Dns.GetHostAddressesAsync fails with SocketException when called during impersonation #29935
Comments
|
cc: @kouvel @stephentoub @danmosemsft |
|
ASP.NET Core does not do any impersonation, a user has to do it manually by calling WindowsIdentity.RunImpersonated. Do you mean how the WindowsIdentity is created? It's created from a handle provided by Http.Sys, IIS, or NTAuthentication. |
Yes. Thanks for clarifying that ASP.NET Core doesn't control how the identity token handle is created. It is made from http.sys. So,this further reinforces the severity of this issue in that WindowsIdentity.RunImpersonated() is behaving differently on .NET Core compared with .NET Framework. Issue #29351 is being caused as a direct result of this issue. |
|
@Tratcher wanted to but couldn't get to this. I will have to pick it up after the 4th holiday. |
|
@brentschmaltz did you get chance to look at it? Are you going to fix it for 3.0? (i.e. in next few days) @Tratcher is it blocker for 3.0? |
Not blocking for 3.0 as this wasn't a regression. It may be a patch candidate for 2.2 (and 3.0) depending on the fix. |
|
Moving to 5.0 since I don't believe this currently meets the bar. |
|
I have a similar issue in that exceptions thrown inside the Action supplied to RunImpersonated can't be caught. May be this is related? |
|
Looks like it is working for IP address but not working on hostname. |
|
@davidsh you mentioned that GetAddrInfoExW is making an async call where before we didn't. I wonder if GetAddrInfoExW is sensitive to the impersonation token of the calling thread, and the DNS code isn't flowing the impersonation token to the continuation/EndGetHostAddresses thread? Related: https://github.com/dotnet/corefx/issues/24977. It's not clear to me why we're blaming RunImpersonated for this when we said that we didn't call GetAddrInfoExW on .NETFramework. Is it possible that the implementation of GetHostAddressesAsync |
It's possible but I haven't done any further investigation on this. |
maryamariyan
added
the
untriaged
|
I'm not 100% positive it's the same issue, but it sounds similar. Inspecting the problem with ProcMon and WireShark showed, that there is no attempt made to get the S4U-Token in such a way it would be acceptable by the target server. The older application will make an KRB5 request which fails due to pre-auth and then go on and issue an KRB5 request which proceeds and creates the needed token. |
|
I second this issue. I'm having to rewrite our .NET Core application back to .NET Framework solely because of this bug - our entire implementation relies on this working. |
|
FYI: We removed async from our impersonated calls with no luck. |
Yes, that would be helpful. It would allow us to diagnose it faster. |
|
Okay I have an application which repros the problem, but the environment needs to be properly configured (btw. running locally is also messy, since it won't load DLLs correctly on non admin accounts). What do you need:
The unexpected error for me was:
If you'd like to: my machine is setup and I can access it with you via Teams or something similar. |
|
Windows Authentication in .net core does indead not seem to work as in full framework. |
|
@bartonjs do you know what the root cause is? |
|
@brentschmaltz I don't, no. But I don't know anything about impersonation. I believe that the hope is that you would tell us 😄. |
|
This issue is blocking a number of customers from moving to core. Is it possible to backport to 3.1 as that is the LTS branch? |
ghost
added
the
in-pr
|
I submitted fix to 6.0 branch. It would be great if interested users can give it try and provide feedback: https://github.com/dotnet/installer |
|
@danmosemsft what is the process & bar for backporting to 3.1? |
|
@karelz same template, same label, but of course the PR is against corefx repo. The bar is higher, but multiple customers blocked from moving to Core is a strong argument. This seems worth a try. If it is ready for tactics tomorrow it might be possible to merge it by Friday which is the cutoff for Febuary. |
|
They would strongly prefer that we have a customer who has tried out the privates though. |
|
The reason to back port to 3.1 is that is the LTS version, and many customers need to be on the version that will get them long term support. I will reach out by email to the customer. |
|
It would be good to understand whether it is important to get it out quickly, as well. If February is not necessary, you have an extra month for a customer to validate the change. |
|
