Skip to content

Fix WebSockets Negotiate Auth in Kestrel #26480

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 2, 2020
Merged

Fix WebSockets Negotiate Auth in Kestrel #26480

merged 3 commits into from
Oct 2, 2020

Conversation

halter73
Copy link
Member

@halter73 halter73 commented Sep 30, 2020
edited
Loading

Addresses #21886

@halter73 halter73 requested a review from jkotalik as a code owner September 30, 2020 22:34
@Tratcher
Copy link
Member

Now the big question is, is this worth backporting and/or asking for .NET 5 GA approval?

Who's the customer? #21886 seems like it's been sitting there a while.

@halter73
Copy link
Member Author

halter73 commented Oct 1, 2020

Who's the customer?

@vinaykapoor brought this up on https://gitter.im/aspnet/SignalR this morning. Fortunately @BrennanConroy noticed.

@Tratcher
Copy link
Member

Tratcher commented Oct 1, 2020

Ok, it's at least worth asking about for 5.0 then.

@halter73 halter73 changed the base branch from master to darc-release/5.0-ad84ca11-0c07-4994-a3df-e57bd9098c95 October 1, 2020 21:13
@halter73 halter73 changed the base branch from darc-release/5.0-ad84ca11-0c07-4994-a3df-e57bd9098c95 to release/5.0 October 1, 2020 21:13
@halter73
Copy link
Member Author

halter73 commented Oct 1, 2020

Description

This fixes a bug in Kestrel that prevents WebSocket clients from authenticating using Negotiate Auth. I've copied the Exception you get from ClientWebSocket when encountering this Kestrel bug below:

   System.Net.WebSockets.WebSocketException : Unable to connect to the remote server
---- System.Net.Http.HttpRequestException : Authentication failed because the connection could not be reused.
  Stack Trace:
     at System.Net.WebSockets.WebSocketHandle.ConnectAsync(Uri uri, CancellationToken cancellationToken, ClientWebSocketOptions options)

After this change, Kestrel will keep HTTP/1.1 connections open after "Connection: Upgrade" (WebSocket) requests are challenged by Negotiate Auth with a "401 Unauthorized" response. This allows WebSocket clients to authenticate succesfully.

Customer Impact

Customers are unable to use Kestrel if they need to support Windows Auth for WebSocket connections. We first learned about this back in May and it resurfaced when another customer ran into the issue and reported it on https://gitter.im/aspnet/SignalR yesterday.

Workaround

Using IIS or HttpSysServer instead of Kestrel.

Regression?

No.

Risk

Low. This PR allows some HTTP/1.1 connections to stay open in very specific circumstances where they should not have been prematurely closed. These connections are still tracked and subject to Kestrel's normal keep-alive timeout.

@halter73 halter73 added the Servicing-consider Shiproom approval is required for the issue label Oct 1, 2020
@ghost
Copy link

ghost commented Oct 1, 2020

Hello human! Please make sure you've included the Shiproom Template in a comment or (preferably) the PR description. Also, make sure this PR is not marked as a draft and is ready-to-merge.

@halter73 halter73 changed the title Don't close connections after upgrade requests without a 101 response Fix WebSockets Negotiate Auth in Kestrel Oct 1, 2020
@Pilchie Pilchie added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Oct 2, 2020
@Pilchie Pilchie merged commit 96c082f into release/5.0 Oct 2, 2020
@Pilchie Pilchie deleted the halter73/21886 branch October 2, 2020 21:47
@Pilchie
Copy link
Member

Pilchie commented Oct 2, 2020

Approved over email.

@BrennanConroy BrennanConroy added this to the 5.0.0 milestone Oct 2, 2020
@halter73 halter73 mentioned this pull request Oct 3, 2020
Closed
@Tratcher Tratcher mentioned this pull request Oct 14, 2020
Closed
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tratcher Tratcher Tratcher approved these changes

@BrennanConroy BrennanConroy BrennanConroy approved these changes

@jkotalik jkotalik Awaiting requested review from jkotalik

Assignees
No one assigned
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions feature-kestrel Servicing-approved Shiproom has approved the issue
Projects
None yet
Milestone
5.0.0
Development

Successfully merging this pull request may close these issues.
5 participants
@halter73 @Tratcher @Pilchie @BrennanConroy @amcasey