Udostępnij za pośrednictwem


ServiceBus 1.1 stops responding when TLS 1.0 is disabled.

Symptom:

After applying a recent Windows Security patch, you may find that Service Bus for Windows Server 1.1 is unresponsive. The services may not start. Or if the services do start, they do not respond to client requests.

Analysis:

ServiceBus 1.1 utilizes Windows Fabric Service 1.0 internally. We found the failure is on activating fabric runtime through debugging.

Debug log:
======================
0:008> !pe
Exception object: 0000001f3a901870
Exception type: System.InvalidOperationException
Message: The operation is invalid.
InnerException: System.Runtime.InteropServices.COMException, Use !PrintException 0000001f3a8fa4b0 to see more.
StackTrace (generated):

StackTraceString:
HResult: 80131509
0:008> !PrintException /d 0000001f3a8fa4b0
Exception object: 0000001f3a8fa4b0
Exception type: System.Runtime.InteropServices.COMException
Message: Exception from HRESULT: 0x80071BFD
InnerException:
StackTrace (generated):
SP IP Function
0000002160ECEDC0 0000000000000000 UNKNOWN!System.Fabric.Interop.NativeRuntime.FabricGetActivationContext(System.Guid ByRef)+0x1
0000002160ECEEB0 00007FF9EB80AA1B UNKNOWN!System.Fabric.FabricRuntime+NativeFabricRuntimeFactory.GetCodePackageActivationContextHelper()+0x3b
0000002160ECEF00 00007FF9EB8071FD UNKNOWN!System.Fabric.Interop.Utility.WrapNativeSyncInvoke[[System.__Canon, mscorlib]](System.Func`1, System.String)+0x7d

Also, we found TLS 1.0 is disabled by the Windows security patch under the following registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Conclusion:

After discussing with Windows Fabric production group, they do confirm that Windows Fabric 1.0 depends on TLS 1.0 but the new Fabric 2.0 has removed this dependency. Hence ServiceBus 1.1 won't work with TLS 1.0 disabled. Since Workflow Manager 1.0 utilizes ServiceBus 1.1 as well, WFM will also be impacted.

The solution is to re-enable TLS 1.0 in registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Best regards,
WenJun Zhang