对SSPI的调用失败,请参阅内部exception – 无法联系本地安全机构
我有一个WPF应用程序,它使用SSLStream连接到服务器并发送/接收一些消息。 我的代码更大程度上基于这个例子(SslTcpClient): https ://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v = vs.110).aspx。
这个工作好几个月了。 但是,在获得此Windows更新(Windows 10版本1511和Windows Server 2016技术预览4的累积更新:2016年6月14日 – https://support.microsoft.com/en-us/kb/3163018 )之后。 我的应用程序开始报告此exception:
System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The Local Security Authority cannot be contacted --- End of inner exception stack trace --- at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation) at MyAPP.Core.Services.Network.Impl.SslTcpClient.ClientSideHandshake() at MyAPP.Core.Services.Network.Impl.SslTcpClient.Connect() at MyAPP.Core.Services.Impl.MessageService.SendMessage(String message) 我能做什么 ?
以下是在注册表中设置的解决方案:
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ KeyExchangeAlgorithms \ Diffie-Hellman]“ClientMinKeyBitLength”= dword:00000200
如此处所述
这意味着另一方正在使用其他版本的TLS,而您使用的是旧版本。
在建立连接之前将安全属性设置为TLS12。 这是一个众所周知的问题,因为许多提供商开始使用TLS12(例如paypal,amazon等)。
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
如果您正在使用SslStream,则需要在AuthenticateAsClient调用中显式设置TLS版本,例如:
ssl.AuthenticateAsClient(url, null, SslProtocols.Tls12, false);