Authentication failed because the remote party sent a TLS alert when invoking a 3rd party API - asp.net

I have a Blazor Server Application that is invoking a 3rd party API using IHttpClientFactory. When I execute the calling code on my local Windows 11 machine I receive the exception below. However, if I run the same code from an Azure Web App, the API is called successfully.
Error: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: '112'.
I have attempted setting the Security protocol to TLS1.2 using the ServicePointManager, however, this does not make a difference. I have run Wireshark to glean some additional information, but all I can see is that my machine is initiating the call with TLS 1.2.
Does anyone have an idea as to why my code works in Azure, but not in my local development environment?

According to the behavior in the Azure Web App, I think the issue should be related to the environment.
And if you have a PC with another OS version, you can test it, and it should work normally.
And I found the workaround in Win11. You can add the registry key and remove the code that sets the protocol to TLS 1.2, and the TLS handshake worked from your Windows 11 system.
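
As an added example (not part of the original posts): a small Node.js decoder for the plaintext TLS alert record that a capture like the Wireshark one mentioned in the question would contain. Alert description 112 is `unrecognized_name` (RFC 6066), which relates to the server name the client sent in the handshake; the function name `findTlsAlerts` and the sample bytes are constructed for illustration.

```javascript
// Added example: find plaintext TLS alert records in captured bytes.
const ALERTS = {
  0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
  40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
  48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
  80: "internal_error", 112: "unrecognized_name", 120: "no_application_protocol",
};
const LEVELS = { 1: "warning", 2: "fatal" };

// Walks a server-to-client byte stream record by record (5-byte header:
// content type, version major/minor, 16-bit length) and decodes alerts.
function findTlsAlerts(stream) {
  const alerts = [];
  let off = 0;
  while (off + 5 <= stream.length) {
    const type = stream[off];
    const major = stream[off + 1];
    const len = stream.readUInt16BE(off + 3);
    if (type < 20 || type > 24 || major !== 3) {
      throw new Error(`no TLS record header at offset ${off}`);
    }
    if (off + 5 + len > stream.length) break; // capture ends mid-record
    if (type === 21) {
      if (len === 2) {
        const code = stream[off + 6];
        alerts.push({
          offset: off,
          level: LEVELS[stream[off + 5]] || "unknown",
          code,
          description: ALERTS[code] || "unlisted",
        });
      } else {
        // After ChangeCipherSpec a TLS 1.2 alert is encrypted and longer than 2 bytes.
        alerts.push({ offset: off, level: "encrypted", code: null, description: null });
      }
    }
    off += 5 + len;
  }
  return alerts;
}

// Constructed sample: one handshake record (ServerHelloDone) followed by a
// fatal alert with description 112, the code quoted in the exception above.
const SAMPLE = Buffer.from("1603030004" + "0e000000" + "1503030002" + "0270", "hex");
console.log(findTlsAlerts(SAMPLE));
```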

Related

The SSL connection could not be established

I am using a third party library (MinIO dotnet SDK) in my .NET application. I successfully send the requests on localhost, but once published on the IIS server, the requests are met with the following error.
MinIO API responded with message=Connection error:The SSL connection could not be established, see inner exception.. Status code=0, response=The SSL connection could not be established, see inner exception., content=
Same problem here this week.
We had to install the (root) certificate we used for our minio/S3 server on the machine we ran our application on.
If you don't want to use SSL, you have to use MinioClient.WithSsl(false).

Specific IIS user not working with TLS 1.2

We have run into a problem with IIS, TLS 1.2 and domain users. I searched SO and other forums, but all possibly related topics didn't lead me to a solution.
Please don't judge the configuration, it wasn't invented by me, I just need to solve this problem.
What happens is the following:
We have an old web application, that opens an executable with Process.Start and that executable calls an external webservice. This used to work fine with TLS 1.0, but in the near future, the external webservice demands TLS 1.2.
So now we are trying to make this work, and we are almost there: we upgraded the executable's .Net Framework version to 4.7.2 and enabled TLS 1.2 on the Windows Server 2008 R2. The web app's .Net Framework version is set to 4.6.1. It seems to me that this should be everything there is to it.
And indeed, when we run the executable stand alone (not called by the web app) from the server, so owned by the domain user logged on to the server (with RDP), everything works as expected; we receive the proper answer from the web service.
Also, when we call the executable from the web app and in IIS the application pool identity is set to a built-in account, ApplicationPoolIdentity, everything works as expected as well.
But, when we set the application pool identity to a dedicated domain account (so a different one than the one that executed the executable earlier), the trouble begins. Connecting the web service fails with the following exception:
System.ServiceModel.EndpointNotFoundException: There was no endpoint
listening at https://<some url>/<some webservice name>.asmx that could
accept the message. This is often caused by an incorrect address or
SOAP action. See InnerException, if present, for more details. --->
System.Net.WebException: Unable to connect to the remote server
---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a
period of time, or established connection failed because connected
host has failed to respond ...
Now the question is of course, what could be causing this?
I like to believe that the failing domain account is configured correctly, but it seems it is not. Or could it be something else, that I don't even know the existence of...
EDIT:
I managed to narrow it down to a permissions issue: when the dedicated domain account runs the application stand alone, it works as it should. When the dedicated account runs it from within the IIS context (started by the web app), it doesn't work, but when the dedicated account is given admin rights, it also works as expected.
That leaves me to the question: what additional permissions does IIS need to allow this setup? Maybe in combination with TLS 1.2 thingies.
Any help would be greatly appreciated.

Microsoft EDGE - Security certificate required to access this resource is invalid

We are getting following error in Microsoft EDGE in our Dev environment when we run our ASP.NET Application Hosted in IIS 8 in Windows 2012 R2 Server.
Error:
XMLHttpRequest: Network Error 0x800c0019, Security certificate required to access this resource is invalid.
Following are more details about implementations and environments.
Our application runs on 2 different secured ports (HTTPS). In IIS both apps are hosting as different Web Applications and using same certificate. The certificate is generated using OpenSSL SHA2 encryption and it has been added in Secured Certificate Store.
From Microsoft EDGE, when we first load our application, it issues a certificate warning message, and we are allowing it to proceed. Once the page is loaded, on a button click we are calling an API using an AJAX call, and that is hosted on a different port.
In EDGE it is not allowing to proceed that API and giving above mentioned error.
In Chrome and IE 11 also, we are getting same warning message but from there it is allowing to execute next API.
Any help would be appreciated to fix the issue.
If you know your certificate is valid, a possible reason this might happen is if you have a tool running in the background somewhere that hijacks the SSL connections through a proxy, such as Fiddler.
Since such a tool is effectively using a man-in-the-middle attack to report the requests, the warnings are "normal". It's pretty easy to forget they're running, too.

SocketException: No connection could be made because the target machine actively refused it XX.XXX.XX.XXX:443

I have 2 servers with two equal WCF services hosted on them and one client application server. I can connect to the endpoints and send requests to both services using a test WCF client app (.NET Web Service Studio) from my local machine successfully. But when I try to connect from the client application server using the same test WCF client app, I successfully connect to only one WCF service server, and I get an error when connecting to the other one:
System.Net.WebException: There was an error downloading 'https://XXX/XXX?wsdl'. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it XX.XXX.XX.XXX:443
I performed netstat -an | find "443" command in command prompt on the client server and on my local machine to find out the difference and here what I have got:
1. On my local machine:
2. On the client app server:
What I already tried to do on client application server is:
- turned off firewall;
- stopped windows firewall service
- uninstalled mcafee virusscan enterprise application.
(I tried to set "prevent mass mailing worms from send mail" first, but McAfee was in a foreign language that I don't understand, so I just uninstalled it)
after running command netstat -aon | findstr "443" on client application server I have got this result:
but I still got an error.
Does anybody know how to solve this issue?
Could be the problem on the wcf service server side?
The solution was a predictably simple one: the firewall was blocking the port,
but it's important to notice that the issue was caused by the firewall on the WCF service server side, not on the client application server, which is making the request to that service.
I asked the technical support of that server, and they made firewall changes.
After that the error disappeared.
I faced the same issue and tried different ways to fix this. Nothing worked. Later I found the issue: the application I tried to run is https, and in my IIS the https binding was not created. I created an https binding for the website and it works.

XSockets.net azure websites

I'm running my ASP.NET Web API app locally with xsockets without any problems. When I publish the project to Azure, it won't connect. I enabled websockets for Azure and adjusted the xsockets url on the client side
from:
conn = new XSockets.WebSocket("ws://localhost:50838/api/Chat");
to:
conn = new XSockets.WebSocket("ws://.azurewebsites.net/api/Chat");
Any suggestions?
Arnoud
XSockets passes in the subprotocol 'XSocketsNET' by default and for some reason Azure is filtering this away in the response. It works fine in emulation but on Azure the sub-protocol is removed. This causes errors in Chrome since chrome checks the subprotocol giving the error below:
WebSocket connection to 'ws://xmvc.azurewebsites.net/Home' failed: Error during WebSocket handshake: Sent non-empty 'Sec-WebSocket-Protocol' header but no response was received
It works fine in other browsers that do not perform this check. I've tried IE10 and Firefox on this sample site running XSockets on an Azure WebSite.
In my opinion Chrome is doing the correct thing and Azure has a bug.
EDIT:
Be aware of the fact that Azure WebSites limits websocket connections!!!
Free site: 5 connections
Shared site: 35 connections
Standard site: 350 connections
According to Microsoft, using WebSockets over Wss / Https will do the trick. I just did a test and the result is still the same.
Most likely the "unnecessary" sub-protocol header is removed from the response even if you pass it from the server during the handshake.
So, you cannot rely on the SubProtocol when using Windows Azure, it seems?
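
The check discussed in this thread, as an added example that is not part of the original posts: a client-side validation of the handshake response against the subprotocols the client offered. With `strict` set it models the behaviour the answer reports for Chrome (offered a subprotocol, got none back, fail); without it, the browsers the answer says connected anyway. The names `parseResponse` and `checkSubprotocol` and both sample responses are constructed; the Sec-WebSocket-Accept hash is not verified here.

```javascript
// Added example: validate the Sec-WebSocket-Protocol answer in a handshake response.
// Splits a raw HTTP response into its status code and lower-cased header map.
function parseResponse(raw) {
  const [statusLine, ...lines] = raw.split("\r\n\r\n")[0].split("\r\n");
  const status = Number(statusLine.split(" ")[1]);
  const headers = new Map();
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return { status, headers };
}

// requested: subprotocols the client sent; returns { ok, protocol, reason }.
function checkSubprotocol(requested, rawResponse, strict = true) {
  const { status, headers } = parseResponse(rawResponse);
  if (status !== 101) {
    return { ok: false, protocol: null, reason: `status ${status}, expected 101` };
  }
  if ((headers.get("upgrade") || "").toLowerCase() !== "websocket") {
    return { ok: false, protocol: null, reason: "missing Upgrade: websocket" };
  }
  const chosen = headers.get("sec-websocket-protocol") || "";
  if (chosen === "") {
    // The case from the thread: header offered by the client, absent in the response.
    if (requested.length > 0 && strict) {
      return { ok: false, protocol: null, reason: "subprotocol offered but none returned" };
    }
    return { ok: true, protocol: null, reason: "no subprotocol negotiated" };
  }
  if (!requested.includes(chosen)) {
    return { ok: false, protocol: chosen, reason: "server chose a subprotocol that was not offered" };
  }
  return { ok: true, protocol: chosen, reason: "subprotocol agreed" };
}

// Constructed responses: one as the server wrote it, one with the header removed in transit.
const BASE = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n" +
  "Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n";
const FULL = BASE + "Sec-WebSocket-Protocol: XSocketsNET\r\n\r\n";
const STRIPPED = BASE + "\r\n";

console.log(checkSubprotocol(["XSocketsNET"], FULL));
console.log(checkSubprotocol(["XSocketsNET"], STRIPPED));
console.log(checkSubprotocol(["XSocketsNET"], STRIPPED, false));
```

In the lenient case the connection opens with `protocol` set to null, so a client that depends on the subprotocol should check the negotiated value before using the socket.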
