Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GSS failures in System.Net.Http.Functional.Tests on Ubuntu 22.04 #67353

Open
omajid opened this issue Mar 30, 2022 · 26 comments
Open

GSS failures in System.Net.Http.Functional.Tests on Ubuntu 22.04 #67353

omajid opened this issue Mar 30, 2022 · 26 comments
Labels
area-System.Net.Http disabled-test The test is disabled in source code against the issue test-enhancement Improvements of test source code tracking-external-issue The issue is caused by external problem (e.g. OS) - nothing we can do to fix it directly
Milestone
Future

Comments

@omajid
Copy link
Member

omajid commented Mar 30, 2022

Description

Running runtime tests on Ubuntu 22.04 (which adds OpenSSL 3.0 resulting in a number of changes under the hood), leads to a bunch of tests failing: https://dev.azure.com/dnceng/public/_build/results?buildId=1690650&view=ms.vss-test-web.build-test-results-tab&runId=46193442&resultId=189361&paneView=dotnet-dnceng.dnceng-anon-build-release-tasks.helix-anon-test-information-tab

Some examples:

System.AggregateException : One or more errors occurred. (GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Crypto routine failure).) (Unexpected EOF trying to read request header)
---- System.ComponentModel.Win32Exception : GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Crypto routine failure).
---- System.IO.IOException : Unexpected EOF trying to read request header

    System.Net.Http.Functional.Tests.SyncHttpHandler_HttpClientHandler_Authentication_Test.Credentials_ServerChallengesWithWindowsAuth_ClientSendsWindowsAuthHeader(authScheme: "NTLM") [FAIL]
      System.AggregateException : One or more errors occurred. (GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Crypto routine failure).) (Unexpected EOF trying to read request header)
      ---- System.ComponentModel.Win32Exception : GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Crypto routine failure).
      ---- System.IO.IOException : Unexpected EOF trying to read request header
      Stack Trace:
        /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs(88,0): at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks)
        /_/src/libraries/Common/tests/System/Net/Http/GenericLoopbackServer.cs(38,0): at System.Net.Test.Common.LoopbackServerFactory.<>c__DisplayClass5_0.<<CreateClientAndServerAsync>b__0>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(101,0): at System.Net.Test.Common.LoopbackServer.CreateServerAsync(Func`2 funcAsync, Options options)
        /_/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs(669,0): at System.Net.Http.Functional.Tests.HttpClientHandler_Authentication_Test.Credentials_ServerChallengesWithWindowsAuth_ClientSendsWindowsAuthHeader(String authScheme)
        --- End of stack trace from previous location ---
        ----- Inner Stack Trace #1 (System.ComponentModel.Win32Exception) -----
        /_/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs(537,0): at System.Net.Security.NegotiateStreamPal.AcquireCredentialsHandle(String package, Boolean isServer, NetworkCredential credential)
        /_/src/libraries/Common/src/System/Net/NTAuthentication.Common.cs(128,0): at System.Net.NTAuthentication.Initialize(Boolean isServer, String package, NetworkCredential credential, String spn, ContextFlagsPal requestedContextFlags, ChannelBinding channelBinding)
        /_/src/libraries/Common/src/System/Net/NTAuthentication.Common.cs(98,0): at System.Net.NTAuthentication..ctor(Boolean isServer, String package, NetworkCredential credential, String spn, ContextFlagsPal requestedContextFlags, ChannelBinding channelBinding)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs(169,0): at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs(1033,0): at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.cs(240,0): at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/RedirectHandler.cs(30,0): at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/HttpClient.cs(532,0): at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
        /_/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs(676,0): at System.Net.Http.Functional.Tests.HttpClientHandler_Authentication_Test.<>c__DisplayClass34_0.<<Credentials_ServerChallengesWithWindowsAuth_ClientSendsWindowsAuthHeader>b__0>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs(120,0): at System.Threading.Tasks.TaskTimeoutExtensions.GetRealException(Task task)
        ----- Inner Stack Trace #2 (System.IO.IOException) -----
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(715,0): at System.Net.Test.Common.LoopbackServer.Connection.ReadRequestHeaderBytesAsync()
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(777,0): at System.Net.Test.Common.LoopbackServer.Connection.ReadRequestDataAsync(Boolean readBody)
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(1021,0): at System.Net.Test.Common.LoopbackServer.Connection.HandleRequestAsync(HttpStatusCode statusCode, IList`1 headers, String content)
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(1081,0): at System.Net.Test.Common.LoopbackServer.HandleRequestAsync(HttpStatusCode statusCode, IList`1 headers, String content)
        /_/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs(686,0): at System.Net.Http.Functional.Tests.HttpClientHandler_Authentication_Test.<>c__DisplayClass34_0.<<Credentials_ServerChallengesWithWindowsAuth_ClientSendsWindowsAuthHeader>b__1>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs(120,0): at System.Threading.Tasks.TaskTimeoutExtensions.GetRealException(Task task)

