I’m facing the following issue on multiple (not to say: all) Windows 8.x machines:
Running this piece of code:
var message = new MailMessage();
message.From = new MailAddress("sender#foo.bar.com");
message.To.Add(new MailAddress("recipient1#foo.bar.com"));
message.Subject = "This is my subject";
message.Body = "This is the content";
var client = new SmtpClient();
client.Send(message);
The config:
<system.net>
<mailSettings>
<smtp from="test#foo.com">
<network host="smtpserver1" port="25" userName="username" password="secret" defaultCredentials="false" />
</smtp>
</mailSettings>
</system.net>
against a hosted Exchange Server results in several issues like 5.7.1 SMTP errors (not authenticated, base64 required etc.)
Running the same code on a Windows Server 2008 R2, Windows Server 2012 or Windows 7 works as expected…
Turning of the firewall did not help.
Am I missing same magic on Windows 8.1 machines?
It doesn't matter whether the code runs in an IIS or Console Application.
Setting defaultCredentials to true or false also doesn't matter.
Sending the mail using Windows telnet client works without any problems also.
Update:
Here comes the WireShark SMTP Log:
C: EHLO <LOCALMACHINENAME>
S: 250 mail.myhostedexchange.org Hello [<IP>] | 250 SIZE 104857600 | 250 PIPELINING | 250 DSN | 250 ENHANCEDSTATUSCODES | 250 STARTTLS | 250 AUTH GSSAPI NTLM LOGIN | 250 8BITMIME | 250 BINARYMIME | 250 CHUNKING
C: AUTH gssapi <base64 encoded string>
S: 334 <base64 encoded string>
C: base64 username
S: 334 <base64 encoded string>
C: base64 password
S: 535 5.7.3 Authentication unsuccessful
Update 2:
I compared the Wireshark output from a Windows 8.1 machine and a Windows 7 machine (where everything works fine):
The Windows 7 machine sends something like this:
C: AUTH gssapi <base64encoded>NTLMSSP + some encoded chars.
The Windows 8 machine sends something like this:
C: AUTH gssapi <somehowencodedchars>Token Signing Public Key<somehowencodedchars>WELLKNOWN:PKU2U<somehowencodedchars>SMTPSVCmail.myhostedexchange.org
Update 3:
I tried using SendGrid and it works fine on Windows 8.x machines.
The difference between SendGrid and my Hosted Exchange is that SendGrid only supports
250-AUTH=PLAIN LOGIN
This is similar to my Telnet Login experience.
Update 4:
EnableSSL=true does not fix it.
This could be related to this bug: https://connect.microsoft.com/VisualStudio/feedback/details/785710/mailmessage-subject-incorrectly-encoded-in-utf-8-base64 but this is just with the subject header and not authentication. Keep reading!
Before I changed my answer I was pointing to the Exchange server as the problem. Encoding CSR. (but then changed my approach to the client to see what could be done there since it seemed like Weekend changes server-side would have a lower probability. But then again it just might be the right way to go after all.
I have fetched that information and brought it back:
Create a new CSR on the Exchange server and reissue the certificate
And review this post where a base64 was request to exchange but failed. So the Exchange Server had to have something modified.
http://www.billmorefield.com/index.php/2013/11/29/encoding-csr-on-exchange-2010/
I am seeing a lot of the 64 base interpretation on various different things pointing to a backwards compatibility issue on your exchange server. Windows 8 is throwing something at it and Exchange folds because of interpretation problems.
More client related but along the same lines to try to avoid bumping the 64base encrypt/decrypting problem...Here is a work around attempt from the client side which is basically rendering SSL auth useless (leaving this just to illustrate that people are attempting to approach this from the client side). See if you can set SMTPEnableSSL=N or false in your web config settings. Test and see if it works. I am thinking SSL might be the problem.
http://theoldsewingfactory.com/2011/01/06/enable-ssl-in-web-config-for-smtpclient/
Look here as well. I'll pretty up these links later.
http://social.technet.microsoft.com/Forums/en-US/023d7598-9311-4b84-b1df-81ceda011fe4/bug-smtplivecom-stopped-working-after-win-81-tested-ol2013-win8-my-lan-roaming-user?forum=w81previtpro
This is backwards compatibility issue.
This is for the .NET 4 framework. If you are using 3.5 or 3 it won't work in config.
So then you would look for your host settings somewhere and configure it there.
Reason seems to be due to the base 64 encryption not being able decrypt on your SMTP server.
Ok. To bring back my main points. It is unlikely that this is a Application coding problem considering the code works on some Windows 8 machines with SMTP and older versions of client server setups. This is more related a transport/authentication issue.
Console app
using telnet
on windows 8.1
connecting to a hosted 2010 exchange server.
Approach: Authentication/Security/Relay
Here are some better things to check.
Authentication (this is for sharepoint but it talks about your config file).
