Azure db-mirroring "Authentication failed because the remote party has closed the transport stream."

Hi everybody,

So I've been hammering at this db-mirror running in Azure (with database and service in the cloud) for a long time now and I've basically run into a wall.

The error I'm getting is:

---

Current Operation: Mirroring table schemas

Authentication failed because the remote party has closed the transport stream.

---

 

The weird thing is that everything worked perfectly well when it was first set up, just to stop working about 6-8 hours later, and it hasn't worked since.

I'm at a loss here. 

RE: Azure db-mirroring "Authentication failed because the remote party has closed the transport stream."

Hi Johan, 

I think you need to tell us more about what you've done, to get any sensible answers back.

I've configured dbmirroring in Azure once, no problems other than a high bill from Microsoft.

Whenever we set up database mirroring we use the code from https://github.com/SuperOffice/devnet-database-mirroring, with no code changes at all. The only changes are done to the configuration in web.config.

By: Frode Lillerud 1 Oct 2021

RE: Azure db-mirroring "Authentication failed because the remote party has closed the transport stream."

Hi Frode,

I have done everything according to your guide and some internal documentation. I also added the override for validating the token according to your github account.

The service was up and running for about 6 hours just to start erroring at 18:36 without any interaction from anybody, so it's not like it never worked... It just stopped working without warning or explanation.

The other day I even did an entirely new project based entirely on your github-code (the previous codebase had some minor internal adjustments that we've documented from experience) and I still get the exact same error.

 

(And I now realize you're a partner and therefore with "your" I don't mean "your" but "SuperOffice's" :P )

Regards

By: Johan Spånberg 5 Oct 2021

RE: Azure db-mirroring "Authentication failed because the remote party has closed the transport stream."

To clarify,

The service is running as an Azure application (not on a VM).

SSL/TLS settings are set to 1.2 in Azure

 

The SQL database is also running in Azure.

 

There is a forwarding address which works, you can visit the link and the service is reachable through it.

 

Everything was up and running until later the same night. No changes were made from our end when it stopped working.

By: Johan Spånberg 7 Oct 2021

RE: Azure db-mirroring "Authentication failed because the remote party has closed the transport stream."

Hi Johan,

I think the forum discussion about TLS1.2 applies in this respect. Several search results lead down that path...

I haven't tested this out, but you may be able to just set the protocol in the service's constructor...

// Requires: using System.Net;
public MirroringClientService()
{
	if (ServicePointManager.SecurityProtocol.HasFlag(SecurityProtocolType.Tls12) == false)
	{
		// optionally remove TLS 1.0 and 1.1
		// ServicePointManager.SecurityProtocol &= ~(SecurityProtocolType.Tls | SecurityProtocolType.Tls11);
		ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
	}
}

Alternatively, enable TLS 1.2 via a registry setting on the service web server:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

This doesn't enforce 1.2, it just disables SSL3 and allows TLS 1.2 -- it also allows TLS 1.0 and 1.1, so you may want to download the IIS Crypto tool to easily disable these settings at the server level.

Hope this helps.

By: Tony Yates 10 Oct 2021
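
A startup diagnostic for checking which of the two suggestions above actually took effect, added here as an example (it is not code from the thread or from the SuperOffice repository). The class name `TlsSettingsReport` is hypothetical; it reports the protocol flags on `ServicePointManager` and the `SchUseStrongCrypto` value in both registry views.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.Win32;

// Added example (hypothetical class name): reports the TLS settings the
// process is running with, so the code fix or the registry fix can be verified.
public static class TlsSettingsReport
{
    const string NetFxKey = @"SOFTWARE\Microsoft\.NETFramework\v4.0.30319";

    // Names the protocol flags currently set on ServicePointManager.
    public static string EnabledProtocols()
    {
        SecurityProtocolType p = ServicePointManager.SecurityProtocol;
        if ((int)p == 0) return "SystemDefault (chosen by the OS)";
        var names = new List<string>();
        if (p.HasFlag(SecurityProtocolType.Ssl3)) names.Add("SSL 3.0");
        if (p.HasFlag(SecurityProtocolType.Tls)) names.Add("TLS 1.0");
        if (p.HasFlag(SecurityProtocolType.Tls11)) names.Add("TLS 1.1");
        if (p.HasFlag(SecurityProtocolType.Tls12)) names.Add("TLS 1.2");
        // Fall back to the raw enum text for flags not named above.
        return names.Count > 0 ? string.Join(", ", names) : p.ToString();
    }

    // Reads SchUseStrongCrypto from the 64-bit or 32-bit (Wow6432Node) view.
    public static string ReadStrongCrypto(RegistryView view)
    {
        try
        {
            using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
            using (var key = hklm.OpenSubKey(NetFxKey))
            {
                object v = key == null ? null : key.GetValue("SchUseStrongCrypto");
                return v == null ? "not set" : v.ToString();
            }
        }
        catch (Exception ex) when (ex is System.Security.SecurityException
                                || ex is UnauthorizedAccessException)
        {
            return "unreadable (" + ex.GetType().Name + ")";
        }
    }

    public static void Main()
    {
        Console.WriteLine("ServicePointManager protocols: " + EnabledProtocols());
        Console.WriteLine("SchUseStrongCrypto (64-bit): " + ReadStrongCrypto(RegistryView.Registry64));
        Console.WriteLine("SchUseStrongCrypto (32-bit): " + ReadStrongCrypto(RegistryView.Registry32));
    }
}
```

Calling `EnabledProtocols()` from the service's startup path and writing the result to its log shows whether TLS 1.0 or 1.1 is still enabled alongside TLS 1.2.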