132-C61D6857EFA9}**
       **Key Type: unknown**
       Key Flags: 0x0

     The attached data contains the certificate.
    ------------
    and then in the next entry
    The following fatal alert was generated: 80. The internal error state is 301.

    .. on a working machine the first entry is different:
    The SSL client credential's private key has the following properties:

       CSP name: Microsoft Strong Cryptographic Provider
       CSP type: 1
       **Key name: {4632A94F-5C6F-477F-A326-6BAE58AFC4B0}**
       **Key Type: key exchange**
       Key Flags: 0x0

     The attached data contains the certificate.
    ----
    and then the next entry is:
    An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.

       Protocol: TLS 1.0
       CipherSuite: 0x2f
       Exchange strength: 1024
    -----------------

    Note that where it works the log says "Key Type: key exchange", while where it does not work it says "Key Type: unknown".
    **Additionally, the Key name value is different ??**

    The certificate (with its private key) I'm providing is supposed to be the same since it is embedded into the exe itself as a resource.

    I tried reinstalling the .NET FW 4.0 but it does not help ...

    What should I check?
    Thank you

     enrico sabbadin

    Thursday, January 10, 2013 12:45 PM

All replies

  • Try 3 things:

    1) Check IE menu Tools : Internet Options : Advanced, in the security section, and make sure TLS is checked.

    2) Try connecting manually with IE and see if there are any error messages.

    3) Uninstall the application. Go into the registry and delete the bad entry. Then reinstall the application.


    jdweng

    Thursday, January 10, 2013 5:59 PM
  • 1: already done .. TLS is checked

    2: the app exposes a net.tcp binding, not an HTTP binding, so I cannot point to it with IE .. however I verified that with IE I can reach HTTPS sites

    3: what bad entry are you talking about?

    Thursday, January 10, 2013 10:26 PM
  • I tried responding yesterday but the Microsoft forums weren't working. The bad entry I was referring to is the following: **Key name: {4632A94F-5C6F-477F-A326-6BAE58AFC4B0}**

    Did you ever install an earlier version of your application at the customer that isn't working? I think you may need to go to Control Panel and uninstall the application and then reinstall. The key number is part of the project properties under: Application : Assembly Number. The key number you are using may already be used by another application on your customer's PC.

    The following error is interesting: "80. The internal error state is 301."

    We have an SQL Server install at work and initially, when it wasn't configured properly to port 8080, we were getting a similar error reporting that port 80 wasn't found. HTTP is supposed to use either 8000 or 8080. I'm suspecting that a firewall (or virus checker) may be blocking the port number.


    jdweng

    Friday, January 11, 2013 12:31 PM
  • Key name: {4632A94F-5C6F-477F-A326-6BAE58AFC4B0}

    AND

    The following error is interesting: "80. The internal error state is 301."

    come from the schannel logs .. So I doubt that 80 has to do with a TCP port, and I doubt the key name has to do with installation issues.

    As I said, the schannel event log says "Key Type: key exchange" where it works, while where it does not work it says "Key Type: unknown". Additionally, in the logs the Key name value is also different.

    This is clearly a sign that something is wrong at the encryption level when reading the client certificate, but I have no idea what it is.

    Friday, January 11, 2013 1:03 PM
  • Has anyone figured out this issue yet? I'm having a similar issue and it's driving me crazy!

    The first schannel log entry is this:

    CSP Name: Microsoft Strong Cryptographic Provider

      CSP Type: 1
      Key Name: xxxxx
      Key Type: unknown
      Key Flags: 0x20

    The second schannel log entry is this fatal error:

    Getting schannel TLS fatal alert 80. The internal error state is 301.

    The third schannel log entry is:

    An SSL Client handshake completed successfully. the negotiated cryptographic parameters are as follows
    Protocol: TLS 1.0
    Ciphersuite: 0x2f
    Exchange Strength: 2048

    So this fatal error is breaking my logic. I don't understand why it's being thrown when the SSL handshake is then completed successfully.

    Please help!!!!

    Thanks

    Tuesday, April 21, 2015 4:25 PM
  • Hi,

    in my case the real origin of the error was an access denied on the file system (in some folder inside %appdata% of the user .. if I remember well).

    We couldn't find the reason why the permissions were not the default ones on the folder (an antivirus?) .. we just changed them and everything worked fine.

    Fire up Sysinternals Process Monitor and look for access denied errors on the file system received by the process that is getting the error.

    Find what folder/file is giving the access denied error and modify its permissions accordingly.

    HTH

    Enrico sabbadin

    Tuesday, April 28, 2015 8:00 AM
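  • Added diagnostic script (not from the thread and not part of the poster's application) that automates the check the last reply describes: it probes whether the current user can write to the CAPI key-container folders, then loads the client certificate and tries to open its private key, reporting the same CSP name / key container / key type fields that schannel writes to the event log. It assumes the certificate plus private key is available as a PFX at `$PfxPath` with password `$PfxPassword` (both placeholders); the poster's app embeds the PFX as an exe resource instead, but loading from bytes goes through the same CSP key-container path, so the checks apply unchanged. It also assumes Windows PowerShell 5.1 on .NET Framework, where `X509Certificate2.PrivateKey` is an `RSACryptoServiceProvider` that exposes `CspKeyContainerInfo`.

```powershell
<#
  Added diagnostic, not code from the thread or the poster's application.
  Placeholders / assumptions:
    - $PfxPath / $PfxPassword: client certificate with private key as a PFX
    - Windows PowerShell 5.1 on .NET Framework (CAPI key containers)
#>
param(
    [string]$PfxPath     = 'C:\placeholder\client.pfx',   # placeholder
    [string]$PfxPassword = ''                              # placeholder
)

function Test-KeyContainerDirectory {
    param([string]$Dir)
    # The CSP must create and write a key-container file here when a PFX with a
    # private key is loaded, so probe exactly that: create and delete a temp file.
    if (-not (Test-Path -LiteralPath $Dir)) {
        Write-Warning "Key container directory missing: $Dir (the CSP will try to create it); probing the parent"
        $Dir = Split-Path -Parent $Dir
    }
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        Write-Host "OK: current user can create files in $Dir"
        return $true
    } catch {
        Write-Warning "Cannot create a file in ${Dir}: $($_.Exception.Message)"
        Write-Host "Current ACL of ${Dir}:"
        (Get-Acl -LiteralPath $Dir).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
        return $false
    }
}

# 1. Per-user CAPI RSA key containers live under the user's roaming profile
#    (the %appdata% folder the last reply mentions); machine keys under ProgramData.
$sid        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$userKeyDir = Join-Path $env:APPDATA     "Microsoft\Crypto\RSA\$sid"
$machKeyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$userDirOk  = Test-KeyContainerDirectory $userKeyDir
$null       = Test-KeyContainerDirectory $machKeyDir

# 2. Load the PFX the way a client app would and try to open the private key.
#    A denied key-container write surfaces here as a CryptographicException,
#    before WCF/schannel ever report "The Local Security Authority cannot be contacted".
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
} catch {
    Write-Warning "Could not load certificate from ${PfxPath}: $($_.Exception.Message)"
    return
}

if (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate $($cert.Thumbprint) carries no private key"
    return
}

try {
    $info = $cert.PrivateKey.CspKeyContainerInfo
    # KeyNumber 'Exchange' corresponds to the "Key Type: key exchange" line the
    # working machine logged; the failing machine in the thread logged "unknown".
    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        CspName          = $info.ProviderName
        CspType          = $info.ProviderType
        KeyContainerName = $info.KeyContainerName
        UniqueContainer  = $info.UniqueKeyContainerName   # file name under the RSA folder
        KeyType          = $info.KeyNumber
        MachineKeyStore  = $info.MachineKeyStore
    } | Format-List
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Warning "Private key exists but cannot be opened: $($_.Exception.Message)"
    if (-not $userDirOk) {
        Write-Warning "Restore the default permissions on $userKeyDir (or its parent) and retry."
    }
}
```

    Run it as the same user account the failing application runs under; a permissions problem on the key-container folder is per-user, so running it elevated or as a different account will hide the fault. If the folder probe fails, compare the printed ACL against a working machine before changing it, and keep Process Monitor as the confirmation that the application process is the one receiving the access-denied result.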