WCF“对 SSPI 的调用失败，请参阅内部异常”

Posted 2023-04-12

【中文标题】WCF“对 SSPI 的调用失败，请参阅内部异常”

【英文标题】：WCF "A call to SSPI failed, see inner exception"

【发布时间】：2016-04-10 14:14:25

【问题描述】：

我们有一个使用 WCF 的现有系统，并且一直运行良好，直到昨天它突然停止在我的机器和另一台开发人员机器上运行。

我已在客户端配置中设置系统诊断以写入跟踪文件，我们看到以下异常：

Throwing an exception 

**Basic Information**

Activity Name           Receive bytes on connection 'net.tcp://localhost:8004/'.
Time                    2016-01-06 13:38:45.3958
Level                   Error
Source                  System.ServiceModel
Process                 NServiceBus.Host
Thread                  219
Computer                RL-ZORO-LPT
Trace Identifier/Code   http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx


**Exception**

System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    System.Security.Authentication.AuthenticationException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
         System.ComponentModel.Win32Exception, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Exception Type: System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Message: A call to SSPI failed, see inner exception.

Stack Trace:  System.ServiceModel.Channels.StreamSecurityUpgradeAcceptorAsyncResult.CompleteAuthenticateAsServer(IAsyncResult result)
              System.ServiceModel.Channels.StreamSecurityUpgradeAcceptorAsyncResult.OnAuthenticateAsServer(IAsyncResult result)
              System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
              System.Net.LazyAsyncResult.Complete(IntPtr userToken)
              System.Net.LazyAsyncResult.ProtectedInvokeCallback(Object result, IntPtr userToken)
              System.Net.Security.SslState.FinishHandshake(Exception e, AsyncProtocolRequest asyncRequest)
              System.Net.Security.SslState.ReadFrameCallback(AsyncProtocolRequest asyncRequest)
              System.Net.AsyncProtocolRequest.CompleteRequest(Int32 result)
              System.Net.FixedSizeReader.CheckCompletionBeforeNextRead(Int32 bytes)
              System.Net.FixedSizeReader.ReadCallback(IAsyncResult transportResult)
              System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
              System.ServiceModel.Channels.ConnectionStream.IOAsyncResult.OnAsyncIOComplete(Object state)
              System.ServiceModel.Channels.TracingConnection.TracingConnectionState.ExecuteCallback()
              System.Net.Sockets.SocketAsyncEventArgs.OnCompleted(SocketAsyncEventArgs e)
              System.Net.Sockets.SocketAsyncEventArgs.FinishOperationSuccess(SocketError socketError, Int32 bytesTransferred, SocketFlags flags)
              System.Net.Sockets.SocketAsyncEventArgs.CompletionPortCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
              System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)

我们的服务器配置如下：

<system.serviceModel>
    <services>
      <service name="ServerImpl.RACServiceImpl.RACService" behaviorConfiguration="BILLService.ServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="net.Tcp://localhost:8004" />
            <add baseAddress="http://localhost:8006" />
          </baseAddresses>
        </host>
        <!-- Service Endpoints -->
        <endpoint address="BILLService" binding="netTcpBinding" bindingConfiguration="netTcpBindingConf" contract="ServerImpl.Rsp.ServiceInterfaces.IRACService">
          <identity>
            <dns value="RACServer" />
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <client>
      <endpoint address="net.Tcp://localhost:8001/RMACService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="netTcpBindingConf" contract="ServerImpl.Rsp.ServiceInterfaces.IRACService" name="IRACService">
        <identity>
          <dns value="RACServer" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <serviceBehaviors>
        <behavior name="BILLService.ServiceBehavior">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="false" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <serviceCertificate findValue="RACServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <clientCertificate>
              <certificate findValue="RACClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
              <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
            </clientCertificate>
          </serviceCredentials>
          <serviceThrottling maxConcurrentCalls="40" maxConcurrentInstances="40" maxConcurrentSessions="40" />
          <dataContractSerializer maxItemsInObjectGraph="2147483647" />
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="ClientBehavior">
          <clientCredentials>
            <clientCertificate findValue="RACClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <serviceCertificate>
              <defaultCertificate findValue="RACServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
              <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <netTcpBinding>
        <binding name="netTcpBindingConf" closeTimeout="00:11:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="100" openTimeout="00:20:00">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
          <reliableSession ordered="true" inactivityTimeout="00:15:00" />
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Certificate" algorithmSuite="Default" />
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
</system.serviceModel>

