I’m getting this SecurityNegotiationException on one of the environments I’m deploying to. The setup on this environment is basically identical to another one where deployment is working. I’ve created an exception in the firewall on this machine in addition to completely turning the firewall off. I’ve tried both the name of the machine on the network as well as the IP address (both with the 10933 port). I’ve copied the certificate from the Octopus server to the Tentacle’s configuration multiple times, but I’m still getting this error. Have you encountered any other reasons why this might arise?
2011-09-06 21:22:00 ERROR System.ServiceModel.Security.SecurityNegotiationException: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. —> System.ServiceModel.FaultException: The request for security token has invalid or malformed elements.
at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
Thanks Zach, I’ll add some better diagnostics to this tonight and
hopefully we can figure it out. Sorry for the inconvenience.
Paul
Hi Zach,
The reasons you mentioned - bad IP address, firewall, incorrect certificates are usually the problem.
Can you check the event logs on both the Tentacle and Octopus? When security negotiation fails both services should log the reason for the failure.
Paul
That was helpful. I’m not sure why I didn’t check the log yesterday. Here’s the error on the tentacle machine:
- Rejected communication because it was signed with the wrong certificate; the public key of the certificate was:
I suspected that that was the problem and copied the certificate from the server tool to the tentacle, “Installed Certificates”, and restarted the service multiple times. No luck.
The strange thing is that every time I open the Tentacle Configuration, a different certificate value appears in the textbox. For instance, it’s
MIIBMTCB3KADAgECAhAU1KVqX1aSlE2ruoafHotEMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDk9jdG9wdXMgUG9ydGFsMCAXDTExMDgxNDA1MDAwMFoYDzIxMTEwODE1MDUwMDAwWjAZMRcwFQYDVQQDEw5PY3RvcHVzIFBvcnRhbDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCrf/0Vpxl3kfwYFwRxaPLv7R/vPv0YN0RbVjcE6RKgpXVUYV2SjOxViN9FOf7zQK24Pmuv3ZqdMFUFKyyYrhSbAgMBAAEwDQYJKoZIhvcNAQEFBQADQQClD6jGONlti+hTLn+YjGG99qCKwe2JSTHopLfYfOmdC76qnuc1wjgBSEHxNehSxUX0qhwPflOlcqUFKvrIpXL/,MIIE0gIBAzCCBJIGCSqGSIb3DQEHAaCCBIMEggR/MIIEezCCAqQGCSqGSIb3DQEHAaCCApUEggKRMIICjTCCAokGCyqGSIb3DQEMCgECoIIBljCCAZIwHAYKKoZIhvcNAQwBAzAOBAiKNf1zbxYRmAICB9AEggFwT2GaAS0zPJVBYVptngC571DDCkkClfiPVCbJttNcOVOyVK8AUCf2PzqywPqVNtztOWmA3xEeb6+hQpltj1XCQmTSh/FReRXd9vkrKO7QhY5faem+0RDBcltr3yB3K11NtsBd84wZjp9C7/WhWfcS/qwHHyBDYCciNKJsETAR0fhOK7mVHYondeiVai+1kCpUKOtRkKetFMGjFNrQlzUQeYqH+yAaWt8i+eOizaw8r0KF+NlhN8EAAsC45/7zbRyrV4+DaXA4Yoa99gYvvP489jevFqTYjfkScKt6wJT2RiDc9P0WCnLVw7K5tpKCzF0UYfom7ok9b6JEpMxwwuabhf4qrHeKJFF2Qym7aT76nxj/h2SIUcOFyFh0Ir8qwqoav/h5JKzTEwRJUpZgYOQCP4s8p4RXaU3PWKiPrfGOap5/qiqz3rwnMndeXHrjxdazcvzLjT8IzLugKMl+CNqM/GkeTg+xGFwHf9ijWcrb/uMxgd8wEwYJKoZIhvcNAQkVMQYEBAEAAAAwWwYJKoZIhvcNAQkUMU4eTAB7ADEAMgBDAEEANwBGADgARgAtADkAOQA1AEQALQA0ADgAQwA2AC0AOQBDADYANQAtADMAOQA2ADUAOAA3ADcARgAyADUANAA5