Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / ASP.NET / Web Services / November 2005

Tip: Looking for answers? Try searching our database.

Security Exception in TslStream.EndRead

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Will Holley - 12 Oct 2005 14:25 GMT
We are hosting a .net winforms usercontrol within IE6 which makes POST and
GET calls to a webserver  using httpwebrequest. This was working fine until
we changed our authentication mechanism in IIS  to require client
certificates. I can fetch the certificate in the user control ok and this is
being attached to the request. i.e.:

ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();

HttpWebRequest request = WebRequest.Create(remoteUri) as HttpWebRequest;
request.Headers = new WebHeaderCollection();
request.KeepAlive = false;
request.ProtocolVersion = HttpVersion.Version10;
request.Proxy = WebProxy.GetDefaultProxy();
request.AllowAutoRedirect = true;
request.MaximumAutomaticRedirections = 10;
request.Timeout = (int) new TimeSpan(0, 0, 60).TotalMilliseconds;

CertificateStore store = new CertificateStore();

X509Certificate cert = store.GetValidApplicationCertificate();
request.ClientCertificates.Add(cert);

request.Method = "GET";

WebResponse response = request.GetResponse();

When this last line is called, I get an error:

Could not establish secure channel for SSL/TLS. --->
System.Security.SecurityException: Request for the permission of type
System.Security.Permissions.SecurityPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
  at System.Net.TlsStream.EndRead(IAsyncResult asyncResult)
  at System.Net.Connection.ReadCallback(IAsyncResult asyncResult)
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.CheckFinalStatus()
  at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
  at System.Net.HttpWebRequest.GetResponse()

This looks like the error described in KB823177 but installing all the
latest patches does not help.

Does anybody have any suggestions as to how we might fix this as I'm stumped!
Reply to this Message
Steven Cheng[MSFT] - 13 Oct 2005 06:19 GMT
Hi Willholley,

Welcome to ASPNET newsgroup.
From your description ,you're developed a winform user control which use
WebRequest component to request a SSL protected remote services. However,
when executing in client page in IE browser, you're getting some exception
at the end of the request, yes?

From the exception information, it seems a secuirty permission issue. I'd
suggest you first try turn off the .net CodeAccess Security on the client
machine (or grant the control assembly full trust) and run the page again
to see whether the control can work correctly. Thus, we can confirm whether
this is a security issue.

Also, for IE hosted winform control developing, you can turn on the IE host
log to see whether you can get any more detailed clues from it.

#HOW TO: Use the IEHost Log to Debug .NET Object Hosting in Internet
Explorer
http://support.microsoft.com/default.aspx?scid=kb;en-us;313892

Thanks,

Steven Cheng
Microsoft Online Support

Signature

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| Thread-Topic: Security Exception in TslStream.EndRead
| thread-index: AcXPMF4iLUtCMjomQcyKkU0/iP9WSw==
[quoted text clipped - 17 lines]
| Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.aspnet.webservices:30587
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
|
[quoted text clipped - 41 lines]
|
| Does anybody have any suggestions as to how we might fix this as I'm stumped!
Reply to this Message
Steven Cheng[MSFT] - 17 Oct 2005 12:24 GMT
Hi Willholley,

How are you doing on this issue, does the suggestion in my last reply helps
you a little or have you got any progress?
if there're any thing else we can help, please feel free to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Signature

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
| X-Tomcat-ID: 87316100
| References: <B0086DB9-9DF8-4A6E-8BA9-D29FFD6407DE@microsoft.com>
[quoted text clipped - 11 lines]
| Path: TK2MSFTNGXA01.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet.webservices:8038
| NNTP-Posting-Host: tomcatimport2.phx.gbl 10.201.218.182
|
[quoted text clipped - 101 lines]
| | Does anybody have any suggestions as to how we might fix this as I'm
| stumped!
Reply to this Message
Will Holley - 26 Oct 2005 11:16 GMT
Steven,

Thanks for the reply - I have been away for the last 10 days so havent had a
chance to look into this issue again until now.

After turning off caspol I now get a 401 unauthorized exception. I am sure
the certificate is correct (as it is the only one in the store and works for
the same uri when i try to access it from IE6).

Will

> Hi Willholley,
>
[quoted text clipped - 136 lines]
> | | Does anybody have any suggestions as to how we might fix this as I'm
> | stumped!
Reply to this Message
Will Holley - 26 Oct 2005 13:19 GMT
Steven,

Ignore the last post - it was a config issure in IIS. I now have the code
working perfectly with caspol off but turning on caspol gives me the
securitypermission exception again.

Will

> Steven,
>
[quoted text clipped - 147 lines]
> > | | Does anybody have any suggestions as to how we might fix this as I'm
> > | stumped!
Reply to this Message
Steven Cheng[MSFT] - 27 Oct 2005 10:31 GMT
Thanks for your followup Will,

So it is still a security issue. Have you tried the IE host log to see
whether it provide any further info on the security exception?