Machine Keys
Machine Keys
More Machine keys
Client Certificates
Client Certificates and Windows 8
More on Certificates
Certificate Authority
SSL
Here is discussion on routers, SSL and Windows 8.1
Here is discussion on Multiple Authoritative Domains and Windows 8
Related
Running an ASP.Net Core application based on IdentityServer 4 on an AWS cluster,
after 14-21 days all outgoing HTTPS requests take 5min or more to finish.
After an investigation found that the WinHTTP Web Proxy Auto-Discovery Service dies with the following error: The endpoint mapper database entry could not be created. not sure if this is the issue or a side effect of something else that breaks lower in the OS.
Environment:
ELB with with an autoscaling group with two instances behind it, issue occurs on both
Windows Server 2019
Notes:
It is a custom AMI but the only difference with the instances that do not experience this is the product is running on it.
Happens on both .Net core 2.2 and 3.1 based versions of the application
Happens on both versions based on IdentityServer4 v2 and v3
The app is deployed self contained
The app uses Kestrel without a reverse proxy in front of it
Tried:
Enabled schannel: no errors in the schannel logs set on trace
No other notable errors in any of the EventViewer logs
Restarting the instance fixes the problem
When running curl.exe -v to an HTTPS site on the machine the request gets stuck on schannel: checking server certificate revocation
The clocks on the instances are OK
Restarting the app process does not resolve the issue
Disabling the HTTPClient in the code using the WinHTTP Web Proxy Auto-Discovery Service service still breaks the service.
For those running into this.
The root of this issue is the WinHTTP autoproxy (wpad) service which is used to autoconfigure proxy settings, WinHTTP 5.1 implements the Web Proxy Auto-Discovery (WPAD) protocol also known as autoproxy, and it must support DHCP. Now this is where the problem occurs, the AWS DHCP does not support DHCP option 252 (used by WPAD) which in turn causes the issue.
The resolution is to disable the WinHTTP service as it is turned on by default in Windows.
I am seeing this exact same problem on a bare-bones AWS Lightsail instance of Server 2019. I am simply using IIS as a reverse proxy with the URL Rewrite module.
Here are some details about my environment/scenario in case it helps narrow down some common factors.
I have zero .Net applications running on this box, it is simply a reverse proxy.
I have 2 web applications, and 2 websites setup in IIS, each is a reverse proxy for a different back-end API.
The websites in IIS on the reverse proxy use the same CA issued wildcard certificate as the back-end API's.
The back-end API's are also hosted in IIS (Server 2012 R2).
The back-end API's run in a PCI compliant environment so IIS Crypto has been used to tighten up encryption protocols/algo's. I have not used IIS Crypto on the reverse proxy yet, so as I type this I'm starting to wonder if there's an SSL aspect to this.
I'm trying to use a cfhttp post to secure.authorize.net/gateway/transact.dll, but am getting a connection failure. I'm using coldfusion 2016 on windows server 2008. I believe I have the correct cert file registered in the java keystore but am not 100% sure. Based on some google searches, I think that is the problem.
I downloaded and registered GeoTrust Primary Certification Authority - G2 from https://www.geotrust.com/resources/root-certificates/
Any tips on how to make sure the proper sha-2 certificate is registered in the keystore? I tried using IE to save the certificate from secure.authorize.net/gateway/transact.dll, by following the instructions here https://www.youtube.com/watch?v=ewT4aud-xww but that also didn't seem to work.
I should add that this wasn't working even before the TLS disablement date of yesterday. That was just a coincidence. I previously had CF 9 installed, and it was working on there. From what I've always understood, the communication failure error usually indicates lack of or incorrectly imnported certifcate into the keystore. I tried copying the CACerts file from the cf9 instal, as well as start fresh and manually import the certs.
It's likely to be related to the disablement of TLS 1.0 and 1.1 which happened today.
We're having the same issue on a couple of servers, but not others, so trying to work out why that is.
All servers are TLS 1.2 enabled, but connections on some appear to be failing.
I have a web service which i need to access through https. We have a workbout pro 4 with win ce 6.0 running on it. When we were developing our app we had tested it through http. wihtout any problem. When we went live and needed access to https based server we have received the error stated on subject field under VS 2008 Smart Device Project. On the device we receive an error "could not display..." . We have tried to import the standard certificate issued by global si. We still have no success accessing the web service. We can acces the web service on phone, tablet, pc but not with Pro 4:). It would be kind if anyone can share his/her experience with https based web service access or can guide us to over come our problem.
Secure connection is not implemented on CE fully. Something to do with cert management. Here is what i am considering for my project and it gives a little more info what the issue is. http://labs.rebex.net/HTTPS
Here is some quotes from the site in case its down or something.
.NET Compact Framework does not support TLS 1.2, 1.1, SNI or SHA-2
based certificates.
.NET CF's HttpWebRequest is outdated. It does not support TLS 1.2 or
1.1, it doesn't support Server Name Identification (SNI), and it does not support SHA-2 in X509 certificates. It also suffers from several
authentication-related bugs with no known workaround. This makes it
unusable in a growing number of scenarios, and Microsoft will never
fix this because it no longer cares about these legacy platforms.
