Add WAM workaround for elevated processes #344
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mjcheetham
added
bug
bgavrilMS
approved these changes
May 13, 2021
bgavrilMS
reviewed
May 13, 2021
| if (!PlatformUtils.IsWindows10()) return; | ||
|
|
||
| // Nothing to do when not an elevated user | ||
| if (!PlatformUtils.IsElevatedUser()) return; |
There was a problem hiding this comment.
@pmaytak - I think we should have this (lines 58 - 83) as a helper in MSAL
mjcheetham
force-pushed
the
wam-elevate
branch
2 times, most recently
from
ea80429 to
686646a
Compare
mjcheetham
requested review from
derrickstolee,
dscho,
jeffhostetler,
ldennington and
vtbassmatt
Add a workaround to a broker bug whereby the account control does not appear when running from an elevated process. AzureAD/microsoft-authentication-library-for-dotnet#2560 The underlying issue is to do with COM and the OS account control not being able to call-back in to the elevated process. The workaround is to set the process COM security to "none" iif we are on Windows 10, the process is elevated, and the user hasn't disabled the broker. It is possible the call to CoInitializeSecurity may fail, as this can only be called once in the lifetime of a process, and must be called before any COM interactions occur. The CLR may perform some COM interop before we even get to the Main method(!) We try our best here and call the CoInitializeSecurity function as soon as we reasonably can in the lifetime of our process.
derrickstolee
approved these changes
May 13, 2021
src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs
Outdated
Show resolved
Hide resolved
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a workaround to a broker bug whereby the account control does not appear when running from an elevated process.
AzureAD/microsoft-authentication-library-for-dotnet#2560
The underlying issue is to do with COM and the OS account control not being able to call-back in to the elevated process.
The workaround is to set the process COM security to "none" iif we are on Windows 10, the process is elevated, and the user hasn't disabled the broker.
It is possible the call to
CoInitializeSecuritymay fail, as this can only be called once in the lifetime of a process, and must be called before any COM interactions occur. The CLR may perform some COM interop before we even get to the Main method(!)We try our best here and call the
CoInitializeSecurityfunction as soon as we reasonably can in the lifetime of our process.