Reproduction Steps

From helix:

/root/helix/work/correlation/dotnet exec --runtimeconfig System.Net.Http.Functional.Tests.runtimeconfig.json --depsfile System.Net.Http.Functional.Tests.deps.json xunit.console.dll System.Net.Http.Functional.Tests.dll -xml testResults.xml -nologo -nocolor -notrait category=IgnoreForCI -notrait category=OuterLoop -notrait category=failing

Expected behavior

All tests pass

Actual behavior

Tests fail with GSS exceptions.

Regression?

Yes, the tests pass on older versions of Ubuntu currently running in CI

Known Workarounds

No response

Configuration

  • dotnet/runtime main branch, commit 5a0564b01442f8ea9247e27c4fab85ee0d457265
  • Ubuntu 22.04

Other information

No response
@dotnet-issue-labeler dotnet-issue-labeler bot added area-System.Net.Http untriaged New issue has not been triaged by the area owner labels Mar 30, 2022
@ghost
Copy link

ghost commented Mar 30, 2022

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

Description

Running runtime tests on Ubuntu 22.04 (which adds OpenSSL 3.0 resulting in a number of changes under the hood), leads to a bunch of tests failing: https://dev.azure.com/dnceng/public/_build/results?buildId=1690650&view=ms.vss-test-web.build-test-results-tab&runId=46193442&resultId=189361&paneView=dotnet-dnceng.dnceng-anon-build-release-tasks.helix-anon-test-information-tab

Some examples:

System.AggregateException : One or more errors occurred. (GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Crypto routine failure).) (Unexpected EOF trying to read request header)
---- System.ComponentModel.Win32Exception : GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Crypto routine failure).
---- System.IO.IOException : Unexpected EOF trying to read request header

    System.Net.Http.Functional.Tests.SyncHttpHandler_HttpClientHandler_Authentication_Test.Credentials_ServerChallengesWithWindowsAuth_ClientSendsWindowsAuthHeader(authScheme: "NTLM") [FAIL]
      System.AggregateException : One or more errors occurred. (GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Crypto routine failure).) (Unexpected EOF trying to read request header)
      ---- System.ComponentModel.Win32Exception : GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Crypto routine failure).
      ---- System.IO.IOException : Unexpected EOF trying to read request header
      Stack Trace:
        /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs(88,0): at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks)
        /_/src/libraries/Common/tests/System/Net/Http/GenericLoopbackServer.cs(38,0): at System.Net.Test.Common.LoopbackServerFactory.<>c__DisplayClass5_0.<<CreateClientAndServerAsync>b__0>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(101,0): at System.Net.Test.Common.LoopbackServer.CreateServerAsync(Func`2 funcAsync, Options options)
        /_/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs(669,0): at System.Net.Http.Functional.Tests.HttpClientHandler_Authentication_Test.Credentials_ServerChallengesWithWindowsAuth_ClientSendsWindowsAuthHeader(String authScheme)
        --- End of stack trace from previous location ---
        ----- Inner Stack Trace #1 (System.ComponentModel.Win32Exception) -----
        /_/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs(537,0): at System.Net.Security.NegotiateStreamPal.AcquireCredentialsHandle(String package, Boolean isServer, NetworkCredential credential)
        /_/src/libraries/Common/src/System/Net/NTAuthentication.Common.cs(128,0): at System.Net.NTAuthentication.Initialize(Boolean isServer, String package, NetworkCredential credential, String spn, ContextFlagsPal requestedContextFlags, ChannelBinding channelBinding)
        /_/src/libraries/Common/src/System/Net/NTAuthentication.Common.cs(98,0): at System.Net.NTAuthentication..ctor(Boolean isServer, String package, NetworkCredential credential, String spn, ContextFlagsPal requestedContextFlags, ChannelBinding channelBinding)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs(169,0): at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs(1033,0): at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.cs(240,0): at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/RedirectHandler.cs(30,0): at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
        /_/src/libraries/System.Net.Http/src/System/Net/Http/HttpClient.cs(532,0): at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
        /_/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs(676,0): at System.Net.Http.Functional.Tests.HttpClientHandler_Authentication_Test.<>c__DisplayClass34_0.<<Credentials_ServerChallengesWithWindowsAuth_ClientSendsWindowsAuthHeader>b__0>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs(120,0): at System.Threading.Tasks.TaskTimeoutExtensions.GetRealException(Task task)
        ----- Inner Stack Trace #2 (System.IO.IOException) -----
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(715,0): at System.Net.Test.Common.LoopbackServer.Connection.ReadRequestHeaderBytesAsync()
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(777,0): at System.Net.Test.Common.LoopbackServer.Connection.ReadRequestDataAsync(Boolean readBody)
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(1021,0): at System.Net.Test.Common.LoopbackServer.Connection.HandleRequestAsync(HttpStatusCode statusCode, IList`1 headers, String content)
        /_/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs(1081,0): at System.Net.Test.Common.LoopbackServer.HandleRequestAsync(HttpStatusCode statusCode, IList`1 headers, String content)
        /_/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs(686,0): at System.Net.Http.Functional.Tests.HttpClientHandler_Authentication_Test.<>c__DisplayClass34_0.<<Credentials_ServerChallengesWithWindowsAuth_ClientSendsWindowsAuthHeader>b__1>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs(120,0): at System.Threading.Tasks.TaskTimeoutExtensions.GetRealException(Task task)

