WCF: Unable to add service reference - "System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission' failed" - after installing KB 2938782
Issue:
Client app: Console Application running with Partial Trust
Functionality broken: Add Service Reference for SSL hosted web service
Error:
System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed
Important condition:
Affected box has the following KB installed: KB 2938782
Comparison with working box:
In the "working" trace, SchUseStrongCrypto is set to 0; in the failing trace it is set to 1.
SchUseStrongCrypto:
https://blogs.msdn.com/b/tdevere/archive/2014/11/11/ssl-handshake-clienthello-receives-encrypted-alert.aspx
SchUseStrongCrypto
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379810(v=vs.85).aspx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
Instructs Schannel to disable known weak cryptographic algorithms, ciphersuites, and SSL/TLS protocol versions that may be otherwise enabled for better interoperability.
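STACK TRACE captured from failure IDNA (read bottom-up: during TLS authentication System.Net initializes its strong-crypto settings, the registry configuration lookup makes a P/Invoke call, and the security demand on that call fails under partial trust):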
0:000> kc
Call Site
kernelbase!RaiseException
clr!RaiseTheExceptionInternalOnly
clr!IL_Throw
mscorlib_ni!System.Security.CodeAccessSecurityEngine.ThrowSecurityException(System.Reflection.RuntimeAssembly, System.Security.PermissionSet, System.Security.PermissionSet, System.RuntimeMethodHandleInternal, System.Security.Permissions.SecurityAction, System.Object, System.Security.IPermission)
mscorlib_ni!System.Security.CodeAccessSecurityEngine.CheckHelper(System.Security.PermissionSet, System.Security.PermissionSet, System.Security.CodeAccessPermission, System.Security.PermissionToken, System.RuntimeMethodHandleInternal, System.Object, System.Security.Permissions.SecurityAction, Boolean)
clr!CallDescrWorkerInternal
clr!CallDescrWorkerWithHandler
clr!DispatchCallDebuggerWrapper
clr!DispatchCallSimple
clr!SecurityStackWalk::CheckPermissionAgainstGrants
clr!DemandStackWalk::CheckGrant
clr!DemandStackWalk::WalkFrame
clr!Thread::StackWalkFrames
clr!DemandStackWalk::DoStackWalk
clr!SecurityStackWalk::Check_StackWalk
clr!SecurityStackWalk::Check_PLS_SW
clr!SecurityStackWalk::SpecialDemand
clr!SecurityDeclarative::DoDeclarativeActions
clr!DoDeclarativeActionsForPInvoke
clr!StubHelpers::DemandPermission
system_configuration!DomainBoundILStubClass.IL_STUB_PInvoke()
system!System.Net.RegistryConfiguration.GetAppConfigValueName()
system!System.Net.RegistryConfiguration.AppConfigReadString(System.String, System.String)
system!System.Net.ServicePointManager.EnsureStrongCryptoSettingsInitialized()
system!System.Net.TlsStream.ProcessAuthentication(System.Net.LazyAsyncResult)
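Workarounds:
- Set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto to 0. This turns off the behaviour described above, so the weak cryptographic algorithms, cipher suites and SSL/TLS protocol versions are no longer disabled.
- Migrate to .NET Framework 4.6.
- If neither of the above is possible, request a hotfix from Microsoft, quoting the following internal hotfix number: 3064715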
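To compare a working and a failing machine on the conditions listed above, the following script reports whether the KB is listed, the SchUseStrongCrypto value in both registry views, and whether .NET Framework 4.6 or later is present. It is an added example, not part of the original post; the function names, the Wow6432Node path, and the Release threshold of 393295 for 4.6 are not taken from the post.

```powershell
# Added example, not from the original post: collects the values the post compares.
$kbId = 'KB2938782'   # update named in the post
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # path from the post
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit view on 64-bit Windows (assumption)
)

# Hypothetical helper: returns the registry value, or $null if the key or value is absent.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Hypothetical helper: builds one report object per machine.
function Get-StrongCryptoReport {
    $rows = foreach ($key in $keys) {
        $value = Get-RegistryValueOrNull -Path $key -Name 'SchUseStrongCrypto'
        $state = if ($null -eq $value) { 'not set (framework default applies)' } else { [string]$value }
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $state }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; an update missing from that list is
    # inconclusive, so confirm in the installed-updates view before ruling it out.
    $kb = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue

    # Release >= 393295 means .NET Framework 4.6 or later is installed.
    $release = Get-RegistryValueOrNull -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name 'Release'

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        KbListed     = [bool]$kb
        NetRelease   = $release
        Net46OrLater = ($null -ne $release -and $release -ge 393295)
        StrongCrypto = $rows
    }
}

Get-StrongCryptoReport | ConvertTo-Json -Depth 3
```

Run it on both machines and diff the JSON output; the failing pattern described in the post is the KB present with SchUseStrongCrypto set to 1.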
Hope this helps!