41

I have a WPF app which uses SSLStream to connect to a server and send/receive some messages. My code is largely based on this example (SslTcpClient): https://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v=vs.110).aspx.

This worked fine for months. However, after installing this Windows update (Cumulative Update for Windows 10 version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016 - https://support.microsoft.com/en-us/kb/3163018), my app started to report this exception:

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The Local Security Authority cannot be contacted
   --- End of inner exception stack trace ---
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at MyAPP.Core.Services.Network.Impl.SslTcpClient.ClientSideHandshake()
at MyAPP.Core.Services.Network.Impl.SslTcpClient.Connect()
at MyAPP.Core.Services.Impl.MessageService.SendMessage(String message)

What can I do?

Milan M.
    We're having the same issue after this update on our Windows 10 machines. We're using the MySQL .NET Connector connecting to a remote MySQL DB over SSL. – Jon Tackabury Jun 20 '16 at 17:35
  • Jon, have you found a solution ? I'm having the same problem with connecting to a MySQL DB. – Yaniv Hakim Apr 29 '18 at 15:06

7 Answers

34

This means the other side is using another version of TLS and you are using an older version.
Set the security attribute to TLS12 before making the connection. This is a widely known problem, as many providers have started using TLS12 (e.g. PayPal, Amazon and so on).

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Seymour
Serg Shevchenko
11

Here is the solution; set this in the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000200

as noted here

Seybsen
Milan M.
  • [This link](https://support.microsoft.com/en-us/help/3061518/ms15-055-vulnerability-in-schannel-could-allow-information-disclosure-may-12,-2015) is a reference to the MS Technical discussion for why DH 512 support was removed. – Norman H May 02 '17 at 20:33
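The registry value in this answer lowers the Schannel client minimum for Diffie-Hellman back to 512 bits, which is exactly what the update linked in the comment removed, so a practitioner usually wants to know whether a machine has been weakened this way and, longer term, to have the server offer 1024-bit-or-larger DH groups (or ECDHE) instead. The following C# audit is an added example, not code from the question or any answer. It assumes the key path and the ClientMinKeyBitLength value name from the answer plus its server-side counterpart ServerMinKeyBitLength, and treats any explicit value below 1024 bits as weakened.

```csharp
// Added example: audit the Schannel Diffie-Hellman minimum key length values.
// Key path and value names follow the registry answer above; 1024 bits is the
// threshold the update in this thread raised the client minimum to.
using System;
using Microsoft.Win32;

static class DhMinKeyLengthAudit
{
    const string KeyPath =
        @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman";
    const int HardenedMinimumBits = 1024;

    // Returns the configured minimum in bits, or null when the key or value is
    // absent (absent means the operating-system default applies).
    public static int? ReadMinimum(string valueName)
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath))
        {
            if (key == null) return null;
            object raw = key.GetValue(valueName);   // REG_DWORD comes back as int
            return raw is int bits ? bits : (int?)null;
        }
    }

    // Defender's reading of the value: an explicit setting below 1024 bits
    // re-enables the small DH groups the update disabled.
    public static string Classify(int? bits)
    {
        if (bits == null) return "not set (OS default applies)";
        return bits < HardenedMinimumBits
            ? $"{bits} bits: WEAKENED below {HardenedMinimumBits} (small DH groups re-enabled)"
            : $"{bits} bits: OK";
    }

    static void Main()
    {
        foreach (string name in new[] { "ClientMinKeyBitLength", "ServerMinKeyBitLength" })
            Console.WriteLine($"{name}: {Classify(ReadMinimum(name))}");
    }
}
```

Run it on the affected workstation after applying the registry change and again after the server has been fixed; once the server offers strong DH groups the value can be deleted so the default applies.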
4

If you are using SslStream, then you need to explicitly set the TLS version in the AuthenticateAsClient call, for example:

ssl.AuthenticateAsClient(url, null, SslProtocols.Tls12, false);
Fiach Reid
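This answer and the first one fix different layers: ServicePointManager.SecurityProtocol governs HttpWebRequest and other ServicePoint-based clients, while a raw SslStream only honours the protocol passed to AuthenticateAsClient. The client below is an added example, not the question's SslTcpClient or any answer's code; it pins the handshake to TLS 1.2 the way this answer shows, keeps certificate validation strict instead of accepting every certificate, and unwraps the inner Win32Exception so the SSPI detail from the question ("The Local Security Authority cannot be contacted") is visible in logs. The host and port are assumptions.

```csharp
// Added example: SslStream client handshake pinned to TLS 1.2 with strict
// certificate validation and useful diagnostics on failure.
using System;
using System.ComponentModel;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class Tls12Client
{
    // Strict validation: only chains the OS trusts and that match the host name.
    // Returning true unconditionally here would disable server authentication.
    static bool ValidateServerCertificate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine($"Certificate rejected: {errors}");
        return false;
    }

    public static SslStream Connect(string host, int port)
    {
        var client = new TcpClient(host, port);
        // leaveInnerStreamOpen = false, so disposing the SslStream closes the socket.
        var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
        try
        {
            // No client certificates, TLS 1.2 only, revocation checked.
            ssl.AuthenticateAsClient(host, null, SslProtocols.Tls12, checkCertificateRevocation: true);
            Console.WriteLine($"Negotiated {ssl.SslProtocol}, cipher {ssl.CipherAlgorithm}, " +
                              $"key exchange {ssl.KeyExchangeAlgorithm} ({ssl.KeyExchangeStrength} bits)");
            return ssl;
        }
        catch (AuthenticationException ex)
        {
            // The SSPI detail lives in the inner Win32Exception; surface it before rethrowing.
            var native = ex.InnerException as Win32Exception;
            Console.Error.WriteLine(native != null
                ? $"Handshake failed (Win32 0x{native.NativeErrorCode:X8}): {native.Message}"
                : $"Handshake failed: {ex.Message}");
            ssl.Dispose();
            throw;
        }
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "example.com";   // assumed host
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;     // assumed port
        using (SslStream ssl = Connect(host, port))
        {
            // Send and receive application messages over ssl here.
        }
    }
}
```

The KeyExchangeStrength printed on success is the quickest way to confirm whether the server still offers a DH group smaller than the 1024-bit minimum the update enforces, which is the root cause of the question's error rather than the TLS version.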
0

I got this exception when using C# to connect to an Oracle database using Oracle.ManagedDataAccess.dll:

Oracle.ManagedDataAccess.Client.OracleException (0x80004005): Oracle Cannot connect to Server or cannot parse connection string ---> OracleInternal.Network.NetworkException (0x80004005): Oracle : Oracle Cannot connect to Server or cannot parse connection string ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: No credentials are available in the security package
   --- End of inner exception stack trace ---
   at System.Net.Security.NegoState.StartSendAuthResetSignal(LazyAsyncResult lazyResult, Byte[] message, Exception exception)
   at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
   at ............

After a long time searching and trying, I finally found that this answer works: add a settings section and set name="SQLNET.AUTHENTICATION_SERVICES" value="" in app.config:

<oracle.manageddataaccess.client>
  <version number="*">
    <dataSources>
      <dataSource alias="SampleDataSource" descriptor="(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=ORCL))) "/>
    </dataSources>
    <settings>
      <setting name="SQLNET.AUTHENTICATION_SERVICES" value=""/>
    </settings>
  </version>
</oracle.manageddataaccess.client>

Following the reference link in the answer above, you can go one step further: setting

SQLNET.AUTHENTICATION_SERVICES= ()

in your sqlnet.ora in the Oracle Client folder also works.

yu yang Jian
0

I was getting a similar exception while connecting to a MySQL database hosted at Hostinger from a desktop app (.NET).

I added SslMode=None; to the connection string and everything started working fine.

janw
-1

Add these lines before your Web request:

const SslProtocols _Tls12 = (SslProtocols)0x00000C00;
const SecurityProtocolType Tls12 = (SecurityProtocolType)_Tls12;
ServicePointManager.SecurityProtocol = Tls12;
T.S.
-2

Try adding servicePrincipalName to your client App.config file:

<client>
 <endpoint ............................
  <identity>
  <servicePrincipalName/>
  </identity>
 </endpoint>
</client>