WCF - authenticationMode="UserNameForSslNegotiated" for TLS 1.2

  • Question

  • Hi,

    I have WCF service calls which use the authentication mode "UserNameForSslNegotiated" (for secureConversationBootstrap) and which worked OK while TLS 1.0 was enabled on the server.

    When I disable TLS 1.0, leaving just TLS 1.2 or TLS 1.1 on the server, it fails.

    TLS 1.0 has been disabled with the Schannel registry changes (with the IIS Crypto tool).

    The error in the client is:

    "A fatal error occurred while creating an SSL client credential. The internal error state is 10013."

    In the stack trace we can see the following message received from the server (using System.ServiceModel):

           Message=The request for security token could not be satisfied because authentication failed.
           Source=System.ServiceModel

    We have set this authenticationMode to implement a "SecureConversation", and the "UserNameForSslNegotiated" one is set for secureConversationBootstrap.

    The authentication must be with SSL, and not over Transport. So, we cannot use "UserNameOverTransport" authentication.

    Thanks




    Friday, June 14, 2019 3:18 PM

All replies

  • Hi,
    So far as I know, the TLS protocol used in the communication needs OS and .NET Framework support.
    https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
    In most cases we needn't specify the TLS version; the OS will decide on the TLS version.
    The code below could specify the TLS version.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;


    Feel free to let me know if there is anything I can help with.
    Best Regards
    Abraham

    Monday, June 17, 2019 6:17 AM
    Moderator
  • Hi, 

    In the application we have specified the TLS version:

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    We can see using Wireshark that TLS 1.2 messages are sent between client and server, but at the end, in the server Event Viewer, we can see "A fatal error occurred while creating an SSL server credential. The internal error state is 10013."

    At the server, we have disabled SSL 3 and TLS 1.0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

    We have set "DisabledByDefault" to 1 and "Enabled" to 0 (for SSL 3 and TLS 1.0).

    Instead, TLS 1.1 and TLS 1.2 are enabled.

    We have also set:

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001

    "FIPS-compliant" is not set.

    Regards

    Monday, June 17, 2019 2:33 PM
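    The following audit script is an added example and not part of the thread: it reads the Schannel protocol keys and the two .NET Framework v4.0.30319 keys listed in the reply above and reports the effective state of each protocol per role, so the server-side settings described (Enabled = 0, DisabledByDefault = 1 for SSL 3 and TLS 1.0) can be confirmed on a machine. It assumes it is run locally with read access to HKLM and writes nothing.

```powershell
# Added audit script (not from the thread). Reads the Schannel protocol keys and
# the .NET Framework v4.0.30319 keys named in the reply above and reports the
# effective state of each protocol per role. Assumption: run locally with read
# access to HKLM; nothing is written.

$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Server', 'Client'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)
    $key = Join-Path $schannel "$Protocol\$Role"
    if (-not (Test-Path $key)) {
        # No key: Schannel uses the OS default for this protocol and role.
        return [pscustomobject]@{ Protocol = $Protocol; Role = $Role; State = 'OS default (key absent)' }
    }
    $p = Get-ItemProperty -Path $key
    # Enabled = 0 switches the protocol off; DisabledByDefault = 1 keeps it
    # available only when an application asks for it explicitly.
    $state = 'Enabled'
    if ($p.DisabledByDefault -eq 1) { $state = 'Disabled by default' }
    if ($p.Enabled -eq 0)           { $state = 'Disabled' }
    [pscustomobject]@{ Protocol = $Protocol; Role = $Role; State = $state }
}

function Get-DotNetTlsDefaults {
    # Both views matter: a 32-bit .NET process reads the WOW6432Node key.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            [pscustomobject]@{
                Key                      = $k
                SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions   # $null means not set
                SchUseStrongCrypto       = $p.SchUseStrongCrypto
            }
        }
    }
}

$schannelReport = foreach ($proto in $protocols) {
    foreach ($role in $roles) { Get-SchannelProtocolState -Protocol $proto -Role $role }
}
$schannelReport | Format-Table -AutoSize
Get-DotNetTlsDefaults | Format-List
```

    Run it on both the server and the client; the error in the thread is raised on whichever side finds no protocol that both its Schannel keys and its .NET version allow.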
  • Hi,
    Are you sure that the connection can be established with TLS 1.2? Do the server and client environments support the protocol? Moreover, if the environment (the prerequisite of server and client support for TLS) supports it, why does the default protocol use TLS 1.0? Thereby I suspect that we need to update the .NET Framework version or the OS to support TLS, such as .NET Framework 4.7.
    https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
    Best Regards
    Abraham
    Tuesday, June 18, 2019 2:48 AM
    Moderator
  • Thanks,

    We have seen the URL shown.

    Our server works with all TLS protocols (if all are enabled), but we want to disable TLS 1.0 at the server.

    In the server we have .NET Framework 4.7.2.

    In the client we have .NET Framework 4.0, so in the client we must define the values for SecurityProtocolType (to be Tls11 or Tls12).

    We could establish communication using TLS 1.1 or TLS 1.2 (as set in the client, when TLS 1.0 was enabled).

    We had defined a custom binding to define a "SecureConversation" with

    authenticationMode="UserNameForSslNegotiated" and messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">

    Why does this error appear at the server when TLS 1.0 is disabled?

    "A fatal error occurred while creating an SSL client credential. The internal error state is 10013."

    Regards


    Thursday, June 20, 2019 4:08 PM
    For the security mode of authentication, the client and server use certificate authentication. I think the communication protocol version might be hardcoded, which caused the problem, as mentioned in the official document.
    [quote]

    For WCF using .NET Framework 3.5 - 4.5.2 using TCP transport security with Certificate Credentials
    These versions of the WCF framework are hardcoded to use values SSL 3.0 and TLS 1.0. These values cannot be changed. You must update and retarget to NET Framework 4.6 or later versions to use TLS 1.1 and 1.2.

    [/quote]

    In order to exclude this, we could test it using the latest .NET Framework version on the client.

    Best Regards
    Abraham



    Friday, June 21, 2019 8:20 AM
    Moderator