mono 6.0.0.313 breaks ntlm authentication on Linux (ubuntu)

Created on 23 Jul 2019 · 35 Comments · Source: mono/mono

Steps to Reproduce

  1. upgrade mono-complete (stable-bionic 5.20.1.34 main) to 6.0.0.313
  2. use NetworkCredential class to authenticate to server with ntlm authentication

Current Behavior

Attempt to authenticate throws System.ComponentModel.Win32Exception: Specified method is not supported.

Expected Behavior

Haven't seen any "breaking changes" notice, so it should have successfully authenticated like in previous mono versions
(e.g. stable-bionic 5.20.1.34 main)

On which platforms did you notice this

[ ] macOS
[x] Linux
[ ] Windows
[x] Android

Confirmed on both 18.04 and 19.04 versions of Ubuntu.

Version Used:

Mono JIT compiler version 6.0.0.313

Stacktrace

System.ComponentModel.Win32Exception: Specified method is not supported.
  at System.Net.Security.NegotiateStreamPal.AcquireCredentialsHandle (System.String package, System.Boolean isServer, System.Net.NetworkCredential credential) [0x0008e] in <048f685b456c4326be453e3cc3faae14>:0 
  at System.Net.NTAuthentication.Initialize (System.Boolean isServer, System.String package, System.Net.NetworkCredential credential, System.String spn, System.Net.ContextFlagsPal requestedContextFlags, System.Security.Authentication.ExtendedProtection.ChannelBinding channelBinding) [0x000b2] in <048f685b456c4326be453e3cc3faae14>:0 
  at System.Net.NTAuthentication..ctor (System.Boolean isServer, System.String package, System.Net.NetworkCredential credential, System.String spn, System.Net.ContextFlagsPal requestedContextFlags, System.Security.Authentication.ExtendedProtection.ChannelBinding channelBinding) [0x00006] in <048f685b456c4326be453e3cc3faae14>:0 
  at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync (System.Net.Http.HttpRequestMessage request, System.Uri authUri, System.Net.ICredentials credentials, System.Boolean isProxyAuth, System.Net.Http.HttpConnection connection, System.Net.Http.HttpConnectionPool connectionPool, System.Threading.CancellationToken cancellationToken) [0x00271] in <fa8057d0f20a49d8a3196d824fc6ce2d>:0 
  at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync (System.Net.Http.HttpConnection connection, System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x000b1] in <fa8057d0f20a49d8a3196d824fc6ce2d>:0 
  at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x0014b] in <fa8057d0f20a49d8a3196d824fc6ce2d>:0 
  at System.Net.Http.AuthenticationHelper.SendWithAuthAsync (System.Net.Http.HttpRequestMessage request, System.Uri authUri, System.Net.ICredentials credentials, System.Boolean preAuthenticate, System.Boolean isProxyAuth, System.Boolean doRequestAuth, System.Net.Http.HttpConnectionPool pool, System.Threading.CancellationToken cancellationToken) [0x00112] in <fa8057d0f20a49d8a3196d824fc6ce2d>:0 
  at System.Net.Http.RedirectHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000ba] in <fa8057d0f20a49d8a3196d824fc6ce2d>:0 
  at System.Net.Http.HttpClient.FinishSendAsyncBuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x0017e] in <fa8057d0f20a49d8a3196d824fc6ce2d>:0 
...
System regression

All 35 comments

@jurijr can you please post a sample and provide more details?

@steveisok client works under older mono (5.20.1.34, tested on ubuntu 19.04), while on up-to-date mono (6.0.0.313) it throws said exception. In both cases the same (Windows hosted) server was used.

client

    using (var httpClientHandler = new HttpClientHandler { Credentials = new NetworkCredential(username, password) })
    using (var httpClient = new HttpClient(httpClientHandler))
    using (var response = await httpClient.SendAsync(new HttpRequestMessage(HttpMethod.Get, endpoint)).ConfigureAwait(false))
        return $"{(int)response.StatusCode} {response.StatusCode}";

server:

    new WebHostBuilder()
        .UseHttpSys(options =>
        {
            // Accept NTLM only and reject anonymous requests.
            options.Authentication.Schemes = Microsoft.AspNetCore.Server.HttpSys.AuthenticationSchemes.NTLM;
            options.Authentication.AllowAnonymous = false;
            // Reserve the prefix first: netsh http add urlacl url=http://+:5000/ user=DOMAIN\user
            options.UrlPrefixes.Add("http://+:5000");
        })
        // Echo the authenticated user's name back to the client.
        .Configure(app => app.Run(r => r.Response.WriteAsync(r.User.Identity.Name)))
        .Build()
        .Run();

SampleClient.zip
WindowsAuthServer.zip

As a separate observation, why would username require format DOMAIN/user and not DOMAIN\user as it was supposed to? Although it might break backward compat not accepting improper format anymore.

@baulig since we switched to the corefx handler, perhaps there was something we missed?

Prior to switching to the CoreFx handler, we were using HttpWebRequest and Mono's NTLM handler, which is quite old and possibly also buggy and insecure as well.

We are now using the PAL code from CoreFX for that - the NegotiateStreamPal.AcquireCredentialsHandle that you see in the stack trace above calls into that.

On the Mac, we use the GSS framework, but I'm not sure what we're doing on Linux. It's possible that there's something wrong with the System.Native code on Linux and the error could possibly mean that a P/Invoke isn't finding some native library.

Guys, please note that there is the same issue on Android (it started to happen after the last Visual Studio release with the last Mono update). I think it is a huge problem that NTLM authentication was broken with this Mono update for all Unix-based platforms. Could you fix that ASAP please? @marek-safar, @steveisok, @EgorBo

I'm also experiencing this issue on Android, I couldn't find any workaround so far.

@EgorBo Please take a look

@EgorBo, hope you will be able to find a solution. It is a production issue for our team and it is really blocking for us at the moment.

@EgorBo , @steveisok is there any update?

@yurii-harkusha working on it, unfortunately gss was disabled for linux (https://github.com/mono/mono/pull/17223 enables it) but also I need to pull latest sources from corefx for NTLM/GSS related pieces

@EgorBo It is nice to hear, thanks and good luck!

We are seeing it in both Android and iOS from the latest VS2019 release with mono.

@EgorBo, please take a look at the last comment here - it seems that iOS also was influenced. I didn't install today's latest VS update and can't confirm, but if it is really true, this issue starts to be an emergency.

We fixed this issue yesterday https://github.com/mono/mono/issues/17327 and suspect it was giving our calls to the GSS api fits. We are currently trying to validate that assumption.

Hi guys,

Since today (my previous version was 16.2.4 and works fine) with VisualStudio 16.3.5 I get the same error.

To reproduce the error just create a new Xamarin Android app, add System.Net.Http and use the following code (I also attached a complete sample):

        HttpClientHandler httpClientHandler = new HttpClientHandler();
        // NTLM => domain\user
        var username = "user";
        var pass = "qwertyu";
        var domain = "domainForUser";
        var url = "https://aaaaaaa.net"; // This MUST be a correct NTLM server
        NetworkCredential networkCredentials = new NetworkCredential(username, pass, domain);
        httpClientHandler.Credentials = networkCredentials.GetCredential(new Uri(url), "NTLM");

        var client = new HttpClient(httpClientHandler);
        try
        { 
            var test = await client.GetAsync(url);
        }
        catch (Exception ex)
        {
            System.Diagnostics.Debug.WriteLine(ex.Message);
            if (Debugger.IsAttached) Debugger.Break();
        }

Is there a known workaround to solve it?

Thank you for your time
HttpNtlmTest.zip

As a """"workaround"""" to publish a working version in the stores for example (is not a workaround for debug ...) I'm using AppCenter and changed Android SDK Version to Xamarin Android 9.2 / Mono 5.18

With this I can generate an APK which works with NTLM to upload to the store.

I hope this helps somebody until it is fixed :)

Fixed by https://github.com/mono/mono/pull/17223 and should be available in the next VSM preview.

How to know which version will include this fix?

@aliegeni The next preview should be available soon. I'll comment when the preview lands

> @aliegeni The next preview should be available soon. I'll comment when the preview lands

The preview versions released last night for Android VS 16.4 Preview 3 and Linux Preview Mono 6.6.0 do not appear to resolve the issue. They both fail with the same error.

Stacktrace from the SampleClient example

System.AggregateException: One or more errors occurred. (NetSecurityNative_ImportUserName assembly:<unknown assembly> type:<unknown type> member:(null)) ---> System.ComponentModel.Win32Exception: NetSecurityNative_ImportUserName assembly:<unknown assembly> type:<unknown type> member:(null)
  at System.Net.Security.NegotiateStreamPal.AcquireCredentialsHandle (System.String package, System.Boolean isServer, System.Net.NetworkCredential credential) [0x0008e] in <18560358f02043d29a476418b9ad3526>:0 
  at System.Net.NTAuthentication.Initialize (System.Boolean isServer, System.String package, System.Net.NetworkCredential credential, System.String spn, System.Net.ContextFlagsPal requestedContextFlags, System.Security.Authentication.ExtendedProtection.ChannelBinding channelBinding) [0x000b2] in <18560358f02043d29a476418b9ad3526>:0 
  at System.Net.NTAuthentication..ctor (System.Boolean isServer, System.String package, System.Net.NetworkCredential credential, System.String spn, System.Net.ContextFlagsPal requestedContextFlags, System.Security.Authentication.ExtendedProtection.ChannelBinding channelBinding) [0x00006] in <18560358f02043d29a476418b9ad3526>:0 
  at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync (System.Net.Http.HttpRequestMessage request, System.Uri authUri, System.Net.ICredentials credentials, System.Boolean isProxyAuth, System.Net.Http.HttpConnection connection, System.Net.Http.HttpConnectionPool connectionPool, System.Threading.CancellationToken cancellationToken) [0x003fd] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync (System.Net.Http.HttpConnection connection, System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x000b1] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x0014b] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.AuthenticationHelper.SendWithAuthAsync (System.Net.Http.HttpRequestMessage request, System.Uri authUri, System.Net.ICredentials credentials, System.Boolean preAuthenticate, System.Boolean isProxyAuth, System.Boolean doRequestAuth, System.Net.Http.HttpConnectionPool pool, System.Threading.CancellationToken cancellationToken) [0x00112] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.RedirectHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000ba] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.HttpClient.FinishSendAsyncBuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x0017e] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at SampleClient.MainClass.<Main>g__DemoAuthenticateAsync|0_0 (System.String endpoint, System.String username, System.String password) [0x000b8] in <bdbcdcf7201e48cbb9ae325f998c4fe0>:0 
   --- End of inner exception stack trace ---
  at System.Threading.Tasks.Task`1[TResult].GetResultCore (System.Boolean waitCompletionNotification) <0x7f66782a07a0 + 0x000bb> in <d61f452bdbc3419f896fa33c03403b2e>:0 
  at System.Threading.Tasks.Task`1[TResult].get_Result () <0x7f66782a0720 + 0x00050> in <d61f452bdbc3419f896fa33c03403b2e>:0 
  at SampleClient.MainClass.Main (System.String[] args) [0x00020] in <bdbcdcf7201e48cbb9ae325f998c4fe0>:0 
---> (Inner Exception #0) System.ComponentModel.Win32Exception (0x80004005): NetSecurityNative_ImportUserName assembly:<unknown assembly> type:<unknown type> member:(null)
  at System.Net.Security.NegotiateStreamPal.AcquireCredentialsHandle (System.String package, System.Boolean isServer, System.Net.NetworkCredential credential) [0x0008e] in <18560358f02043d29a476418b9ad3526>:0 
  at System.Net.NTAuthentication.Initialize (System.Boolean isServer, System.String package, System.Net.NetworkCredential credential, System.String spn, System.Net.ContextFlagsPal requestedContextFlags, System.Security.Authentication.ExtendedProtection.ChannelBinding channelBinding) [0x000b2] in <18560358f02043d29a476418b9ad3526>:0 
  at System.Net.NTAuthentication..ctor (System.Boolean isServer, System.String package, System.Net.NetworkCredential credential, System.String spn, System.Net.ContextFlagsPal requestedContextFlags, System.Security.Authentication.ExtendedProtection.ChannelBinding channelBinding) [0x00006] in <18560358f02043d29a476418b9ad3526>:0 
  at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync (System.Net.Http.HttpRequestMessage request, System.Uri authUri, System.Net.ICredentials credentials, System.Boolean isProxyAuth, System.Net.Http.HttpConnection connection, System.Net.Http.HttpConnectionPool connectionPool, System.Threading.CancellationToken cancellationToken) [0x003fd] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync (System.Net.Http.HttpConnection connection, System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x000b1] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x0014b] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.AuthenticationHelper.SendWithAuthAsync (System.Net.Http.HttpRequestMessage request, System.Uri authUri, System.Net.ICredentials credentials, System.Boolean preAuthenticate, System.Boolean isProxyAuth, System.Boolean doRequestAuth, System.Net.Http.HttpConnectionPool pool, System.Threading.CancellationToken cancellationToken) [0x00112] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.RedirectHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000ba] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at System.Net.Http.HttpClient.FinishSendAsyncBuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x0017e] in <f3f9215704e6416dae6b4bd4e73479f0>:0 
  at SampleClient.MainClass.<Main>g__DemoAuthenticateAsync|0_0 (System.String endpoint, System.String username, System.String password) [0x000b8] in <bdbcdcf7201e48cbb9ae325f998c4fe0>:0 <---

gss support arrived in the package repos a week ago... but we forgot to add krb5 to the build dependencies, to actually enable it. Oops! Enabled now, will be in the next builds

I have the same issue also in Xamarin iOS.

Any expectation of when this fix would be included in a preview?

Should be in 6.6.0.153-0xamarin2 and above?

@EgorBo , @steveisok I see in corresponding issue on developercommunity that there is no update for a long time
https://developercommunity.visualstudio.com/content/problem/756697/last-visual-studio-update-brakes-ntlm-authenticati.html

Can you say what the approximate estimated date of fix delivery is? And at which step is it?
Sorry guys, but it is total crap that such a critical issue for Mono is being processed for such a long time.

@yurii-harkusha There are different ways mono is distributed. The issue you linked to in question was for Xamarin Android, which runs on a Visual Studio release cadence. I noted in the issue about a week or so ago that we were fixing a mis-configuration and that I was trying to determine the right preview (or service release) to land the fix in.

With respect to this issue (ntlm on linux), the fix is available in the mono on our preview channel. The linux instructions are here -> https://www.mono-project.com/download/preview/#download-lin

Thank you for a really hopeful answer. Let's wait.

Despite the issue being listed as fixed in VS stable release 16.4.0, the error still exists.

System.ComponentModel.Win32Exception (0x80004005): System.Net.Security.Native assembly:<unknown assembly> type:<unknown type> member:(null)
at System.Net.Security.NegotiateStreamPal.AcquireCredentialsHandle (System.String package, System.Boolean isServer, System.Net.NetworkCredential credential) [0x0007e] in /Users/builder/jenkins/workspace/archive-mono/2019-08/android/release/external/corefx/src/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs:313 
at System.Net.NTAuthentication.Initialize (System.Boolean isServer, System.String package, System.Net.NetworkCredential credential, System.String spn, System.Net.ContextFlagsPal requestedContextFlags, System.Security.Authentication.ExtendedProtection.ChannelBinding channelBinding) [0x000b2] in /Users/builder/jenkins/workspace/archive-mono/2019-08/android/release/external/corefx/src/Common/src/System/Net/NTAuthentication.Common.cs:127 
at System.Net.NTAuthentication..ctor (System.Boolean isServer, System.String package, System.Net.NetworkCredential credential, System.String spn, System.Net.ContextFlagsPal requestedContextFlags, System.Security.Authentication.ExtendedProtection.ChannelBinding channelBinding) [0x00006] in /Users/builder/jenkins/workspace/archive-mono/2019-08/android/release/external/corefx/src/Common/src/System/Net/NTAuthentication.Common.cs:98 
at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync (System.Net.Http.HttpRequestMessage request, System.Uri authUri, System.Net.ICredentials credentials, System.Boolean isProxyAuth, System.Net.Http.HttpConnection connection, System.Net.Http.HttpConnectionPool connectionPool, System.Threading.CancellationToken cancellationToken) [0x003e5] in /Users/builder/jenkins/workspace/archive-mono/2019-08/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs:119 
at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync (System.Net.Http.HttpConnection connection, System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x00069] in /Users/builder/jenkins/workspace/archive-mono/2019-08/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:313 
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x00101] in /Users/builder/jenkins/workspace/archive-mono/2019-08/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:296 
at System.Net.Http.AuthenticationHelper.SendWithAuthAsync (System.Net.Http.HttpRequestMessage request, System.Uri authUri, System.Net.ICredentials credentials, System.Boolean preAuthenticate, System.Boolean isProxyAuth, System.Boolean doRequestAuth, System.Net.Http.HttpConnectionPool pool, System.Threading.CancellationToken cancellationToken) [0x000c8] in /Users/builder/jenkins/workspace/archive-mono/2019-08/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.cs:204 
at System.Net.Http.RedirectHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00070] in /Users/builder/jenkins/workspace/archive-mono/2019-08/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/RedirectHandler.cs:32 
at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x000b3] in /Users/builder/jenkins/workspace/archive-mono/2019-08/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/HttpClient.cs:531 
at System.Net.Http.HttpClient.GetStringAsyncCore (System.Threading.Tasks.Task`1[TResult] getTask) [0x0002e]

Same here. Upgraded to 16.4 but it still doesn't work as before. Had also to go back to Visual Studio 16.2.5 to fix it.

@stylenamic @aliegeni Note https://github.com/mono/mono/issues/15796#issuecomment-561152774

It is confusing re: how mono is distributed. I'll try and explain it again in this comment.

This issue was created due to an ntlm bug in mono when running on ubuntu. That refers to the 'stand alone' mono and as previously indicated was fixed in 6.6.0.153 and above (the reason why the issue is closed). You can find that version of mono either on our website OR within the d16-4 version of visual studio, which is still in preview.

Now, as it relates to Android / iOS, that is a different story. In case you did not know, android and ios bundle their own embedded versions of mono. There was a misconfiguration resulting in the ntlm support not being enabled. As I indicated earlier, that fix has not yet made its way out yet and I anticipate it being available in the 16.5 timeframe. I am still waiting to make sure that is correct.
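
A triage helper for the situation described in this thread, added here as an example (not code from the mono project or from any commenter): it classifies a standalone Linux mono version against the 6.6.0.153 fix and tags the three Win32Exception messages reported above. Function names and output labels are hypothetical; treating every 6.x release below 6.6.0.153 as affected and everything before 6.0 as the old handler is an assumption, and none of it applies to the mono embedded in Android/iOS.

```shell
#!/bin/sh
# Added example: triage for the NTLM regression discussed in this thread.
# Boundaries and messages come from the thread; anything else is an assumption.

FIXED_IN="6.6.0.153"   # thread: standalone mono "fixed in 6.6.0.153 and above"
BROKEN_FROM="6.0.0"    # assumption: whole 6.x line; thread reports 6.0.0.313

# version_ge A B: succeeds when dotted version A >= B (needs GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Read `mono --version` output on stdin, print e.g. "6.0.0.313".
parse_mono_version() {
    sed -n 's/^Mono JIT compiler version \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# Classify a standalone Linux mono version for HttpClient NTLM authentication.
mono_ntlm_status() {
    if [ -z "$1" ]; then
        echo unknown
    elif version_ge "$1" "$FIXED_IN"; then
        echo fixed
    elif version_ge "$1" "$BROKEN_FROM"; then
        echo affected
    else
        # Assumption: pre-6.0 releases still use Mono's older managed NTLM
        # handler (5.20.1.34 is the version the thread reports as working).
        echo legacy-handler
    fi
}

# Tag a log line with the situation in which the thread reported that message.
classify_ntlm_failure() {
    case "$1" in
        *"NetSecurityNative_ImportUserName"*)
            echo krb5-missing-from-build ;;      # 6.6.0 preview packages
        *"Win32Exception"*"System.Net.Security.Native"*)
            echo embedded-mono-misconfigured ;;  # Android on VS 16.4.0
        *"Win32Exception"*"Specified method is not supported"*)
            echo gss-disabled-in-build ;;        # 6.0.0.313 on Linux
        *)
            echo unrelated ;;
    esac
}

# Stand-alone use: report the status of the locally installed mono, if any.
if command -v mono >/dev/null 2>&1; then
    v="$(mono --version 2>/dev/null | parse_mono_version)"
    echo "mono ${v:-?}: $(mono_ntlm_status "$v")"
fi
```
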

@steveisok I see, but the misleading thing is that the issue is listed under Top fixed issues in v.16.4

https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#top-issues-fixed-in-visual-studio-2019-version-164

Yeah, that's confusing. I'll see if I can get them modified.

Thanks for your patience.

> Now, as it relates to Android / iOS, that is a different story. In case you did not know, android and ios bundle their own embedded versions of mono. There was a misconfiguration resulting in the ntlm support not being enabled. As I indicated earlier, that fix has not yet made its way out yet and I anticipate it being available in the 16.5 timeframe. I am still waiting to make sure that is correct.

Any news on the timeframe?

> Now, as it relates to Android / iOS, that is a different story. In case you did not know, android and ios bundle their own embedded versions of mono. There was a misconfiguration resulting in the ntlm support not being enabled. As I indicated earlier, that fix has not yet made its way out yet and I anticipate it being available in the 16.5 timeframe. I am still waiting to make sure that is correct.

Any news on the timeframe?

Any news?
