{"id":5148,"date":"2016-12-02T21:02:43","date_gmt":"2016-12-02T19:02:43","guid":{"rendered":"https:\/\/www.limilabs.com\/blog\/?p=5148"},"modified":"2017-02-15T16:00:08","modified_gmt":"2017-02-15T14:00:08","slug":"system-security-authentication-authenticationexception","status":"publish","type":"post","link":"https:\/\/www.limilabs.com\/blog\/system-security-authentication-authenticationexception","title":{"rendered":"System.Security.Authentication.AuthenticationException"},"content":{"rendered":"

.NET uses SChannel.dll as underlying SSL\/TLS implementation. SChannel is OS dependent and if incorrectly configured or configured to use only the latest TLS\/SSL versions, may lead to problems with TLS\/SSL negotiation. <\/p>\n

Please note that protocols that were considered secure some time ago, like SSL 3.0, are no longer considered secure. New OS updates may disable some protocols or cipher versions. On Windows this is done via registry settings.<\/p>\n

SSL version status<\/h2>\n
\n
  • SSL 2.0 was deprecated<\/strong> (prohibited) in 2011 by RFC 6176<\/a>.<\/li>\n
  • SSL 3.0 was deprecated<\/strong> by RFC 7568<\/a> in June 2015.
    \nAs of 2014 the 3.0 version of SSL is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL; and RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.<\/small><\/li>\n
  • The use of RC4 in TLS is prohibited<\/strong> by RFC 7465<\/a> published in February 2015.<\/li>\n<\/div>\n

    The token supplied to the function is invalid<\/h2>\n

    Full exception looks like this:<\/p>\n

    System.Security.Authentication.AuthenticationException :
    \nA call to SSPI failed, see inner exception.
    \n ----> System.ComponentModel.Win32Exception :
    \nThe token supplied to the function is invalid<\/code><\/p>\n

    Most likely your client tries to use TLS 1.2 but you are using old certificate on the server (e.g. signed using md5RSA algorithm). <\/p>\n

