Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible regression in new UseSocketsHttpHandler when .NET Core 2.1 application is configured to use a proxy on Windows 64-bit #27431

Closed
juliobbv opened this issue Sep 19, 2018 · 8 comments
Labels
Milestone

Comments

@juliobbv
Copy link

Hi all,

@TingluoHuang and I (both MSFT employees) are working on updating our Azure Pipelines agent (AKA VSTS agent) to use .NET Core 2.1 (from 2.0). During our testing, we detected a regression in our config scenario against a TFS on-premises instance when a proxy that requires client authentication (like Fiddler) is used.

Our application has the ability to pass in the proxy information via configuration settings, which are then passed in to the .NET Core library to make HTTP requests. This works fine on .NET Core 2.0, but fails on 2.1 when using the default UseSocketsHttpHandler with the following error:

TF400813: Resource not available for anonymous access. Client authentication required.

We were able to work this issue around by falling back to using the legacy HTTP handler, by adding the following line to both our agent worker and listener:

AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);

I'm attaching a Fiddler trace as a reference: corefx.zip. Sessions 1-25 represent a failed config with the new HTTP handler, while sessions 27-52 represent a successful config with the old HTTP handler.

Let us know if you need more info from our side to find out the root cause of this issue.

@rmkerr
Copy link
Contributor

rmkerr commented Sep 19, 2018

Hey @geoffkizer, does this look like one of the existing proxy issues you were working on?

@karelz
Copy link
Member

karelz commented Sep 20, 2018

@juliobbv are you able to test it with latest 2.1.x servicing bits (the unreleased 2.1.5 ideally). We had multiple proxy fixes going in. It would help us verify that your scenario is also addressed with latest bits. Thanks!

@juliobbv
Copy link
Author

juliobbv commented Sep 20, 2018

@karelz sure, I'm retrying the same scenario with SDK Version 2.1.403-servicing-009280. Let see how it goes.

@juliobbv
Copy link
Author

Unfortunately, the agent runs into the same issue with the unreleased 2.1.5 bits 😟, same error message and fiddler trace pattern.

@karelz
Copy link
Member

karelz commented Sep 20, 2018

Are you able to isolate the repro into a minimal repro that we can look at / troubleshoot via logs?

@geoffkizer
Copy link
Contributor

From looking at the Fiddler logs, it appears that the proxy isn't sending the "Proxy-Support: Session-Based-Authentication" header, so we don't proceed with authentication, and you get a 401.

Note the issue here is with NT connection auth, not proxy auth. The proxy challenge seems to be handled fine.

It looks like this is a known issue with Fiddler: https://fiddler.ideas.aha.io/ideas/FID-I-292

@juliobbv
Copy link
Author

@karelz @geoffkizer thanks for the help. Let me see if the issue repro's with another proxy, and reply back with my results.

@juliobbv
Copy link
Author

Good news @karelz, @geoffkizer: I tried the same scenario with Charles Proxy, and things started working. I'll close this issue as it's related to Fiddler and not to .NET Core.

cc @TingluoHuang for awareness.

@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the 3.0 milestone Jan 31, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 15, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

5 participants