WCF: Unable to add service reference – System.Security.SecurityException: Request for the permission of type ‘System.Security.Permissions.SecurityPermission’ failed" – after installing KB 2938782


Issue:

Client app: Console Application running with Partial Trust

Functionality broken: Add Service Reference for SSL hosted web service

 

Error:

System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed"

 

Important condition:

Affected box has the following KB installed: KB 2938782

 

Comparison with working box:

In the “Working” trace, we found that the SchUseStrongCrypto is set to 0, however for the failing trace it is set to 1
SchUseStrongCrypto:
http://blogs.msdn.com/b/tdevere/archive/2014/11/11/ssl-handshake-clienthello-receives-encrypted-alert.aspx

SchUseStrongCrypto
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379810(v=vs.85).aspx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto

Instructs Schannel to disable known weak cryptographic algorithms, ciphersuites, and SSL/TLS protocol versions that may be otherwise enabled for better interoperability.

 

STACK TRACE captured from failure IDNA:
0:000> kc
Call Site
kernelbase!RaiseException
clr!RaiseTheExceptionInternalOnly
clr!IL_Throw
mscorlib_ni!System.Security.CodeAccessSecurityEngine.ThrowSecurityException(System.Reflection.RuntimeAssembly, System.Security.PermissionSet, System.Security.PermissionSet, System.RuntimeMethodHandleInternal, System.Security.Permissions.SecurityAction, System.Object, System.Security.IPermission) mscorlib_ni!System.Security.CodeAccessSecurityEngine.CheckHelper(System.Security.PermissionSet, System.Security.PermissionSet, System.Security.CodeAccessPermission, System.Security.PermissionToken, System.RuntimeMethodHandleInternal, System.Object, System.Security.Permissions.SecurityAction, Boolean) clr!CallDescrWorkerInternal clr!CallDescrWorkerWithHandler clr!DispatchCallDebuggerWrapper clr!DispatchCallSimple clr!SecurityStackWalk::CheckPermissionAgainstGrants
clr!DemandStackWalk::CheckGrant
clr!DemandStackWalk::WalkFrame
clr!Thread::StackWalkFrames
clr!DemandStackWalk::DoStackWalk
clr!SecurityStackWalk::Check_StackWalk
clr!SecurityStackWalk::Check_PLS_SW
clr!SecurityStackWalk::SpecialDemand
clr!SecurityDeclarative::DoDeclarativeActions
clr!DoDeclarativeActionsForPInvoke
clr!StubHelpers::DemandPermission
system_configuration!DomainBoundILStubClass.IL_STUB_PInvoke()
system!System.Net.RegistryConfiguration.GetAppConfigValueName()
system!System.Net.RegistryConfiguration.AppConfigReadString(System.String, System.String)
system!System.Net.ServicePointManager.EnsureStrongCryptoSettingsInitialized()
system!System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)

 
 

Workaround:

  1. Setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto to 0.
  2. Migrate to .Net Framework 4.6.
  3. If above two version not possible, request for hot fix from MS, refer following internal hot fix number: 3064715

 

Hope this help !

 
Comments (0)

Skip to main content