I would rather wait until we get validation of privates -- @wfurt what do you think? |
|
either way is fine. I think it would be nice to get some feedback before we rush to 3.x. It is broken for very long time so I doubt one month would really matter. Also for the record, the discussion with Windows team is still going on and OS fix may or may not be available. |
ghost
removed
the
in-pr
|
I have taken the release 5.0.3 and i am trying to run this code in IIS with Network service account. and Network service account has access on shared location. i am getting this error NT AUTHORITY\NETWORK SERVICE Could not find a part of the path 'z:\a.txt'. Am i Missing some thing? i though now it should work. [HttpGet]
public string Get()
{
WindowsIdentity current = WindowsIdentity.GetCurrent();
string message = current.Name;
try
{
WindowsIdentity.RunImpersonated(current.AccessToken, new Action(() => message+= System.IO.File.ReadAllText("z:\\a.txt")));
}
catch (Exception exception)
{
message+=exception.Message;
}
return message;
}
|
|
@som-nitjsr this bug fix was about DNS not working. Your code seems to be unrelated. Or am I missing something? |
|
I am good now this code in working by using UNC path. |
|
there is no plan for 3.1 right now AFAIK @som-nitjsr. You can try to talk to @karelz and @samsp-msft about business impact. |
|
Does anyone know since when this has been broken? I recently moved from 2.1 to 3.1 and now realised this is not working correctly. I'm not sure if this was working on 2.1 and I can't go back so easily just to test this. I remember successfully trying this longer ago on 2.1 but I might have been using an IP address and therefore unknowingly avoiding this problem. |
Since (including) 2.1. |
|
Are there any news about 3.1? Is there maybe any workaround for this at least? |
|
@Bonsai11 the easiest workaround is to use .NET 5.0.3+ ... or I wonder if you can go back to using IP which worked for you on 2.1 as you mentioned above. If you need 3.1 backport, we would need business justification - how much impact is it on your service/app (number of customers impacted, size of the service, importance of the scenario, etc.) and why 5.0 is not an option for you. |
ghost
locked as resolved and limited conversation to collaborators
and others
It seems that WindowsIdentity.RunImpersonated() works differently in .NET Core compared with .NET Framework. This is causing a variety of issues including one affecting ASP.NET Core, #29351.
There is some difference in the way that the identity token permissions are getting set on the impersonated token. This is causing "access denied" issues in a variety of ways.
Consider the following repro program included in this issue.
Program.cs
ImpersonateTest.csproj
To demonstrate the repro, create a local machine account (different from the one you use to run this repro) on the Windows machine. It doesn't matter if it belongs to the "Administrators" group or not.
On .NET Framework, the repro works fine with either LOGON32_LOGON_INTERACTIVE or LOGON_TYPE_NETWORK being used to create the impersonated identity. But .NET Core shows a variety of problems with using LOGON32_LOGON_INTERACTIVE. This repro is a simplified version of the ASP.NET Core issue #29351 which is presumably using a logged on identity similar to LOGON32_LOGON_INTERACTIVE.
The problems on .NET Core are the same using .NET Core 2.2 or .NET Core 3.0 Preview 6.
There are three tests in this repro. In one case, the System.IO.FileLoadException is not even catch'able. In my repro here, I have created a secondary Windows account called "test1".
Success case:
Failure case:
In the RunSocketsHttpHandlerTest() and RunDnsTest(), the error:
is being caused by the Win32 API GetAddrInfoExW() returning WSATRY_AGAIN error. This error is occurring immediately after calling the API. .NET Core is using GetAddrInfoExW() instead of GetAddrInfoW() because the former supports async (via overlapped callback). The GetAddrInfoW() API doesn't seem to be affected. .NET Framework doesn't use GetAddrInfoExW() so it isn't affected. I suspect that GetAddrInfoExW() is returning WSATRY_AGAIN due to the same access permissions problem running in the WindowsIdentity.RunImpersonated() context.
We also have #28460 which is a related problem with impersonation where DNS resolution is not working. That's probably due to the same GetAddrInfoExW() problem here.
This seems like a compatibility break from .NET Framework in how WindowsIdentity.RunImpersonated() behaves.
The text was updated successfully, but these errors were encountered: