Dynamics CRM：强制 TLS 1.2 后 WCF 安全错误

Question

We have a functional WCF connection to our Dynamics CRM (2016 on-premise). We recently needed to remove SSL 2.0/3.0 and TLS 1.0/1.1 on the Dynamics server in order to meet compliance (force TLS 1.2). This broke our WCF connection. We would see the following error:

System.InvalidOperationException: Metadata contains a reference that cannot be resolved: ' https://DynamicsURL.com/OrgName/XRMServices/2011/Organization.svc?wsdl '. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

I did not configure this and im no code export, but as far as i can tell, the connection security is all in the web.config and needs to be adjusted. It looks like this:

<system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IWCFService" sendTimeout="00:25:00" maxReceivedMessageSize="1000000">
          <security mode="Transport">
            <transport clientCredentialType="None" proxyCredentialType="None" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://DynamicsURL.com:8080/WCF/wcfservice.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IFWCFService" contract="WCF.IWCFService" name="BasicHttpBinding_IWCFService" />
    </client>
  </system.serviceModel

The issue started after implementing the following changes:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

Update

I tried the following system.serviceModel config in the web.config of the client app calling the WCF app, and im getting the following error:

The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state.

 <system.serviceModel> <bindings> <wsHttpBinding> <binding name="BasicHttpBinding_IWCFService"> <security mode="Transport"> <transport clientCredentialType="Basic" /> </security> </binding> </wsHttpBinding> </bindings> <client> <endpoint address="https://DynamicsURL.com:8080/WCF/WCFService.svc" binding="wsHttpBinding" bindingConfiguration="BasicHttpBinding_IWCFService" contract="WCF.IWCFService" name="BasicHttpBinding_IWCFService" /> </client> </system.serviceModel>

Update 3

As mentioned below, i resolved the issue by adding the Reg value showing below. However, im now facing other issues. I was using SSLLabs to scan my site, and i scored a B. The solution was to enable and prefer the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 chiper. Doing that, resulted SSLLabs complaining about DH, so i set that to 2048. Now it seems all good, but im getting hammered with Schannel errors (below).I found some suggestions to enable the Use FIPS security settings, but when i do that, it breaks a number of functions (Dynamics CRM Plugins) i have running on that machine. For example, the plugin would fail with this error: Error Occurred in Plugin NameRemoved exception: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. Others suggestions was to remove TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 chiper, but i cant remove it for the grading. As its now, everything seems to functioning properly besides the errors.

Errors

• A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.

• A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

 Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.5.1] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.5.23026] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001

Answer 1

According to the Microsoft documentation: Transport Layer Security (TLS) best practices with the .NET Framework

For WCF using .NET Framework 3.5 - 4.5.2 using TCP transport security with Certificate Credentials

These versions of the WCF framework are hardcoded to use values SSL 3.0 and TLS 1.0. These values cannot be changed. You must update and retarget to NET Framework 4.6 or later versions to use TLS 1.1 and 1.2.

Looks like you may need to upgrade you WCF services to .NET Framework to 4.6.2 or above.

Answer 2

First, your client connection doesn't configure the Https service address properly.

<binding name="BasicHttpBinding_IWCFService" 

bindingConfiguration="BasicHttpBinding_IFWCFService"

Also, Based on the TLS Best practices with Dotnet Framework.
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
we should not interfere with the decision of underlying TLS version.

Do not specify the TLS version. Configure your code to let the OS decide on the TLS version.

Per your description, in order to achieve the TLS1.2 communications over HTTPS, we should upgrade the Dotnetframework SDK version to 4.6.1 above before we have configured the HTTPS service endpoint on the server-side.
Then on the client-side, we install Dotnetframework4.6 above too. And specify the TLS version by using the following code before making a call to the server.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

We could check the practical TLS version by using Wireshark.
Feel free to let me know if there is anything I can help with.