NTM Authentication not working in .Net 5 #49434

Closed
marcino239 opened this issue Mar 10, 2021 · 11 comments

@marcino239

Description

NTLM auth is not working in .NET 5. NTLM auth works on .NET Core 3.1 with CredentialCache and AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);

We use .NET Core running on Azure AKS to talk to Windows Servers with NTLM auth. Password-based SPNEGO was not tested.

Configuration

  • Which version of .NET is the code running on? .Net 5, .Net Core 3.1
  • What OS and version, and what distro if applicable? Ubuntu 18.04, Alpine 3.12
  • What is the architecture (x64, x86, ARM, ARM64)? x64

Repro

testntlm by @JeroenBer

Info

Creating new ticket as an addition to #887 as suggested by @wfurt here. Here's the table showing graphically what's going on:

| Platform | Use NetworkCredentials | Use CredentialCache |
|---|---|---|
| Ubuntu 1804 .NET Core 3.1 | FAIL | Success |
| Ubuntu 1804 .NET Core 5.0 | FAIL | FAIL |

dotnet-issue-labeler bot added the area-System.Net.Http and untriaged labels on Mar 10, 2021

@ghost

ghost commented Mar 10, 2021

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.


@ManickaP
Member

> AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);

This switch doesn't exist in .NET 5.0. The CurlHandler, and automatic usage of WinHttpHandler, have been removed. You're now using SocketsHttpHandler instead of the CurlHandler you were using in 3.1 thanks to that switch, which explains why you're observing different behavior. However, I know next to nothing about auth, so I cannot speak to that. @wfurt will know more, but he's already been summoned 😄

@wfurt
Member

wfurt commented Mar 10, 2021

Do you have gss-ntlmssp installed, @marcino239? That is a prerequisite for Linux.

What failure do you get? Can you post the exception? E.g. does it fail to authenticate and you get HTTP 40x, or do you get any other errors?

@hez2010
Contributor

hez2010 commented Mar 10, 2021

How about forcing HttpClient to use HTTP/1.1?
NTLM doesn't support HTTP/2.

In your test code:

var httpRequest = new HttpRequestMessage()
{
    Method = HttpMethod.Get,
    RequestUri = new Uri(url),
+    Version = new Version(1, 1)
};

@ManickaP
Member

Triage: we should look into it.

ManickaP removed the untriaged label on Mar 11, 2021
ManickaP added this to the 6.0.0 milestone on Mar 11, 2021

@alexirion10

I'm having the same issue:
ubuntu container, dotnet5, gss-ntlmssp installed

2021-03-26T19:11:00.234304Z app[web.1]: System.AggregateException: One or more errors occurred. (GSSAPI operation failed with error - An unsupported mechanism was requested. NTLM authentication requires the GSSAPI plugin 'gss-ntlmssp'.)
2021-03-26T19:11:00.234345Z app[web.1]:  ---> System.ComponentModel.Win32Exception (0x80090020): GSSAPI operation failed with error - An unsupported mechanism was requested. NTLM authentication requires the GSSAPI plugin 'gss-ntlmssp'.
2021-03-26T19:11:00.23436Z app[web.1]:    at System.Net.Security.NegotiateStreamPal.AcquireCredentialsHandle(String package, Boolean isServer, NetworkCredential credential)
2021-03-26T19:11:00.234368Z app[web.1]:    at System.Net.NTAuthentication.Initialize(Boolean isServer, String package, NetworkCredential credential, String spn, ContextFlagsPal requestedContextFlags, ChannelBinding channelBinding)
2021-03-26T19:11:00.23438Z app[web.1]:    at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
2021-03-26T19:11:00.234393Z app[web.1]:    at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
2021-03-26T19:11:00.234405Z app[web.1]:    at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
2021-03-26T19:11:00.234428Z app[web.1]:    at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2021-03-26T19:11:00.234444Z app[web.1]:    at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
2021-03-26T19:11:00.234461Z app[web.1]:    at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)

example code snip

var httpClient= new RestClient("uri")
{
   Authenticator = new NtlmAuthenticator("username", "password")
};
httpClient.Execute(...);

@wfurt
Member

wfurt commented Mar 26, 2021

What is NtlmAuthenticator, @alexirion10? Can you post a simple HttpClient repro with the container? If not, at least do a packet capture.

@alexirion10

alexirion10 commented Mar 26, 2021

https://github.com/restsharp/RestSharp/blob/dev/src/RestSharp/Authenticators/NtlmAuthenticator.cs#L23

var uri = new Uri("http://.........");
var networkCreds = new NetworkCredential("username", "password");
var credentialsCache = new CredentialCache { { uri, "NTLM", networkCreds } };
var handler = new HttpClientHandler { Credentials = credentialsCache };
var httpClient = new HttpClient(handler) { BaseAddress = uri };
var response = httpClient.GetAsync(".....").Result;
return response.Content.ReadAsStream();

@wfurt
Member

wfurt commented Mar 26, 2021

Yeah, that should work. We will need some more info or a repro to diagnose, @alexirion10.
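
A minimal HttpClient repro of the kind requested in this thread, as an added example that is not part of the original discussion or the project's code: it registers the credential for NTLM through CredentialCache, pins the request to HTTP/1.1, and prints the runtime version, status, offered schemes and any exception chain. The environment variable names NTLM_URL, NTLM_USER, NTLM_PASSWORD and NTLM_DOMAIN are assumptions made for this example.

```csharp
// Added example, not from the thread. NTLM_URL, NTLM_USER, NTLM_PASSWORD and
// NTLM_DOMAIN are hypothetical environment variable names chosen for this repro.
using System;
using System.ComponentModel;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

class NtlmRepro
{
    static async Task<int> Main()
    {
        var url = Environment.GetEnvironmentVariable("NTLM_URL");
        var user = Environment.GetEnvironmentVariable("NTLM_USER");
        var password = Environment.GetEnvironmentVariable("NTLM_PASSWORD");
        var domain = Environment.GetEnvironmentVariable("NTLM_DOMAIN") ?? "";
        if (url is null || user is null || password is null)
        {
            Console.Error.WriteLine("Set NTLM_URL, NTLM_USER and NTLM_PASSWORD.");
            return 2;
        }

        var uri = new Uri(url);
        // Register the credential for the NTLM scheme only, as in the thread.
        var cache = new CredentialCache { { uri, "NTLM", new NetworkCredential(user, password, domain) } };
        using var handler = new HttpClientHandler { Credentials = cache };
        using var client = new HttpClient(handler);
        // Pin HTTP/1.1, per the suggestion earlier in the thread.
        using var request = new HttpRequestMessage(HttpMethod.Get, uri) { Version = HttpVersion.Version11 };

        try
        {
            using var response = await client.SendAsync(request);
            Console.WriteLine($"{Environment.Version} {(int)response.StatusCode} {response.StatusCode}");
            // List the authentication schemes the server challenges with, if any.
            foreach (var challenge in response.Headers.WwwAuthenticate)
                Console.WriteLine($"WWW-Authenticate: {challenge.Scheme}");
            return response.IsSuccessStatusCode ? 0 : 1;
        }
        catch (Exception ex)
        {
            // Walk the chain: the GSSAPI failure in the thread surfaced as a Win32Exception.
            for (var e = ex; e != null; e = e.InnerException)
                Console.Error.WriteLine($"{e.GetType().FullName}: {e.Message}" +
                    (e is Win32Exception w ? $" (NativeErrorCode=0x{w.NativeErrorCode:X8})" : ""));
            return 3;
        }
    }
}
```

Reading the credentials from the environment keeps the account password out of the source and out of anything pasted into the issue.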

@wfurt
Member

wfurt commented Mar 26, 2021

Note: if you don't want to share data here, send an email to my GH address, @alexirion10.

@karelz
Member

karelz commented May 4, 2021

Closing as there is not enough data to make it actionable. Feel free to reopen if/when there is something we can work with. Thanks!

karelz closed this as completed on May 4, 2021
ghost locked as resolved and limited conversation to collaborators on Jun 3, 2021