Fortunately, it's now possible to work around these shortcomings using
a beta version of Rebex HTTPS library. It features a HttpWebRequest
replacement object for .NET Compact Framework that plugs into the
existing .NET CF WebRequest API and provides the features the default
HTTP/HTTPS provider lacks. Most importantly, it adds support for TLS
1.2, TLS 1.1, SNI and SHA-2, it works even on old devices based on Windows CE 5.0 and it makes it simple to add TLS 1.2 support to
existing SOAP web service clients.
We had a similar issue on CE 7.0.
HTTPS connections using SHA1 certificates would work, however ones with SHA2 certificates would return the error
Could not establish trust relationship with remote server
If possible, try testing your code against a host that uses a SHA1 certificate to see if the issue might be related to missing SHA2 support in CE 6.0.
I should mention that we never formally approached Microsoft to get confirmation on whether SHA2 was supported or not in CE 6.0/7.0, it was just our conclusion after numerous tests that it wasn't.
We use NTLM auth to access an ASP.net web services from our MonoTouch app and everything works fine.
One of our customers uses the same app and the NTLM auth fails from our app but works from the iPad's Safari browser.
Looking at the packet flow from the customer, the server does not return NTLMSSP_CHALLENGE, when our app sends NTLMSSP_NEGOTIATE message.
Looking the differences between our app's NTLMSSP_NEGOTIATE message and iPad's Safari same message
Our MT app sets the NTLM flags to 0xb203 and Safari sets this to 0x88207.
The NegotiateNtlm2Key is set to 0 in our app and 1 in Safari
Our app also sends the calling workstation domain and name fields whereas Safari send both as null.
The client's server is Windows Server 2003 and they also use Kerberos as their main authentication scheme and fall back on NTLM.
Would setting the NegotiateNtlm2Key flags in Mono.Security.Protocol.Ntlm.NtlmFlags help?
NTLMv2 Session and NTLMv2 Authentication has now been implemented in Mono (mono/master commit 45745e5).
See this article for a description of the different NTLM versions.
By default, Mono now uses NTLMv2 Session Authentication whenever the server supports it and falls back to LM & NTLM otherwise.
The default behavior can be configured by using the new Mono.Security.Protocol.Ntlm.Type3Message.DefaultAuthLevel property in Mono.Security.dll (see Type3Message.cs and NtlmAuthLevel.cs in mcs/class/Mono.Security/Mono.Security.Protocol.Ntlm).
This is similar to the Lan Manager Authentication Level in Windows.
Update 01/26/13
There has been an issue with Microsoft Server 2008 RC2 not accepting the domain name that it sent back in the Type 2 Message's Target Name (or Domain Name from the Target Info block).
Therefore, we are now using the domain name from the NetworkCredential to allow the user to specify the desired domain. This is also the domain name that's initially being sent to the server in the Type 1 Message.
Simply setting flags ? Maybe but IMHO that's quite unlikely.
That code base was written in 2003 (and updated in 2004) and I'm pretty sure that I (as the author of the low-level code) did not have access to a Windows 2003 server or a Kerberos-enabled domain at that time.
The amount of required change, for a fallback, might not be too large (but I would not bet 5$ on that ;-) if you already have the environment to test it. I'm 100% positive that the Mono project would be happy to receive patches to enable this. You can also fill a bug report (priority enhancement) to ask for this feature at http://bugzilla.xamarin.com
An alternative is to use the iOS API, which I assume Safari is using, to communicate with the ASP.NET web service and deserialize the data yourself. Hard to say which options is more complex.
So, I have the following system: there is a client app, which requests the service as follows:
blar.ServiceSecurity wsSecurity = new blar.ServiceSecurity();
wsSecurity.Url = this.tURL + "Security.asmx";
CookieContainer cc = new CookieContainer();
wsSecurity.CookieContainer = cc;
wsSecurity.ClientCertificates.Add(X509Certificate.CreateFromCertFile(certPath));
blar.LoginResult lr = wsSecurity.Login(login, password);
then, a web-service at this.tURL + "Security.asmx"'s Login method has to get that ClientCertificate (certPath) from:
Context.Request.ClientCertificate.Certificate;
and do something with it.
There are two problems:
if IIS's configuration says Require client certificates, i get 403.7 error on calling the Login function;
if IIS's configuration says Accept client certificates, i get CryptographicException "m_safeCertContext is an invalid handle";
but, those problems happen only if client works from Windows 7 x64, when launched on Windows XP, or Windows Server 2003 even, it does just fine.
ca is installed on both machines, configuration seems completely identical in all test cases,
so my question is 'What the hell?'
I don't see anything immediately wrong with your code or configuration, so you might find these tools helpful in figuring out the problem yourself:
SSL Diagnostics for IIS (or for IIS 7, see this)
.NET Network Tracing
Fiddler HTTP(S) proxy debugger (how to decrypt SSL)
SSL tracing