Steven Cheng
Microsoft Online Support

Signature

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| Thread-Topic: Security Exception in TslStream.EndRead
| thread-index: AcXaJ3LjPOy6O0tGSLqHx87cNlnYGw==
| X-WBNR-Posting-Host: 217.35.83.223
| From: "=?Utf-8?B?V2lsbCBIb2xsZXk=?=" <willholley@community.nospam>
| References:  <B0086DB9-9DF8-4A6E-8BA9-D29FFD6407DE@microsoft.com>
<A5RsnW7zFHA.2352@TK2MSFTNGXA01.phx.gbl>
<pZL4W1w0FHA.1144@TK2MSFTNGXA01.phx.gbl>
<0F82516C-C870-44B7-8CD9-6F1164357555@microsoft.com>
| Subject: RE: Security Exception in TslStream.EndRead
| Date: Wed, 26 Oct 2005 05:19:01 -0700
[quoted text clipped - 13 lines]
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet.webservices:8170
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
|
[quoted text clipped - 157 lines]
| > > | | Does anybody have any suggestions as to how we might fix this as I'm
| > > | stumped!
Reply to this Message
Will Holley - 27 Oct 2005 13:45 GMT
Steven,

The IEHost log unfortunately provides no clue. It looks to me as thought the
security exception is happening in the framework code which we have no
control over. We assert the appropriate permissions to make the web request
but since the callback within the framework implementation is asynchronous
how would it get the permissions to execute in a partially trusted
environment? Peeking in with reflector, I see no evidence of permission
demands or asserts within TLSStream.EndRead.

Will

> Thanks for your followup Will,
>
[quoted text clipped - 3 lines]
> Steven Cheng
> Microsoft Online Support
Reply to this Message
Steven Cheng[MSFT] - 31 Oct 2005 09:36 GMT
Thanks for the response Will,

That'll be very hard to thoublshoot. What's the current permission set  you
grant to that control's assembly, FullTrust?
Also, due to the limitation of newsgroup, I'd recommend you consider
contacting PSS for further detailed troubleshooting if you feel this a high
priority issue.

Thanks,

Steven Cheng
Microsoft Online Support

Signature

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| Thread-Topic: Security Exception in TslStream.EndRead
| thread-index: AcXa9EN+DIvUXnlXSAuzAW1zYTruRQ==
| X-WBNR-Posting-Host: 217.35.83.223
| From: "=?Utf-8?B?V2lsbCBIb2xsZXk=?=" <willholley@community.nospam>
| References:  <B0086DB9-9DF8-4A6E-8BA9-D29FFD6407DE@microsoft.com>
<A5RsnW7zFHA.2352@TK2MSFTNGXA01.phx.gbl>
<pZL4W1w0FHA.1144@TK2MSFTNGXA01.phx.gbl>
<0F82516C-C870-44B7-8CD9-6F1164357555@microsoft.com>
<E5A4CB0D-8968-443D-B4AF-829D9F08F7AE@microsoft.com>
<uMh$xkt2FHA.1172@TK2MSFTNGXA01.phx.gbl>
| Subject: RE: Security Exception in TslStream.EndRead
| Date: Thu, 27 Oct 2005 05:45:08 -0700
[quoted text clipped - 13 lines]
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet.webservices:8184
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
|
[quoted text clipped - 17 lines]
| > Steven Cheng
| > Microsoft Online Support
Reply to this Message
Will Holley - 31 Oct 2005 12:16 GMT
Steven,

Yes we are giving the assembly full trust - it looks completely symptomatic
of the bug in KB836989 - not KB823177 as i originally posted!

Will

> Thanks for the response Will,
>
[quoted text clipped - 66 lines]
> | > Steven Cheng
> | > Microsoft Online Support
Reply to this Message
Steven Cheng[MSFT] - 02 Nov 2005 04:15 GMT
Hi Will,

Yes, from the symptom of your problem , it is quite exactly the problem in
the KB article. So if necessary, you can submit a PSS support incident on
your problem and also refer to the KB article. If that's still the same
issue of the one in the kb, they shall help you fixed it (or maybe a
certain hot fix needed) by free.

Thanks,

Steven Cheng
Microsoft Online Support

Signature

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| Thread-Topic: Security Exception in TslStream.EndRead
| thread-index: AcXeDHv+lVxyIxYqQD+tpUO7Bc198g==
| X-WBNR-Posting-Host: 217.35.83.223
| From: "=?Utf-8?B?V2lsbCBIb2xsZXk=?=" <willholley@community.nospam>
| References:  <B0086DB9-9DF8-4A6E-8BA9-D29FFD6407DE@microsoft.com>
<A5RsnW7zFHA.2352@TK2MSFTNGXA01.phx.gbl>
<pZL4W1w0FHA.1144@TK2MSFTNGXA01.phx.gbl>
<0F82516C-C870-44B7-8CD9-6F1164357555@microsoft.com>
<E5A4CB0D-8968-443D-B4AF-829D9F08F7AE@microsoft.com>
<uMh$xkt2FHA.1172@TK2MSFTNGXA01.phx.gbl>
<286A747D-267B-465B-B6C4-A3F59C29EBA3@microsoft.com>
<itZXGZf3FHA.1172@TK2MSFTNGXA01.phx.gbl>
| Subject: RE: Security Exception in TslStream.EndRead
| Date: Mon, 31 Oct 2005 03:16:05 -0800
[quoted text clipped - 13 lines]
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet.webservices:8203
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
|
[quoted text clipped - 75 lines]
| > | > Steven Cheng
| > | > Microsoft Online Support
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.