Reproduction Steps

From helix:

/root/helix/work/correlation/dotnet exec --runtimeconfig System.Net.Http.Functional.Tests.runtimeconfig.json --depsfile System.Net.Http.Functional.Tests.deps.json xunit.console.dll System.Net.Http.Functional.Tests.dll -xml testResults.xml -nologo -nocolor -notrait category=IgnoreForCI -notrait category=OuterLoop -notrait category=failing

Expected behavior

All tests pass

Actual behavior

Tests fail with GSS exceptions.

Regression?

Yes, the tests pass on older versions of Ubuntu currently running in CI

Known Workarounds

No response

Configuration

  • dotnet/runtime main branch, commit 5a0564b01442f8ea9247e27c4fab85ee0d457265
  • Ubuntu 22.04

Other information

No response

Author: omajid
Assignees: -
Labels:

area-System.Net.Http, untriaged
Milestone: -

@omajid omajid mentioned this issue Mar 30, 2022
Merged
@karelz karelz added this to the 7.0.0 milestone Mar 31, 2022
@karelz karelz removed the untriaged New issue has not been triaged by the area owner label Mar 31, 2022
@karelz
Copy link
Member

karelz commented Mar 31, 2022
edited
Loading

Triage: Likely related to new image Ubuntu 22.04 (we do not have a queue yet). Seems to fail reliably. We should investigate.

@karelz karelz added the bug label Mar 31, 2022
@wfurt
Copy link
Member

wfurt commented Mar 31, 2022
edited
Loading

do you know @omajid if the image has the gss-ntlm package? Generally, I would think the OpenSSL is independent from Kerberos and GSS.

@omajid
Copy link
Member Author

omajid commented Mar 31, 2022

It does have gss: https://github.com/dotnet/dotnet-buildtools-prereqs-docker/blob/main/src/ubuntu/22.04/helix/amd64/Dockerfile

@wfurt
Copy link
Member

wfurt commented Mar 31, 2022

Actually, you may be right about OpenSSL. It seems like md4 is no longer available from crypto

helixbot@9d96aeaca4ba:/$ openssl md4
Error setting digest
4037123E367F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD4 : 88), Properties ()
4037123E367F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:../crypto/evp/digest.c:237:

and

https://github.com/gssapi/gss-ntlmssp/blob/734e522c14a9821d7c03f2ce1691706d3d8131ad/src/crypto.c#L149-L153
While the gss-ntlmssp builds it is probably completely useless. (something to report ditto vendors..?)

For now, I think we detect presence of the page and we would skip tests as needed. Short term fix may be removing the ntlm package from docker image. That of course leaves NTLM auth broken.

