Could not establish secure channel for SSL/TLS web service

[Brian]

Hello All!

Yes, it is this infamous error once again. Yes I have googled the issue and
read through reams of good information. Unfortunately nothing has cured the
problem, so hear goes.

Console App running on Windows NT 4, Framework 1.1 (not SP1) accessing web
service running on Windows Server 2003. Was running fine for the past 2
months and then 3 days go started getting this error. Runs fine on over 40
other clients, the majority of which are NT 4.

Implemented ICertificatePolicy to narrow down the problem, the problem
parameter comes back as 0. When the first web service method is called, the
error occurs.

I am stuck and any help would be much appreciated!

 

[[MSFT]]

Hi Brian,

Such a issue has many possible causes. I suggest you check following issues
first:

1. Has Win NT Service Pack 6 and IE 6 SP1 has been installed on the
computer?
2. Can you call the web service via HTTP?
3. Can you browse the Page on the server via Https in IE?
4. Is the Console App executed under same Windows account as before
5. Is there any proxy, firewall or SSL related application changed recently

Luke

 

[Brian]

Hi Luke,

In answer to your questions:

1. Service Pack 6a.
2. I may try this however this is a production web service that needs to
remain secure so the likely hood of changing this is slim. But (see answer to
next question).
3. Yes I can browse the page in IE, lending to the frustration level.
4. Account information is the same for the console app. Also ran it as an
Administrator and it did not change the error.
5. I am still investigating this, but since I can get there via IE I do not
believe there is anything blocking https traffic.

Also the certificate on the server is valid and has not expired.

Take Care,

Brian

1. Has Win NT Service Pack 6 and IE 6 SP1 has been installed on the
computer?
2. Can you call the web service via HTTP?
3. Can you browse the Page on the server via Https in IE?
4. Is the Console App executed under same Windows account as before
5. Is there any proxy, firewall or SSL related application changed recently

 

[Yan-Hong Huang[MSFT]]

Hello Brian,

I reviewed the problem description carefully and found the following things:

1) The problem doesn't happen till 3 days before, right? If that, have you
installed anything 3 days ago such as security patch or some software?

2) You mentioned "Runs fine on over 40 other clients, the majority of which
are NT 4."
Do you mean that the console application runs fine on other NT 4.0
machines. The error just happens on some NT 4.0 machine? If that, the
problem may be machine specific.

3) Do you know one trace tool named Soap trace utility included in SOAP
toolkit 2.0?
I suggest you use that tool for tracing. In this way, we can find out the
difference between the error machine and a normal machine. It may give us
more hints in troubleshooting.

Hope that helps.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
Register to Access MSDN Managed Newsgroups!
-http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.as
p&SD=msdn

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Brian]

Hi Yanhong,

Thanks for the reply. Most of the environment changes have already been
assessed. However, I did come across 2 applications being installed the
morning before the failures started: Word 97 and Outlook 98. All critical
updates are installed on the computer with the exception of .NET framework
SP1.

The error occurs only on this machine and only recently. The first attempt
to solve has been trying to determine what has changed on the machine. I only
added the ICertificatePolicy code to help assess what might have changed.

I will look into running the trace tool.

Take Care,

Brian

 

[Yan-Hong Huang[MSFT]]

Hello Brian,

Thanks very much for the quick update. Since the problem only happens on
one machine, I think it may not be related to coding, but related to some
installed software.

For that trace tool, please also run IE to access that web service and
compare the difference. I look forward to your testing result.

By the way, for Word97 and Outlook98, they are no longer supported
according to product lifecycle.
(http://support.microsoft.com/default.aspx?id=fh;[ln];lifeprodo)

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
Register to Access MSDN Managed Newsgroups!
-http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.as
p&SD=msdn

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Brian]

Hi Yanhong,

Thanks for the update on the not supported applications. I figured that
would be the case. Doh!

Ok, I ran the trace but I had to run them unformatted because formatted did
not return any info. So I have these traces, one set with IE and one set with
the application. Just looking at them they are different, but I don't really
know how to interpret them or how the differences really matter. What do you
suggest as the next step?

Thanks!

 

[Yan-Hong Huang[MSFT]]

Hello Brian,

Could you please save the trace to a txt file and send to me? Please remove
online from my email address here to reach me.

Generally speaking, if the SSL can't be established, there should be some
error line in the trace file. What we need is to compare them line by line.
It may be a time consuming task. You can use some tool such as WinDiff
to do that.

Based on your reply, if you feel that was caused by old version of outlook
and work, could you please uninstall them first to confirm it? That may be
a quicker step.

Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
Register to Access MSDN Managed Newsgroups!
-http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.as
p&SD=msdn

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Yan-Hong Huang[MSFT]]

Hello All,

Here is the update of this issue. I have received the log file from Brian.
However, since the issue happens only on SSL, the message in the log is
secured and so we can get little info from it.

For this problem, if there are detailed steps on how to set up a repro
environment, our premier support team may help isolate it. If there are no
repro steps, maybe we need to connect to that machine and do some testing
there. I have told Brian to contact PSS to have one support engineer to
work with him specially on it.

Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
Register to Access MSDN Managed Newsgroups!
-http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.as
p&SD=msdn

This posting is provided "AS IS" with no warranties, and confers no rights.