    There are 2 options for you:<\/p>\n

      \n
    1. Regenerate the certificate (especially if it’s self-signed).<\/li>\n
    2. \nUse older TLS\/SSL version (TLS 1.1, TLS 1.0, SSL 3.0). You can force Mail.dll or Ftp.dll to use it using following code:<\/p>\n
      \r\nusing (XXX client = new XXX())\r\n{\r\n    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls11;\r\n    \/\/client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls; \/\/ TLS 1.0\r\n    \/\/client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Ssl3;\r\n\r\n    client.ConnectSSL("host");\r\n\r\n    client.Close();\r\n}\r\n\r\n<\/pre>\n
      Please contact your server administrator as TLS 1.1, TLS 1.0 and SSL 3.0 aren’t considered secure anymore.\n<\/li>\n<\/ol>\n
      The client and server cannot communicate, because they do not possess a common algorithm<\/h2>\n
      Full exception looks like this:<\/p>\n
      System.Security.Authentication.AuthenticationException :
      \nA call to SSPI failed, see inner exception.
      \n  ----> System.ComponentModel.Win32Exception :
      \nThe client and server cannot communicate, because they do not possess a common algorithm<\/code><\/p>\n
      There are 2 possible scenarios:<\/p>\n
        \n
      1. \n
        In most cases this means that the client is trying to use older SSL protocols like SSL 3.0, TLS 1.0 or TLS 1.1, but the remote server requires modern protocol – TLS 1.2.<\/p>\n
        By default all our clients support TLS 1.2. Some older versions need to be told to use TLS 1.2, it is also a good practice to force TLS 1.2 only:<\/p>\n
        \r\nusing (XXX client = new XXX())\r\n{\r\n    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;\r\n\r\n    client.ConnectSSL("host");\r\n\r\n    client.Close();\r\n}\r\n<\/pre>\n<\/li>\n
      2. Second option is the server is not supporting TLS 1.2 – you’ll need to use older protocol (TLS 1.1, TLS 1.0, SSL 3.0):\n
        \r\nusing (XXX client = new XXX())\r\n{\r\n    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls11;\r\n    \/\/ client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls; \/\/ TLS 1.0\r\n    \/\/ client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Ssl3; \r\n\r\n    client.ConnectSSL("host");\r\n\r\n    client.Close();\r\n}\r\n<\/pre>\n
        Please contact your server administrator as TLS 1.1, TLS 1.0 and SSL 3.0 aren’t considered secure anymore.\n<\/li>\n<\/ol>\n
        The message received was unexpected or badly formatted<\/h2>\n
        Full exception looks like this:<\/p>\n
        System.Security.Authentication.AuthenticationException :
        \nA call to SSPI failed, see inner exception.
        \n  ----> System.ComponentModel.Win32Exception :
        \nThe message received was unexpected or badly formatted<\/code><\/p>\n
        This error generally means that something is incorrectly configured on your machine.<\/p>\n
        What you should try:<\/p>\n
          \n
        1. Try forcing the latest TLS version (TLS 1.2):\n
          \r\nusing (XXX client = new XXX())\r\n{\r\n    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;\r\n\r\n    client.ConnectSSL("host");\r\n\r\n    client.Close();\r\n}\r\n<\/pre>\n<\/li>\n
        2. \nUse older TLS\/SSL version (TLS 1.1, TLS 1.0, SSL 3.0). You can force Mail.dll or Ftp.dll to use it using following code:<\/p>\n
          \r\nusing (XXX client = new XXX())\r\n{\r\n    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls11;\r\n    \/\/client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls; \/\/ TLS 1.0\r\n    \/\/client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Ssl3;\r\n\r\n    client.ConnectSSL("host");\r\n\r\n    client.Close();\r\n}\r\n\r\n<\/pre>\n
          Please contact your server administrator as TLS 1.1, TLS 1.0 and SSL 3.0 aren’t considered secure anymore.\n<\/li>\n
        3. \nFinally you can download IISCrypto<\/a> and review “Schannel” and “Cipher Suites” tabs.<\/p>\n
          For example we have seen clients that have TLS 1.0 turned on, but have TLS_RSA_WITH_3DES_EDE_CBC_SHA cypher suite turned off. If server requires this cypher, you’ll get this error message.<\/p>\n
          Selecting “Best Practices” and restarting, should solve the issue. You may need to select additional protocol suites depending on what your server requires<\/p>\n
          Please note that using TLS 1.2 and forcing your server administrator to enable TLS 1.2 is the only correct and secure way to go.\n<\/li>\n<\/ol>\n
          One or more of the parameters passed to the function was invalid<\/h2>\n
          Full exception looks like this:<\/p>\n
          System.Security.Authentication.AuthenticationException:
          \nA call to SSPI failed, see inner exception.
          \n  ----> System.ComponentModel.Win32Exception:
          \nOne or more of the parameters passed to the function was invalid
          \n<\/code><\/p>\n
          This error generally means that you are trying to use TLS\/SSL protocol version that is not supported on your machine (most likely it was turned off, because it is no longer considered secure)<\/p>\n
          What you should try:<\/p>\n
            \n
          1. Try forcing the latest TLS version (TLS 1.2):\n
            \r\nusing (XXX client = new XXX())\r\n{\r\n    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;\r\n\r\n    client.ConnectSSL("host");\r\n\r\n    client.Close();\r\n}\r\n<\/pre>\n<\/li>\n
          2. \nUse older TLS\/SSL version (TLS 1.1, TLS 1.0, SSL 3.0). You can force Mail.dll or Ftp.dll to use it using following code:<\/p>\n
            \r\nusing (XXX client = new XXX())\r\n{\r\n    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls11;\r\n    \/\/client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls; \/\/ TLS 1.0\r\n    \/\/client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Ssl3;\r\n\r\n    client.ConnectSSL("host");\r\n\r\n    client.Close();\r\n}\r\n<\/pre>\n<\/li>\n
          3. \n
            Try to disable strong crypto using code:<\/p>\n
            \r\n      const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";\r\n      const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";\r\n      AppContext.SetSwitch(DisableCachingName, true);\r\n      AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true);\r\n<\/pre>\n
            -or- by using app.config file:<\/p>\n
            \r\n<configuration>\r\n    <runtime>\r\n        <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=true"\/>\r\n    <\/runtime>\r\n<\/configuration>\r\n<\/pre>\n
            ref: https:\/\/msdn.microsoft.com\/en-us\/library\/mt298998(v=vs.110).aspx<\/p>\n<\/li>\n
          4. \nFinally you can download IISCrypto<\/a> and review “Schannel” and “Cipher Suites” tabs.<\/p>\n
            Selecting “Best Practices” restarting, should solve the issue. You may need to select additional protocol suites depending on what your server requires<\/p>\n
            Please note that using TLS 1.2 and forcing your server administrator to enable TLS 1.2 is the only correct and secure way to go.<\/p>\n
            Please contact your server administrator as TLS 1.1, TLS 1.0 and SSL 3.0 aren’t considered secure anymore.\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
            .NET uses SChannel.dll as underlying SSL\/TLS implementation. SChannel is OS dependent and if incorrectly configured or configured to use only the latest TLS\/SSL versions, may lead to problems with TLS\/SSL negotiation. Please note that protocols that were considered secure some time ago, like SSL 3.0, are no longer considered secure. New OS updates may disable […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,4],"tags":[53,83],"class_list":["post-5148","post","type-post","status-publish","format-standard","hentry","category-ftp-dll","category-mail-dll","tag-ssl","tag-tls"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts\/5148"}],"collection":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/comments?post=5148"}],"version-history":[{"count":19,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts\/5148\/revisions"}],"predecessor-version":[{"id":5265,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts\/5148\/revisions\/5265"}],"wp:attachment":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/media?parent=5148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/categories?post=5148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/tags?post=5148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}