[release/8.0] Fix NegotiateStream connections between Linux clients and Windows servers #102216
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…vers (dotnet#99909) * Send the NegotiateSeal NTLM flag when client asked for ProtectionLevel.EncryptAndSign. Process the last handshake done message in NegotiateStream. In case of SPNEGO protocol it may contain message integrity check. Additionally, if the negotiated protocol is NTLM then we need to reset the encryption key after the message integrity check is verified. * Add test for the NegotiateSeal flag * Fix the test * Dummy commit * Fix the new _remoteOk logic in NegotiateStream to fire only when HandshakeComplete. If HandshakeComplete is not true, then the authentication blob will get processed with the normal flow. * Fix the value of NegotiateSeal in the final authentication message of Managed NTLM
|
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones |
wfurt
approved these changes
May 14, 2024
There was a problem hiding this comment.
LGTM. Assuming this does not depend on any other 9.0 fixes.
cc: @filipnavara
|
This one is isolated. I would also like to backport the PR that fixed calculation of channel binding hash (#95898). |
|
/azp run runtime |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/ba-g Test failure is #96407 |
… into 99909-release-8.0
|
approved via email on 6/7 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manual backport of #99909
Fixes #99227
Customer Impact
Reported by customer via official support channel - they need same behavior on Linux, which works also on Windows and on .NET Framework.
Customers were facing issues when connecting from Linux to Windows when using the
ProtectionLevel.EncryptAndSignvalue asNegotiateAuthenticationClientOptions.RequiredProtectionLevel. This scenario is common when connecting to WCF services hosted on Windows using WCF clients on Linux.The bug affects primarily Android clients -- that is where the Managed NTLM implementation is used. We also allow the Managed NTLM as opt-in on macOS and Linux which would be likewise affected if the developer chooses to enable the
System.Net.Security.UseManagedNtlmapp context switch (which is rare).Regression
No
Testing
Unit test was added. Validated by customer who reported the issue via official servicing channel.
Risk
Low; the modified code path is in platform specific code for a single authentication scheme. There is test coverage for the change.