Unable to Establish a Secure Channel from Windows Service to Web Service via HTTPS

Discussion in 'ASP .Net Web Services' started by Rob, Jan 31, 2006.

  1. Rob

    Rob Guest

    Hello,

    We have a Windows 2003 Server that is running .Net Framework 1.1. We have a
    web service running on this server. The server is configured to support SSL.
    We are not running a load-balanced server farm.

    We have several client machines running in various networks around the
    country. Each has internet connectivity. Each has the server certificate
    installed. Each establishes a secure connection to the web service.

    Each client machine is running a Windows service that was written in VB.Net.
    This service periodically polls the web service for information. The polling
    logic uses a proxy class that was generated with the WSDL utility. We have
    created a CertificatePolicy to validate the server certificate, and we have
    verified that the certificate policy is getting called. The server
    certificate is valid.

    Several of our client machines report the following error intermittently.

    "The underlying connection was closed. Could not establish secure channel
    for SSL/TLS."

    We report events such as this via the same web service that could not
    establish the connection. Also, we record the events in the event log. We
    are not missing events between the two reporting mechanisms. It is
    interesting that the first attempt to communicate with the web service fails
    with the error that is reported above, but the second attempt, which reports
    the error, succeeds.

    This appears to be the stale connection error that has been reported in many
    newsgroups.

    We have verified that FIPS is disabled in the local security policy's system
    cryptography section on all of our client machines.

    What else can I do to resolve this problem?

    Activelyx
    Rob, Jan 31, 2006
    #1

  2. Hi Activelyx,

    Welcome to the MSDN newsgroup.
    From your description, you have one ASP.NET webservice deployed on one
    server machine, and some other client machines use a windows service to
    periodically call it. However, on some machines it occasionally reports the

    "The underlying connection was closed. Could not establish secure channel
    for SSL/TLS." error, also another webservice call (to the same webservice)
    to log the error always succeed, correct?

    If anything I misunderstood, please feel free to let me know. If this is
    the case, it really seems a bit strange since the webmethod calls to the same
    webservice give different results. Does the problem always occur on only
    some certain client machines and some other client machine always work
    well? Also, on the problem client machine, is there any difference with
    the webmethod call which raise the error and the webmethod call which log
    the error? In addition, can you find any log entries in the webservice
    server's IIS log related to the error client machine's requests?

    Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Steven Cheng[MSFT], Feb 1, 2006
    #2

  3. Rob

    Rob Guest

    Hi Steven,

    Thanks for your response.

    I have reviewed the web server logs for the last couple of days for the time
    periods when the error occurred. I see web service calls every 5 minutes
    from each client machine. Only one per machine, every 5 minutes. I see no
    HTTP errors, only 200s.

    Our web service has one method, ProcessRequest. We send this method
    different XML data using a schema that defines the tasks. Tasks might be
    "report new data", or "record alert message", etc. The web service validates
    the XML that it receives using the schema and deserializes the XML into an
    object graph which is used to process the request.

    So when the windows service gets an exception, it reports the error to the
    same web service web method, but using a different XML data stream.
    Therefore, I always see a message every 5 minutes from each machine. The
    message might be a "report new data" request, or a "record exception
    message" request. I cannot differentiate between them in the web server log,
    but I see what's happening in our database, because the "report new data"
    requests and "record exception message" requests are written to our database
    by the web service.

    My hypothesis is that an open connection has gone stale. A windows service
    in the client machine tries to establish a secure connection with the web
    service, and an exception occurs. The exception is handled in the windows
    service, and the message is reported via another secure connection to the
    same web service, only this time, a new connection is used. So it succeeds.
    So I see a request in the web server log every 5 minutes from each client
    machine.

    If I was going to implement retry logic when this error occurs, the second
    attempt would probably work. I believe that this is the case, because the
    exception is reported to the web service successfully every time the error
    occurs. But I don't need retry logic, because each client machine retries
    every 5 minutes anyway.

    We thought the problem might have been caused by wireless routers at the
    client machine sites. So we replaced those, and we still see the problem.
    However, we replaced them with VOIP routers. I will get the make and model
    for you.

    Regards,

    ActivelyX

    Rob, Feb 1, 2006
    #3
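
The stale-connection hypothesis in the post above suggests two client-side options, sketched here as an added example that is not code from the thread: stop reusing idle connections, or retry once on transport-level failures only. `PollingProxy`, `WebCall`, `StaleChannelRetry` and `InvokeWithOneRetry` are hypothetical names; the existing CertificatePolicy is assumed to stay in place unchanged.

```vbnet
Imports System
Imports System.Net
Imports System.Web.Services.Protocols

' Hypothetical stand-in for the WSDL-generated proxy class.
Public Class PollingProxy
    Inherits SoapHttpClientProtocol

    ' Runs for every SOAP call. Turning keep-alive off forces a new TLS
    ' connection per poll, so no idle pooled connection can be reused.
    Protected Overrides Function GetWebRequest(ByVal uri As Uri) As WebRequest
        Dim req As WebRequest = MyBase.GetWebRequest(uri)
        If TypeOf req Is HttpWebRequest Then
            DirectCast(req, HttpWebRequest).KeepAlive = False
        End If
        Return req
    End Function
End Class

' Hypothetical delegate wrapping one call such as ProcessRequest(xml).
Public Delegate Function WebCall() As String

Public Module StaleChannelRetry
    ' Transport failures consistent with a dead pooled connection.
    ' TrustFailure (certificate rejected by the CertificatePolicy) is
    ' deliberately absent: it must surface, not be retried or suppressed.
    Public Function IsStaleConnection(ByVal ex As WebException) As Boolean
        Select Case ex.Status
            Case WebExceptionStatus.SecureChannelFailure, _
                 WebExceptionStatus.ConnectionClosed, _
                 WebExceptionStatus.KeepAliveFailure
                Return True
        End Select
        Return False
    End Function

    ' Retries exactly once; any other error, or a second failure, propagates.
    Public Function InvokeWithOneRetry(ByVal action As WebCall) As String
        Try
            Return action.Invoke()
        Catch ex As WebException
            If Not IsStaleConnection(ex) Then Throw
        End Try
        Return action.Invoke() ' second attempt, as observed in the thread
    End Function
End Module
```

Either option is enough on its own; with a 5-minute polling interval, the extra handshake per call from disabling keep-alive is the simpler of the two.
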
  4. Thanks for your response and the further description,

    I think your analysis on the stale connection and retrying is reasonable.
    And I also agree that this somewhat depends on the network environment
    and the code logic should be ok. Anyway, if you get any further findings,
    please feel free to post here.

    Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Steven Cheng[MSFT], Feb 3, 2006
    #4