AH0wawYJKwYBBAGCNxEBMV4eXABNAGkAYwByAG8AcwBvAGYAdAAgAEUAbgBoAGEAbgBjAGUAZAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIAIAB2ADEALgAwMIIBzwYJKoZIhvcNAQcGoIIBwDCCAbwCAQAwggG1BgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBBjAOBAhc5qIf3w6UOgICB9CAggGIRYcDuNyVmem4EJEd9y85NUNkQBVeEh2R2tZoSIpj/rCAvFCQntheRf/db5oKVx9i+Om6XXKEKqSX5X3HTB0BOhMXsRI6Q0yIk2ZfebH673tE9ASs+htdp3oTPiujbzJYuD1IUfzMPmc/th/eAA0bJq4zQr9HzIZcMChvvn13V8/gWGOEznUJSGDpl3UtLV4PK0IIwjHBha82r985++iHoxNGiZOUaCfUGRbmTYmiabsBU+7FuyhFBqVZQrBtTrNuneX7fiBd18/LFF/SamEhSJDiReLWbDaieHnhLluroVH+lNLy5PuPXdN2oJ5zFl/31YPXYPMxrubXpu2HGXBOzb1rkAE2rmJvT6AA2s/ZcpdAXzy4BkOYSAEQQHv6hvqvTFKaeCZf37qFacngw4LiA5abdG5XXxfjuElnfeEBpZN38uL1/A7jbRgZVuqyO0hSPzZnKwRbfjn9mBLkcxPwVDjYlRXuiUKp44NnHD55m8vIp8JiGdACK8JOqK0NUuOWXi99ocTbaiswNzAfMAcGBSsOAwIaBBRB8D7wKLGYFmjiXCm/1h2MGiHOCAQUSayexPEljkKM6ihYU3HtepVT974=
Now. But when I close and reopen, the value is:
MIIBMTCB3KADAgECAhAU1KVqX1aSlE2ruoafHotEMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDk9jdG9wdXMgUG9ydGFsMCAXDTExMDgxNDA1MDAwMFoYDzIxMTEwODE1MDUwMDAwWjAZMRcwFQYDVQQDEw5PY3RvcHVzIFBvcnRhbDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCrf/0Vpxl3kfwYFwRxaPLv7R/vPv0YN0RbVjcE6RKgpXVUYV2SjOxViN9FOf7zQK24Pmuv3ZqdMFUFKyyYrhSbAgMBAAEwDQYJKoZIhvcNAQEFBQADQQClD6jGONlti+hTLn+YjGG99qCKwe2JSTHopLfYfOmdC76qnuc1wjgBSEHxNehSxUX0qhwPflOlcqUFKvrIpXL/,MIIE0gIBAzCCBJIGCSqGSIb3DQEHAaCCBIMEggR/MIIEezCCAqQGCSqGSIb3DQEHAaCCApUEggKRMIICjTCCAokGCyqGSIb3DQEMCgECoIIBljCCAZIwHAYKKoZIhvcNAQwBAzAOBAi9+vPrXwmVNwICB9AEggFw4YYH0N+SgEZSZeERoRmAEn+rsupzxsgkhviVKZCG4BLl5fNOcF2D4zGIH+PPRWsP3JvKmpM9XcrB6TVHv58eYuyKq3vwZT9kSDAKPxeanKZYcnCFzuPeb8At5oH9w2MprZtZ+gpGaNuBvliS6X3FCjJ8+1A3KWWFS8DoPr8BP1rVkLocGCuRmuOHMgxR0/ECNGDsMAAh2edTLTcBpE58+jKNn/Thyhxz5A+oRCsUfAvTgk53hyPzxsUGNYHx3j+LbtV1rqoOEjrS6lPc9cP1XlXGyaqMZsZUjI6hTfkHrGwaMEe2Ff+snUBIjCYyrs77S2mf0Bl8AIrP50f/XfHhIkoZHlTg8187FHVy0YK5hlUQrhNx+o6fb2omQMvR80qYFzPhcpm3iJn09XLsHl+HbJXfKq3l8B+oHVKA9Y3HHCEd56sWH56dJvXl8euI1SdUOJoUNhJyCb/vqiVDTtJ/DQW0A4XtuFquSb+yqK5FyAoxgd8wEwYJKoZIhvcNAQkVMQYEBAEAAAAwWwYJKoZIhvcNAQkUMU4eTAB7AEQAMABDAEMAMQBBADkARQAtADEAOQAwAEMALQA0AEYAMAAyAC0AQQA5ADcAMgAtADUAMQBGADgAQQAyADUAMwBGADUAMwAzAH0wawYJKwYBBAGCNxEBMV4eXABNAGkAYwByAG8AcwBvAGYAdAAgAEUAbgBoAGEAbgBjAGUAZAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIAIAB2ADEALgAwMIIBzwYJKoZIhvcNAQcGoIIBwDCCAbwCAQAwggG1BgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBBjAOBAhAiSF8zmp8EgICB9CAggGIo0g1+9plmWg/Yx41izr+H30+AynkPBpkpepkIPRbAfhWoDjr8X8TszslWJ+x8rLCPz/cfNXUXVV0v1Gft5I/cm+fiTwZc8A79A5FYUEHYNQfz2LrrhhgLGKz8APsmHq3Ie3FZ5icUzq9fUk1KILhSzvMXKv5qCcje6DdOGchvLmAIY6bgzCX/vAfsaTzh+yRv9frn52ged4/UEGtTF/gwLbxHgGZBdKOfF3089DfYKBKqzfze4lgfKPRdRJ3reWc0unW01Dmz2YTH/GyUspvCiG7L2aUzr+/Zz7FQQYAkAmdYj4TOWJXRagkLi8StvkkEKZDns+XjF4bbIdSn6IHucfcJMrgmAOzDDC+s5fTipi49xsMcIJdFhHY7EewR1EJ2zcTJK6TiFbsgFcqIoqrvRXct7Zr8vNZehSuxL64/KNOB7h4++SZ7U0Hz1lbQtWeXvygaW73sDAPMdA2x4gnWT2aWgz9QPmcPwLC/fyBX3bKAjT+aC7sto0g8/Z/PkGOYq0YI1gWERUwNzAfMAcGBSsOAwIaBBR/7iNwBHZleiup1gG0NBaCVzZNtQQUIcLECKwJpWoEgH1ScgOm5LY7Hz0=
Shouldn’t the value stay the same until a install a new certificate?
