Stack Trace: System.IO.IOException: Authentication failed because the remote party has closed the transport stream

Siegfried Heintze 1,861 Reputation points
2020-05-06T17:46:08.833+00:00

Yahoo! My tutorial AAD/WebApp can call my AAD/AzureFunc!

In this tutorial exercise, my development machine is hosting a Web App that is registered for authentication with AAD and it is calling an Azure Function also registered with AAD to require authentication.

I posted this stack trace previously but have since marked that issue resolved since the tutorial is now working. I still want to know what this stack trace means and if there is any merit to trying to resolve the issue that is causing this stack trace.

Here is the stack trace that appears on the console window created by "dotnet run". Please help me understand it:

  Failed to authenticate HTTPS connection.

System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken,
AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory1.FromAsyncImpl[TArg1,TArg2](Func5 beginMethod, Func2 endFunction, Action1 endAction, TArg1 arg1, TArg2 arg2, Object
state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions
creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
dbug: HttpsConnectionAdapter[1]
Failed to authenticate HTTPS connection.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken,
AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__51_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory1.FromAsyncImpl[TArg1,TArg2](Func5 beginMethod, Func2 endFunction, Action1 endAction, TArg1 arg1, TArg2 arg2, Object
state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions
creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionAdapter.InnerOnConnectionAsync(ConnectionAdapterContext context)
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET https://localhost:5001/
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3]
Route matched with {action = "Index", controller = "Home"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult Index() on controller
WebApp_FunctionAPI.Controllers.HomeController (WebApp-FunctionAPI).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Executing action method WebApp_FunctionAPI.Controllers.HomeController.Index (WebApp-FunctionAPI) - Validation state: Valid
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action method WebApp_FunctionAPI.Controllers.HomeController.Index (WebApp-FunctionAPI), returned result Microsoft.AspNetCore.Mvc.ViewResult in 1.5903ms.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.ViewResultExecutor[1]
Executing ViewResult, running view Index.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.ViewResultExecutor[4]
Executed ViewResult - view Index executed in 1027.1479ms.


4 answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-05-11T23:55:58.347+00:00

    This error is generally related to the security protocol type. Usually either the application is allowing the wrong SSL protocol or your application's default security protocol type is being set too low. If your application is enforcing a newer TLS version while deployment pipelines (or anything else in your application) rely on an older TLS version, this can happen.

    One solution I saw was to restrict the protocol only to the ones supported by the .NET framework and OS. The bad thing about this though is that when newer versions of TLS are released it requires you to also add those.

    Snippet 1.0
    
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
    
    2 people found this answer helpful.

  2. AdamRobins-6968 96 Reputation points
    2021-10-05T18:54:38.367+00:00

    I have a VB.Net console app that has been running successfully for five years. This app uses OpenPOP to retrieve the contents of an Office 365 mailbox and save the attachments to a Windows Server network share. Starting last week, I am seeing the error "Authentication failed because the remote party has closed the transport stream" when connecting to the Office 365 server. This does not happen every time. The app runs via SQL Server Agent every five minutes and fails only several times per day. Sometimes it fails several times per hour, but other days it may not fail at all, but it is becoming more frequent. The server is currently on .Net 4.5.2.

    Example Code:

    ' Namespaces this fragment relies on
    Imports OpenPop.Pop3
    Imports System.Net.Security
    Imports System.Security.Cryptography.X509Certificates

    Dim client As New Pop3Client
    System.Net.ServicePointManager.SecurityProtocol = Net.SecurityProtocolType.Tls12 ' I just added this, but it is not helping.
    ' Third argument is useSsl (Boolean)
    client.Connect("outlook.office365.com", 995, True, 60000, 60000, New RemoteCertificateValidationCallback(AddressOf ValCert))
    client.Authenticate("OPUserName", "OPPassword", AuthenticationMethod.UsernameAndPassword)
    For i = 1 To client.GetMessageCount
        ...
        ...
    Next
    client.Disconnect()
    client.Dispose()

    ' Certificate callback: returns True for every certificate, so sslpolicyerrors is never checked.
    Function ValCert(ByVal sender As Object, ByVal certificate As X509Certificate, ByVal chain As X509Chain, ByVal sslpolicyerrors As SslPolicyErrors) As Boolean
        Return True
    End Function

    Beyond adding the explicit setting of TLS 1.2 I've not seen any other solutions to this issue. Any suggestions would be appreciated.

    Full error:
    10/5/2021 1:45:00 PM Type: I UMCAMail Start ---------------------------------
    10/5/2021 1:45:00 PM Type: E Function Main - AppID: 0 Message: Authentication failed because the remote party has closed the transport stream. StackTrace: at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
    at OpenPop.Pop3.Pop3Client.Connect(String hostname, Int32 port, Boolean useSsl, Int32 receiveTimeout, Int32 sendTimeout, RemoteCertificateValidationCallback certificateValidator)
    at UMCAMail.Module1.Main(String[] Args) in D:\arobins\Dropbox\ARF\Documents\Visual Studio Projects\Console Apps\UMCAMail\UMCAMail\Module1.vb:line 57
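
The protocol-version mismatch described in answer 1 and the intermittent client-side failure in answer 2 can be narrowed down by attempting the handshake one protocol version at a time. The C# probe below is an added example, not code from any poster in this thread; the host and port come from the command line, and it assumes .NET Framework 4.7 or later (or .NET Core), where `SslProtocols.None` defers to the operating system's defaults.

```csharp
// Added example (not from the thread). Host and port are supplied by the caller.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class TlsHandshakeProbe
{
    // Keeps certificate validation on: reports what the platform found and
    // accepts the certificate only when there are no policy errors.
    static bool ReportAndValidate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine($"    certificate: {cert?.Subject}, policy errors: {errors}");
        return errors == SslPolicyErrors.None;
    }

    // Attempts one handshake restricted to a single protocol setting.
    static string Probe(string host, int port, SslProtocols protocol)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false, ReportAndValidate))
            {
                ssl.AuthenticateAsClient(host, null, protocol, true);
                return $"negotiated {ssl.SslProtocol}";
            }
        }
        catch (Exception ex)
        {
            // An IOException here is the error from this thread: the peer
            // closed the connection before the handshake finished.
            return $"failed: {ex.GetType().Name}: {ex.Message}";
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 2) { Console.WriteLine("usage: TlsHandshakeProbe <host> <port>"); return; }
        // None = let the operating system choose; SSL 3.0 is deliberately not probed.
        foreach (var p in new[] { SslProtocols.None, SslProtocols.Tls12, SslProtocols.Tls11, SslProtocols.Tls })
        {
            Console.WriteLine($"{p}:");
            Console.WriteLine($"    {Probe(args[0], int.Parse(args[1]), p)}");
        }
    }
}
```

A run in which `Tls12` negotiates while `Tls11` and `Tls` fail shows that the peer refuses the older versions. Running it on both the failing and the working machine shows whether the difference lies in the client's default protocol set.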


  3. AdamRobins-6968 96 Reputation points
    2021-10-12T13:06:13.7+00:00

    I moved the process to a test server running .Net framework 4.7.2 (the production server is running 4.5.2) and the error has not occurred since then (about 5 days). When I get a chance, I will upgrade the production server to 4.7.2 and move the process back to see if the problem is still resolved.


  4. AdamRobins-6968 96 Reputation points
    2021-11-03T15:44:31.1+00:00

    The process ran successfully without a single failure in a test .Net 4.7.2 environment for over two weeks. Yesterday, I moved it back to the production server, following installation of .Net 4.7.2. It has not failed since then. The changes I made from the initial configuration were:

    1) Force TLS 1.2 by adding: "System.Net.ServicePointManager.SecurityProtocol = Net.SecurityProtocolType.Tls12" before the connect. Error still occurred after this.

    2) Compile with .Net 4.7.2 versus 4.5.2. No error yet after about 16 hours.

    I will continue to monitor.
