[release/8.0] Fix implementation of NegotiateAuthentication.Wrap for Kerberos on Windows #91311
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones Issue DetailsBackport of #91152 to release/8.0 /cc @rzikm @filipnavara Customer ImpactTestingRiskIMPORTANT: If this backport is for a servicing release, please verify that:
|
|
@filipnavara would you be able to provide text for the Testing and Risk sections as well? cc: @karelz |
This comment was marked as duplicate.
This comment was marked as duplicate.
This was referenced Aug 30, 2023
carlossanlop
added
the
Servicing-consider
|
@karelz do you approve this for RC2? |
karelz
approved these changes
Sep 7, 2023
|
I approve, it is E2E regression - @artl93 it is ready for you |
|
M2 approved. |
artl93
added
Servicing-approved
artl93
approved these changes
Sep 7, 2023
ghost
locked as resolved and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #91152 to release/8.0
Fixes PowerShell/PowerShell#20168
/cc @rzikm @filipnavara
Customer Impact
Regression against 7.0 - Establishing NTLM (Kerberos) authenticated connection can fail with "The encryption operation failed" (see PowerShell/PowerShell#20168).
The story behind the regression:
The regression is caused by changes in .NET Kerberos/NTLM authentication which started in 7.0 and which are finishing now in 8.0. The goal was to introduce public Kerberos/NTLM authentication APIs (
NegotiateAuthenticaton) for higher-level frameworks and applications (e.g. ASP.NET needed it to avoid using private Reflection - see #29270).In 6.0 and earlier, the Kerberos/NTLM authentication (
NTAuthentication) was internal only code and was compiled into multiple Networking assemblies (e.g.System.Net.Security,System.Net.Mail, etc.) to avoid using Reflection. Therefore, it also had negative impact on .NET binaries size due to compiled code duplication (while the source code was shared).In 7.0, we introduced the new public API
NegotiateAuthenticatonand we migrated a few internal usages ofNTAuthenticationto the new public API (e.g.Mail), but not all of them.One of the public APIs (
NegotiateAuthentication.Wrap) had a bug on Windows only that was not exposed until 8.0, when we migrated alsoNegotiateStreamto the public APIs in PR #86948.NegotiateStreamsupport of Kerberos requires more flexibility in encryption padding, which NTLM didn't need, and the new API didn't fully provide it.This PR brings parity of old internal functionality in
NegotiateStreamPal.Encryptto the new public APINegotiateAuthentication.Wrap.Testing
The change was tested on affected scenario reported in PowerShell/PowerShell#20168.
Additional validation was performed using a custom/manual
NegotiateStreamclient-server setup between Windows Server 2019 server machine and Windows 11 client machine.Note: NTLM has good unit test coverage. Kerberos has also good unit test coverage on Linux via Kerberos.NET. However, Kerberos on Windows requires complicated multi-machine setup, therefore it is not automated. We will evaluate feasibility of adding Kerberos test endpoint for CI during 9.0 to address the test gap.
Risk
Low to Medium.
The change affects encryption and signing of data transferred through
NegotiateStream. There's no other internal consumer of theNegotiateAuthentication.WrapAPI (with exception of single message in SMTP GSSAPI authentication which is covered by tests). Given that this is very advanced API introduced in 7.0, we do not expect there to be any external usages of the API either. And if they are, they would not be ok with the buggy behavior in 7.0.Only two encryption protocols are supported - NTLM and Kerberos, and NTLM is covered by tests. The Kerberos use case was reported to be broken, and this restores the affected code to mimic the .NET 7 behavior.