这是我们的客户端配置：

<system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="netTcpBinding_RACService" closeTimeout="00:10:00" openTimeout="00:40:00" receiveTimeout="00:32:00" sendTimeout="00:10:00" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00" />
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Certificate" algorithmSuite="Default" />
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    <wsHttpBinding>
        <binding name="WSHttpBinding_IThirdPartyRACService" closeTimeout="00:59:00" openTimeout="00:59:00" receiveTimeout="00:59:00" sendTimeout="00:59:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
          <security mode="None">
            <message clientCredentialType="None" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true"></message>
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="net.Tcp://localhost:8004/AMACService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="netTcpBinding_RACService" contract="ServerImpl.Rsp.ServiceInterfaces.IRACService" name="IRACService">
        <identity>
          <dns value="RACServer" />
        </identity>
      </endpoint>
      <endpoint address="net.Tcp://localhost:8004/AMACService" behaviorConfiguration="ClientBehavior" binding="netTcpBinding" bindingConfiguration="netTcpBinding_RACService" contract="ServerImpl.Rsp.ServiceInterfaces.IRACService" name="IRACService1">
        <identity>
          <dns value="RACServer" />
        </identity>
      </endpoint>
    <endpoint address="https://localhost/ThirdPartyWebService/ThirdPartyRACService.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IThirdPartyRACService" contract="IThirdPartyRACService" name="WSHttpBinding_IThirdPartyRACService">
        <identity>
          <dns value="localhost" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientBehavior">
          <clientCredentials>
            <clientCertificate findValue="RACClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <serviceCertificate>
              <defaultCertificate findValue="RACServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
              <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
            </serviceCertificate>
          </clientCredentials>
          <dataContractSerializer maxItemsInObjectGraph="2147483647" />
        </behavior>
      </endpointBehaviors>
    </behaviors>
</system.serviceModel>

如果我们在客户端和服务器上将安全模式设置为“无”，那么它就可以工作。

这里有什么问题？

【问题讨论】：

为什么跟踪没有写入内部异常？谁写的痕迹？

@不会知道，没有内部异常。

改为在 server 配置中启用服务跟踪。

是的，不知何故，我不相信没有内部异常。

您的客户端和您的服务之间的安全模式不匹配 - 我希望这就是您看到错误的原因。

【参考方案1】：

事实证明，导致问题的原因是同一天发生的 Windows 更新（奇怪的巧合）。更新是 kb3102467（又名 .NET Framework 4.6.1）——它最终会在机器上找到自己。

事实证明，我们使用的 SSL 证书使用 RSA/SHA512，据我所知，这会导致 CPU 使用率过高，因此被禁用（有一个针对此问题的修补程序，并且添加了我看到的注册表信息，但在 kb3102467 之后仍然发生）。

作为一种解决方法（在我们颁发新的 SSL 证书之前），我通过以下方式禁用了 TLS 1.2：

启动 regedit 并浏览到以下位置：HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols 在协议下创建以下密钥：TLS 1.2 在 TLS 1.2 下创建以下两个 Key：Client 和 Server 在客户端和服务器键下创建以下 DWORD：DisabledByDefault 和 Enabled 在客户端和服务器下设置以下内容：DisabledByDefault=1 和 Enabled =0 重启服务器。

这解决了问题，无需卸载kb3102467

【讨论】：

虽然这可能对 2016 年的 OP 有效，但我鼓励其他人谨慎行事。我尝试了这个解决方案，但它削弱了我整个机器连接到 SSL 站点的能力。换句话说，买家要小心，并准备好回滚。我需要回滚。

【参考方案2】：

我在 Windows 10 上的 localhost 上进行测试时遇到错误，并想与大家分享。

在客户端的 App.Config 中，我删除/评论了以下行：

  <!--<identity>
                <userPrincipalName value="AD\7329688" />
            </identity>-->

现在开始工作了

【讨论】：

是的，这是一个很好的答案，对我也有帮助。非常感谢。