[英]Dynamics CRM: WCF Security Error after forcing TLS 1.2
We have a functional WCF connection to our Dynamics CRM (2016 on-premise).我们有一个功能性 WCF 连接到我们的 Dynamics CRM(2016 内部部署)。 We recently needed to remove SSL 2.0/3.0 and TLS 1.0/1.1 on the Dynamics server in order to meet compliance (force TLS 1.2).
我们最近需要在 Dynamics 服务器上删除 SSL 2.0/3.0 和 TLS 1.0/1.1 以满足合规性(强制 TLS 1.2)。 This broke our WCF connection.
这破坏了我们的 WCF 连接。 We would see the following error:
我们会看到以下错误:
System.InvalidOperationException: Metadata contains a reference that cannot be resolved: ' https://DynamicsURL.com/OrgName/XRMServices/2011/Organization.svc?wsdl '.
System.InvalidOperationException:元数据包含无法解析的引用:“ https://DynamicsURL.com/OrgName/XRMServices/2011/Organization.svc?wsdl ”。 ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.
---> System.Net.WebException:底层连接已关闭:发送时发生意外错误。 ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
---> System.IO.IOException:无法从传输连接读取数据:现有连接被远程主机强行关闭。 ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
---> System.Net.Sockets.SocketException: 现有连接被远程主机强行关闭
I did not configure this and im no code export, but as far as i can tell, the connection security is all in the web.config and needs to be adjusted.我没有配置这个并且我没有代码导出,但据我所知,连接安全性都在 web.config 中,需要调整。 It looks like this:
它看起来像这样:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IWCFService" sendTimeout="00:25:00" maxReceivedMessageSize="1000000">
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://DynamicsURL.com:8080/WCF/wcfservice.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IFWCFService" contract="WCF.IWCFService" name="BasicHttpBinding_IWCFService" />
</client>
</system.serviceModel
The issue started after implementing the following changes:该问题在实施以下更改后开始:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
Update更新
The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state.
通信 object,System.ServiceModel.Channels.ServiceChannel,不能用于通信,因为它在故障 state 中。
<system.serviceModel> <bindings> <wsHttpBinding> <binding name="BasicHttpBinding_IWCFService"> <security mode="Transport"> <transport clientCredentialType="Basic" /> </security> </binding> </wsHttpBinding> </bindings> <client> <endpoint address="https://DynamicsURL.com:8080/WCF/WCFService.svc" binding="wsHttpBinding" bindingConfiguration="BasicHttpBinding_IWCFService" contract="WCF.IWCFService" name="BasicHttpBinding_IWCFService" /> </client> </system.serviceModel>
Update 3更新 3
Schannel
errors (below).I found some suggestions to enable the Use FIPS security settings, but when i do that, it breaks a number of functions (Dynamics CRM Plugins) i have running on that machine.
Schannel
错误(如下)。我发现了一些启用使用 FIPS安全设置的建议,但是当我这样做时,它破坏了我在该机器上运行的许多功能(Dynamics CRM 插件)。
For example, the plugin would fail with this error: Error Occurred in Plugin NameRemoved exception: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Error Occurred in Plugin NameRemoved exception: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Others suggestions was to remove TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 chiper, but i cant remove it for the grading.
Errors错误
A fatal alert was generated and sent to the remote endpoint.
已生成致命警报并将其发送到远程端点。 This may result in termination of the connection.
这可能会导致连接终止。 The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.
TLS 协议定义的致命错误代码为 20。 Windows SChannel 错误 state 为 960。
A fatal error occurred while creating an SSL client credential.
创建 SSL 客户端凭据时发生致命错误。 The internal error state is 10013.
内部错误 state 为 10013。
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.5.1] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.5.23026] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001
According to the Microsoft documentation: Transport Layer Security (TLS) best practices with the .NET Framework根据 Microsoft 文档: Transport Layer Security (TLS) best practice with the .NET Framework
For WCF using .NET Framework 3.5 - 4.5.2 using TCP transport security with Certificate Credentials
对于 WCF 使用 .NET 框架 3.5 - 4.5.2 使用 TCP 传输安全证书凭证
These versions of the WCF framework are hardcoded to use values SSL 3.0 and TLS 1.0.
WCF 框架的这些版本被硬编码为使用值 SSL 3.0 和 TLS 1.0。 These values cannot be changed.
这些值不能更改。 You must update and retarget to NET Framework 4.6 or later versions to use TLS 1.1 and 1.2.
您必须更新并重新定位到 NET Framework 4.6 或更高版本才能使用 TLS 1.1 和 1.2。
Looks like you may need to upgrade you WCF services to .NET Framework to 4.6.2 or above.看起来您可能需要将 WCF 服务升级到 .NET 框架到 4.6.2 或更高版本。
First, your client connection doesn't configure the Https service address properly.首先,您的客户端连接没有正确配置 Https 服务地址。
<binding name="BasicHttpBinding_IWCFService"
bindingConfiguration="BasicHttpBinding_IFWCFService"
Also, Based on the TLS Best practices with Dotnet Framework.此外,基于 TLS 最佳实践与 Dotnet 框架。
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
we should not interfere with the decision of underlying TLS version.我们不应该干预底层 TLS 版本的决定。
Do not specify the TLS version.
不要指定 TLS 版本。 Configure your code to let the OS decide on the TLS version.
配置您的代码以让操作系统决定 TLS 版本。
Per your description, in order to achieve the TLS1.2 communications over HTTPS, we should upgrade the Dotnetframework SDK version to 4.6.1 above before we have configured the HTTPS service endpoint on the server-side.根据您的描述,为了在 HTTPS 上实现 TLS1.2 通信,我们应该先将 Dotnetframework SDK 版本升级到上述 4.6.1,然后再在服务器端配置 Z0E8433F9A404F1F3BA16ZC 服务端点。
Then on the client-side, we install Dotnetframework4.6 above too.然后在客户端,我们也安装上面的Dotnetframework4.6。 And specify the TLS version by using the following code before making a call to the server.
并在调用服务器之前使用以下代码指定 TLS 版本。
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
We could check the practical TLS version by using Wireshark.我们可以使用 Wireshark 检查实用的 TLS 版本。
Feel free to let me know if there is anything I can help with.如果有什么我可以帮忙的,请随时告诉我。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.