0

I have a strange problem. I have an external dll that I have not built myself so have no access to the source code that makes calls to a web service of some kind over https and uses a .pfx certificate to authenticate. It seems to use a normal WebRequest.Create call. It works fine on my dev machine but when I move it to a QA machine (Azure VM) it fails with the error,

The request was aborted: Could not create SSL/TLS secure channel.

And in the event log it's,

A fatal error occurred while creating a TLS client credential. The internal error state is 10013

On the server (shared by lot's of other sites) I have checked the registry settings for

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

And 1.2 is enabled but all other protocols are disabled and no special settings under,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319

Now the fun part is that I have made a small console app that does the same thing as the website and it works fine on the server when I run it AND if I change the application pool user from the specified user to my own user that I use to connect to the server the web site also runs fine. I have not made any registry changes and I'm happy to try to get the hosting team to make the changes and try but first I want to try to understand how the application can work with one user but not with the other user if it's registry settings that are not user specific. Or if there can be another explanation for the issue.

EDIT: We run .NET Framework 4.7.2, both for the web site and the test console app.

tripleee
  • 175,061
  • 34
  • 275
  • 318
Viktor G
  • 3
  • 3
  • A security push in Jun this year disabled TLS 1.0/1.1 on servers. But client still default to older versions. It looks like the target Net is 4.0 which definitely doesn't support the encryption algorithms for TLS 1.2. The normal fix is to add at beginning of code ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; so client request TLS 1.2 only. Not sure if this will work since you are using a dll. – jdweng Dec 15 '20 at 17:15
  • What version of .NET Framework are you running? 4.5.2? Something before or after that? – mason Dec 15 '20 at 17:24
  • Decompile that assembly with a commercial tool like .NET Reflector, and then debug into it. I don't think there can be an easy answer without doing so. – Lex Li Dec 16 '20 at 01:30
  • This problem may be related to the .net framework, there is a similar problem on MSDN, you can refer to it: https://social.technet.microsoft.com/Forums/en-US/fd626e47-9ee7-41c5-b11a-ae696e3b6b5b/a-fatal-error-occurred-while-creating-a-tls-client-credential-the-internal-error-state-is-10013?forum=ws2016 – Ding Peng Dec 16 '20 at 01:47
  • We use Framework 4.7.2 and have tried with ServicePointManager but no success. But it's starting to feel like it's an file access issue (https://forums.iis.net/t/1233122.aspx). That would explain why it works with another user. – Viktor G Dec 16 '20 at 07:13

1 Answers1

0

After lots of Googling we finally found a solution here, https://www.windowstechupdates.com/solved-the-request-was-aborted-could-not-create-ssl-tls-secure-channel/. All that was needed was to change the setting Load User Profile on the application pool from False to True. The default value is True but for some reason it is set to False in our hosting environment.

More info here also What exactly happens when I set LoadUserProfile of IIS pool?

Viktor G
  • 3
  • 3