Skip to content

Disable user mapper for SslStream on Windows #80886

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 20, 2023
Merged

Disable user mapper for SslStream on Windows #80886

merged 1 commit into from
Jan 20, 2023

Conversation

@wfurt
Copy link
Member

@wfurt wfurt commented Jan 20, 2023

This is small perf improvement on Windows server connected to AD. Schannel by default (for legacy reasons) tries to resolve user identity by querying AD with provided client certificate. That allows to get user identity and/or server can impersonate the client. This would work if we use QuerySecurityContextToken function to retrieve it. (https://learn.microsoft.com/en-us/windows/win32/secauthn/mapping-certificates) But we don't (and caller cannot either) so this is complete waste.

The existing code was attempt to suppress it for the new scenario (as this also changes advertised CAs) and this change will just make it default. This can be re-visited in future if we want to support the scenario (windows only)

cc: @Tratcher @mconnew

fixes #78350

@wfurt wfurt requested a review from rzikm January 20, 2023 00:00
@wfurt wfurt self-assigned this Jan 20, 2023
@ghost
Copy link

ghost commented Jan 20, 2023

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

This is small perf improvement on Windows server connected to AD. Schannel by default (for legacy reasons) tries to resolve user identity by querying AD with provided client certificate. That allows to get user identity and/or server can impersonate the client. This would work if we use QuerySecurityContextToken function to retrieve it. (https://learn.microsoft.com/en-us/windows/win32/secauthn/mapping-certificates) But we don't (and caller cannot either) so this is complete waste.

The existing code was attempt to suppress it for the new scenario (as this also changes advertised CAs) and this change will just make it default. This can be re-visited in future if we want to support the scenario (windows only)

cc: @Tratcher @mconnew

fixes #78350

Author: wfurt
Assignees: wfurt
Labels:

area-System.Net.Security, os-windows
Milestone: -

@wfurt
Copy link
Member Author

wfurt commented Jan 20, 2023

Spanish windows test failures are #74838

@stephentoub stephentoub merged commit 336ea79 into dotnet:main Jan 20, 2023
mdh1418 pushed a commit to mdh1418/runtime that referenced this pull request Jan 24, 2023
@wfurt @mdh1418
Disable user mapper for SslStream on Windows (dotnet#80886)
66489dd
@ghost ghost locked as resolved and limited conversation to collaborators Feb 19, 2023
@karelz karelz added this to the 8.0.0 milestone Mar 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@stephentoub stephentoub stephentoub approved these changes

@mconnew mconnew mconnew approved these changes

@rzikm rzikm Awaiting requested review from rzikm

Assignees

@wfurt wfurt

Labels

area-System.Net.Security os-windows

Projects

None yet

Milestone

8.0.0

Development

Successfully merging this pull request may close these issues.

SslStream.AuthenticateAsServer round trips to domain controller to map client certificate to user when domain joined

4 participants

@wfurt @stephentoub @mconnew @karelz