The options would be to report/fix the package so it works with OpenSSL 3.x (e.g. add private fall-back implementation of md4) or switch to managed implementation #66879

cc: @filipnavara @bartonjs

@filipnavara filipnavara mentioned this issue Mar 31, 2022
Closed
@wfurt wfurt mentioned this issue Mar 31, 2022
Closed
@filipnavara
Copy link
Member

filipnavara commented Mar 31, 2022
edited
Loading

Let's report upstream and see. Long term I am keen on making the Managed NTLM an option either through an app context switch, or as a fallback if gss-ntlmssp is not installed.

@wfurt wfurt unassigned rzikm Mar 31, 2022
@omajid
Copy link
Member Author

omajid commented Mar 31, 2022

Should we flag this as part of Ubuntu 22.04 support? Looking at dotnet/core#7038 it seems like everything is 100% functional?

@wfurt
Copy link
Member

wfurt commented Mar 31, 2022

I'm not sure. This looks like distribution bug to me @omajid as the package they provide does not work.

@vcsjones
Copy link
Member

It seems like md4 is no longer available from crypto

You need to load the legacy provider for that to work in OpenSSL 3. You can either do that in openssl.cnf, or from the command line, this should work:

echo hi | openssl md4 -provider legacy

However for the runtime, we explicitly load the "legacy" provider, so MD4 should be available.

runtime/src/native/libs/System.Security.Cryptography.Native/openssl.c

Lines 1175 to 1180 in fe0f600

void CryptoNative_RegisterLegacyAlgorithms()
{
#ifdef NEED_OPENSSL_3_0
if (API_EXISTS(OSSL_PROVIDER_try_load))
{
OSSL_PROVIDER_try_load(NULL, "legacy", 1);

@vcsjones
Copy link
Member

One way to tell is to change openssl.cnf to have the following provider_sect:

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

@filipnavara
Copy link
Member

However for the runtime, we explicitly load the "legacy" provider, so MD4 should be available.

...but only after you use some crypto that initializes the OpenSSL native shim, right?

@vcsjones
Copy link
Member

Ah, you're right. I thought we always loaded the legacy provider, but we only do it when you use an algorithm that is in the legacy provider:

runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/RC2Implementation.OpenSsl.cs

Line 23 in 899bf97

Interop.Crypto.EnsureLegacyAlgorithmsRegistered();

Changing the openssl.cnf to load the legacy provider however would work, assuming the problem is the lack of the legacy provider's availability.

@wfurt wfurt added the tracking-external-issue The issue is caused by external problem (e.g. OS) - nothing we can do to fix it directly label Apr 1, 2022
@wfurt
Copy link
Member

wfurt commented Apr 1, 2022

This was fixed in gss-ntlm package. It is up to Ubuntu to pick up the fix. Big thanks to @simo5 who did the fix.

@wfurt wfurt removed this from the 7.0.0 milestone Apr 1, 2022
@wfurt wfurt added the untriaged New issue has not been triaged by the area owner label Apr 1, 2022
@karelz
Copy link
Member

karelz commented Apr 7, 2022

@wfurt why did you send it back to triage?
If it is external (and addressed there already), I would recommend to close it with details which version of library is needed to make it work.

@wfurt
Copy link
Member

wfurt commented Apr 9, 2022

We can (should?) improve platform detection and skip the tests as needed instead of failing. This will bite us once #67345 is merged.
We may also choose to solve it via manage NTLM.

@karelz
Copy link
Member

karelz commented Apr 12, 2022

Triage: Platform detection needs to be improved to handle the case as well.

Note: This will be addressed once we have managed NTLM implementation - but there is no guarantee when it will happen.

@karelz karelz removed the bug label Apr 12, 2022
@karelz karelz added test-enhancement Improvements of test source code and removed untriaged New issue has not been triaged by the area owner labels Apr 12, 2022
@karelz karelz added this to the 7.0.0 milestone Apr 12, 2022
@wfurt wfurt mentioned this issue Apr 14, 2022
Merged
@wfurt wfurt added the disabled-test The test is disabled in source code against the issue label Apr 14, 2022
@wfurt wfurt modified the milestones: 7.0.0, Future May 12, 2022
@yaakov-h
Copy link
Member

yaakov-h commented Nov 7, 2022

This isn't just a test-related issue. I just upgraded a system from Ubuntu 20.04 to Ubuntu 22.04 and a .NET 6 application could no longer use NTLM auth until I applied the workaround mentioned in #67353 (comment).