Hi Zach,
After pasting the value in, do you click the button to save it? Perhaps
check that the user accout you run the tool with is a local admin on
the box.
Paul
From: Zachary Rankaitis(TT)
Sent: Wednesday, 7 September 2011 8:46 PM
To: paul@octopusdeploy.com
Subject: Re: SecurityNegotiationException on Deployment [Problems]
Yeah. I just reinstalled the Tentacle and still got the error after pasting in the certificate from the server. The Tentacle config tool still have a certificate value listed in it after I did the uninstall and reinstalled, which was strange. Apparently the uninstall doesn’t wipe it. I also tried generating a new certificate on the server and using that. No luck.
Hi Zach,
My apologies, the installer won’t wipe the registry entry - it’s by design
so you don’t lose the key when upgrading, sorry I forgot.
Using Regedit, can you check the contents of HKLM/Software/Octopus? There
should be two Cert= lines. Uninstall Tentacle, delete those two entries, and
then install Tentacle again, and paste in your new key after the
installation. Let’s see if that fixes it.
Also, Is this a 64 or 32 bit build of Windows?
Regards,
Paul Stovell
Hi Zach,
I know what the problem is in the Tentacle installation tool - if the
certificate is installed already it won’t re-install it. There’s actually a
reason for that - if Octopus and Tentacle are run on the same machine, you
don’t want one to override the other (since the Octopus has both private
keys, the tentacle only gets one).
I do it by matching the certificate thumprints which happen to match in this
case, so they are not overridden. I’m working on a rewrite of the
installation tools at the moment, which will include a fix for this problem.
For now, deleting the two Cert- entries in the registry
(HKLM/Software/Octopus) will fix the problem.
Sorry for the inconvenience!
Regards,
Paul Stovell
On Thu, Sep 8, 2011 at 10:48 PM, Paul Stovell paul@octopusdeploy.comwrote:
Hi Zach,
My apologies, the installer won’t wipe the registry entry - it’s by design
so you don’t lose the key when upgrading, sorry I forgot.
Using Regedit, can you check the contents of HKLM/Software/Octopus? There
should be two Cert= lines. Uninstall Tentacle, delete those two entries, and
then install Tentacle again, and paste in your new key after the
installation. Let’s see if that fixes it.
Also, Is this a 64 or 32 bit build of Windows?
Regards,
Paul Stovell
On Thu, Sep 8, 2011 at 10:32 PM, Zachary Rankaitis(TT) <
tender2+da920137b50276f34f29cb62c2d6e03a1b72f6ef6@tenderapp.com> wrote:
This actually didn’t work. I’m not sure why, either. I uninstalled the broken tentacles, deleted the two certificates from those machines, then reinstalled with the certificates from the server. Didn’t work. I then copied the two certificate values in the registry of the server to the registry of the tentacle and that didn’t work either.
Ok. I cleared out the registry on client and server and reinstalled with the latest version of each, with all new certificates and it’s working again.
Hi Zachary,
Thanks for letting me know, I can’t work out why it wouldn’t have worked the
first time you deleted the certificates. I’ll release a new version tonight
with a fix in the setup tools that forcibly deletes the registry keys. Sorry
again for all the hassle this caused you.
Regards,
Paul Stovell
Hi Zachary,
I feel like a total n00b - I thought the problem was down to the thumbprints
matching, but it was actually a much simpler issue - I forgot to Close() a
registry key after writing to it, so the value was never persisted!
There will be a new build in a couple of hours with a fix.
Regards,
Paul Stovell
On Fri, Sep 9, 2011 at 6:13 PM, Paul Stovell paul@octopusdeploy.com wrote:
Hi Zachary,
Thanks for letting me know, I can’t work out why it wouldn’t have worked
the first time you deleted the certificates. I’ll release a new version
tonight with a fix in the setup tools that forcibly deletes the registry
keys. Sorry again for all the hassle this caused you.
Regards,
Paul Stovell
On Fri, Sep 9, 2011 at 5:24 PM, Zachary Rankaitis(TT) <
tender2+da920137b50276f34f29cb62c2d6e03a1b72f6ef6@tenderapp.com> wrote:
Hi Zach,
Thanks for being on the call today, it was great to chat with you.
This build contains a fix for the registry issue:
Paul