NET8 WcfClient (net-tcp binding) running on linux cannot be authenticated on WCF Server hosted on windows if UseManagedNtlm is set #99227
Comments
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
|
cc: @filipnavara |
Thanks. I have the issue on my radar. I was just preoccupied with other stuff and didn't get to analyze the data yet. |
So .NET 9 does not work either, @AlexanderUsmanov, e.g. #95725 is not sufficient? |
Note that Ubuntu 23.10 should have updated gss-ntlmssp (1.2.0-1) e.g. the native layer should work again with OpenSSL 3. |
I tested the sample with .NET 9 (P3 daily build) and it's not resolved. |
Unfortunately no. I tried to do the following:
|
Triage: Tentatively set to 9.0 milestone. |
I'll have a look... but it may have to wait a few days. |
Thank you, I don't think this issue is immediately urgent. In the worst case I can dig into it once I run out of higher priority tasks. |
I had a moment to analyze this in more detail. Turns out that the authentication succeeds with the Managed NTLM (verified both by Wireshark logs and Event Viewer) but the server replies with
I will have to dig on the .NET Framework side to figure out what parameters it expects. Notably, the negotiation did end up negotiating both signing and encryption, NTLMv2, and ended up doing a message integrity check. A cursory look indicated that it could be related to SPN (which would easily be mismatched in my local setup that uses IP addresses) or impersonation level: |
I got a bit further, the Windows side rejects the authentication because of the confidentiality level. It thinks that the negotiate authentication doesn't have encryption. Plot thickens. UPD: Upon re-reading the Wireshark trace, |
I managed to get the handshake working by fixing the negotiation of the |
I checked the fix on net8 and it works for me. Is there any chance to include it in net8? |
That would be taking #99909, right? .NET 8 does not have |
It doesn't have the SDK switch but it has all the functionality. The sample in the original post sets the switch at runtime through |
@wfurt what do you think about this fix being included in net8? I need this specifically in net8, since I can only use the LTS version of dotnet. |
Description
Hello!
I found a problem while trying to connect to a WCF service hosted on Windows over a net-tcp connection using a WCF client on Linux with Windows local user credentials. The problem occurs only when the switch System.Net.Security.UseManagedNtlm is set to true. Otherwise it works on Ubuntu 20.04. On Ubuntu 22.04 and higher there is a known issue with OpenSSL 3+ (see #67353), and in this case it works only with the workaround described here: #67353 (comment).
I also tried to apply the fix from #95725 but it doesn't work for me.
Is there any chance to get a fix for this problem in net8?
Reproduction Steps
Here is repository with reproduction solution and steps: https://github.com/AlexanderUsmanov/WcfClientNet8-issue
Expected behavior
Managed NTLM working
Actual behavior
Managed NTLM failing
Regression?
No response
Known Workarounds
Use the unmanaged implementation, which works only with OpenSSL versions < 3.0 (because in OpenSSL version 3 and higher MD4 was marked as deprecated).
Configuration
Client:
Server:
WCF binding: net-tcp
Other information
I have captures of traffic using both managed and unmanaged NTLM authentication over net-tcp
Captures.zip
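As an added example (not code from this issue or from dotnet/runtime): when comparing captures such as the managed and unmanaged NTLM traces mentioned above, the NegotiateFlags field of each NTLMSSP message shows whether signing and sealing (encryption) were negotiated. The function names and the sample flag values are constructed for illustration; the field offsets and flag bits follow the NTLM specification (MS-NLMP).

```python
import struct

# Flag bits from the NTLM specification (MS-NLMP, NegotiateFlags).
FLAGS = {
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
# Byte offset of NegotiateFlags per message type:
# 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE.
FLAG_OFFSET = {1: 12, 2: 20, 3: 60}


def negotiate_flags(msg: bytes):
    """Return (message_type, set of flag names) for one raw NTLMSSP message."""
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    off = FLAG_OFFSET.get(mtype)
    if off is None:
        raise ValueError(f"unknown NTLM message type {mtype}")
    if len(msg) < off + 4:
        raise ValueError("message truncated before NegotiateFlags")
    (raw,) = struct.unpack_from("<I", msg, off)
    return mtype, {name for bit, name in FLAGS.items() if raw & bit}


def compare(msg_a: bytes, msg_b: bytes):
    """Security-relevant flags present in only one of two same-type messages."""
    type_a, a = negotiate_flags(msg_a)
    type_b, b = negotiate_flags(msg_b)
    if type_a != type_b:
        raise ValueError("messages are of different types")
    return {"only_a": sorted(a - b), "only_b": sorted(b - a)}


def _negotiate(flags: int) -> bytes:
    # Constructed sample: minimal NEGOTIATE message, empty domain/workstation fields.
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + bytes(16)


# Constructed flag values for illustration, not taken from the issue's captures.
SAMPLE_A = _negotiate(0xE2088215)  # signing requested, sealing not requested
SAMPLE_B = _negotiate(0xE2088235)  # signing and sealing requested
print(compare(SAMPLE_A, SAMPLE_B))
```

To use it on a real trace, copy the NTLMSSP blob bytes out of the capture for the same message type from each run and pass both to `compare`.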