System.Security.Authentication.AuthenticationException

The token supplied to the function is invalid

Full exception looks like this:

System.Security.Authentication.AuthenticationException : A call to SSPI failed, see inner exception.
----> System.ComponentModel.Win32Exception : The token supplied to the function is invalid

Most likely your client tries to use TLS 1.2 but you are using old certificate on the server (e.g. signed using md5RSA algorithm).

There are 2 options for you:

  1. Regenerate the certificate (especially if it’s self-signed).
  2. Use older TLS/SSL version (TLS 1.1, TLS 1.0, SSL 3.0). You can force Mail.dll or Ftp.dll to use it using following code:

    using (XXX client = new XXX())
    {
        client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls11;
        //client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls; // TLS 1.0
        //client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Ssl3;
    
        client.ConnectSSL("host");
    
        client.Close();
    }
    
    

    Please contact your server administrator as TLS 1.1, TLS 1.0 and SSL 3.0 aren’t considered secure anymore.

The client and server cannot communicate, because they do not possess a common algorithm

Full exception looks like this:

System.Security.Authentication.AuthenticationException : A call to SSPI failed, see inner exception.
----> System.ComponentModel.Win32Exception : The client and server cannot communicate, because they do not possess a common algorithm

There are 2 possible scenarios:

  1. In most cases this means that the client is trying to use older SSL protocols like SSL 3.0, TLS 1.0 or TLS 1.1, but the remote server requires modern protocol – TLS 1.2.

    By default all our clients support TLS 1.2. Some older versions need to be told to use TLS 1.2, it is also a good practice to force TLS 1.2 only:

    using (XXX client = new XXX())
    {
        client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;
    
        client.ConnectSSL("host");
    
        client.Close();
    }
    
  2. Second option is the server is not supporting TLS 1.2 – you’ll need to use older protocol (TLS 1.1, TLS 1.0, SSL 3.0):
    using (XXX client = new XXX())
    {
        client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls11;
        // client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls; // TLS 1.0
        // client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Ssl3; 
    
        client.ConnectSSL("host");
    
        client.Close();
    }
    
  3. Please contact your server administrator as TLS 1.1, TLS 1.0 and SSL 3.0 aren’t considered secure anymore.

The message received was unexpected or badly formatted

Full exception looks like this:

System.Security.Authentication.AuthenticationException : A call to SSPI failed, see inner exception.
----> System.ComponentModel.Win32Exception : The message received was unexpected or badly formatted

This error generally means that something is incorrectly configured on your machine.

What you should try:

  1. Try forcing the latest TLS version (TLS 1.2):
    using (XXX client = new XXX())
    {
        client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;
    
        client.ConnectSSL("host");
    
        client.Close();
    }
    
  2. Use older TLS/SSL version (TLS 1.1, TLS 1.0, SSL 3.0). You can force Mail.dll or Ftp.dll to use it using following code:

    using (XXX client = new XXX())
    {
        client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls11;
        //client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls; // TLS 1.0
        //client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Ssl3;
    
        client.ConnectSSL("host");
    
        client.Close();
    }
    
    

    Please contact your server administrator as TLS 1.1, TLS 1.0 and SSL 3.0 aren’t considered secure anymore.

  3. Finally you can download IISCrypto and review “Schannel” and “Cipher Suites” tabs.

    For example we have seen clients that have TLS 1.0 turned on, but have TLS_RSA_WITH_3DES_EDE_CBC_SHA cypher suite turned off. If server requires this cypher, you’ll get this error message.

    Selecting “Best Practices” and restarting, should solve the issue.

    Please note that using TLS 1.2 and forcing your server administrator to enable TLS 1.2 is the only correct and secure way to go.

Tags: ,

Questions?

Consider using our Q&A forum for asking any questions.