Should this be documented somewhere as a compatibility issue for developers / end-users?

@wfurt
Copy link
Member

wfurt commented Nov 7, 2022

We could but it is really difficult to trace and keep in sync all Linux distributions and versions. We could add note that the functionality depends on underlying OS capabilities.
But as I mentioned above it is really up to Ubuntu to pick up the package fixes. Perhaps you can open issue with them.

@wooncherk
Copy link

One way to tell is to change openssl.cnf to have the following provider_sect:

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

This helped. Thanks! :)

@sbomer sbomer mentioned this issue Apr 19, 2023
Merged
@sophiewigmore sophiewigmore mentioned this issue Jul 27, 2023
Merged
@AlexanderUsmanov AlexanderUsmanov mentioned this issue Mar 4, 2024
Closed
@wfurt wfurt mentioned this issue Mar 27, 2024
Closed
@devagleo devagleo mentioned this issue Apr 4, 2024
Open
@filipnavara filipnavara mentioned this issue Apr 5, 2024
Open
@SaravanakumBalach
Copy link

Hi,

We are planning to upgrade our .Net core MVC application from .Net 6 to .Net 8 version. It is written in C#. To prepare for that upgrade we first upgraded from ubuntu 20.04 to ubuntu 22.04. We target ubuntu 22.04 version jammy tag with amd64 architecture.

This is our base image in the Docker file and the following line updates our package list.

FROM artifactory.xyz.com/dockerhub-microsoft/dotnet/aspnet:6.0-jammy-amd64 AS base

&& apt-get update && apt-get install -y --no-install-recommends curl gss-ntlmssp tzdata \

When our application tries to authenticate and open SSRS reports we get "GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information (Crypto routine failure)"

We were previously using focal base image in 20.04 version and was able to render SSRS reports. Did something change with gss-ntlmssp package in 22.04 version? I was reading some other posts where it says this issue is related to incompatibilities between OpenSSL 3.0 and the older cryptographic algorithms involved in NTLM authentication. Any thoughts on how to fix this issue? Appreciate your kind response.

@filipnavara
Copy link
Member

Any thoughts on how to fix this issue?

One of the fixes is literally the comment right above yours (enable the legacy crypto in OpenSSL). The other one is to get newer version of the gss-ntlmssp package or compile it yourself.

@wfurt
Copy link
Member

wfurt commented Apr 17, 2024

One of the fixes is literally the comment right above yours (enable the legacy crypto in OpenSSL). The other one is to get newer version of the gss-ntlmssp package or compile it yourself.

there seems to be updated binaries in never Ubuntu. You may be able to get binaries from there with little bit of trickery (but I did not test it)

@wfurt
Copy link
Member

wfurt commented Apr 17, 2024

and in .NET 8 they could force the managed implementation, right @filipnavara if all they need is NTLM?

@wfurt
Copy link
Member

wfurt commented Apr 17, 2024

https://packages.ubuntu.com/search?keywords=gss-ntlmssp you want the 1.2.xxx version @SaravanakumBalach

@SaravanakumBalach
Copy link

Thanks @wfurt . I looked at it but it appears like 1.2.xxx version is available only with ubuntu 23.x and above. But we are targeting ubuntu 22.04 which only supports GSSAPI 0.7.0 version. @filipnavara How can I enable the legacy crypto in OpenSSL? Any other thoughts pls?

@wfurt
Copy link
Member

wfurt commented Apr 17, 2024

right, but

curl -LO http://mirrors.kernel.org/ubuntu/pool/universe/g/gss-ntlmssp/gss-ntlmssp_1.2.0-1_amd64.deb
sudo dpkg -i gss-ntlmssp_1.2.0-1_amd64.deb

works because all dependencies are met

furt@ubu22:/tmp$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy

https://packages.ubuntu.com/lunar/gss-ntlmssp

@filipnavara filipnavara mentioned this issue Apr 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-System.Net.Http disabled-test The test is disabled in source code against the issue test-enhancement Improvements of test source code tracking-external-issue The issue is caused by external problem (e.g. OS) - nothing we can do to fix it directly
Projects
None yet
Milestone
Future
Development

No branches or pull requests
9 participants
@omajid @vcsjones @yaakov-h @wooncherk @filipnavara @karelz @wfurt @rzikm @SaravanakumBalach