NTLM issues in some images #5303

Closed
mitch-b opened this issue Mar 26, 2024 · 7 comments

@mitch-b

mitch-b commented Mar 26, 2024

Describe the Bug

Using 7.0-jammy/8.0-jammy, 8.0-alpine images (linux-x64) and manually installing gss-ntlmssp library does not seem to allow NTLM authentication when using a WCF connected service in a .NET 8 Web API project.

When I converted my project down to 6.0-focal, it worked. Then I tried to understand if this was a .NET 7+ issue, but I eventually found that the 8.0-bookworm-slim image worked, so it didn't seem to be a .NET version, but seemed to be more tied to the base image.

In the -jammy and -alpine images, the error I would get when connecting to my WCF service was:

MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.

Steps to Reproduce

Dockerfile (that does not work):

```dockerfile
#See https://aka.ms/customizecontainer to learn how to customize your debug container and how Visual Studio uses this Dockerfile to build your images for faster debugging.

FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy AS base

WORKDIR /app
EXPOSE 8080
EXPOSE 8081

RUN apt-get update && apt-get install -y \
	krb5-user \
	libkrb5-dev \
	gss-ntlmssp \
	&& rm -rf /var/lib/apt/lists/*

USER app

FROM mcr.microsoft.com/dotnet/sdk:8.0-jammy AS build
ARG BUILD_CONFIGURATION=Release
WORKDIR /src
COPY ["dotnet-ntlm-container-demo/NtlmDemo.csproj", "dotnet-ntlm-container-demo/"]
RUN dotnet restore "./dotnet-ntlm-container-demo/NtlmDemo.csproj"
COPY . .
WORKDIR "/src/dotnet-ntlm-container-demo"
RUN dotnet build "./NtlmDemo.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "./NtlmDemo.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "NtlmDemo.dll"]
```

And a Dockerfile that works (Note: the only change is the image tag):

```dockerfile
#See https://aka.ms/customizecontainer to learn how to customize your debug container and how Visual Studio uses this Dockerfile to build your images for faster debugging.

FROM mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim AS base

WORKDIR /app
EXPOSE 8080
EXPOSE 8081

RUN apt-get update && apt-get install -y \
	krb5-user \
	libkrb5-dev \
	gss-ntlmssp \
	&& rm -rf /var/lib/apt/lists/*

USER app

FROM mcr.microsoft.com/dotnet/sdk:8.0-bookworm-slim AS build
ARG BUILD_CONFIGURATION=Release
WORKDIR /src
COPY ["dotnet-ntlm-container-demo/NtlmDemo.csproj", "dotnet-ntlm-container-demo/"]
RUN dotnet restore "./dotnet-ntlm-container-demo/NtlmDemo.csproj"
COPY . .
WORKDIR "/src/dotnet-ntlm-container-demo"
RUN dotnet build "./NtlmDemo.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "./NtlmDemo.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "NtlmDemo.dll"]
```

Other Information

Output of docker version

Docker version 25.0.3, build 4debf41

@richlander
Member

I am looking for some help. I've not been successful in that so far. We'll have Ubuntu 24.04 images to try next month.

Any thoughts @filipnavara @mconnew @wfurt ?

@wfurt
Member

wfurt commented Mar 27, 2024

This looks like dotnet/runtime#67353. It got broken by moving to OpenSSL 3.0. It was fixed upstream but took ages for Ubuntu to pick up the updated package. I think Ubuntu 23+ had the 1.XX ntlm-gss.

@richlander
Member

When this PR merges, we will have noble images in our nightly repo. That will be enough to test.

#5241

@mitch-b
Author

mitch-b commented Mar 27, 2024

Thanks for the reference, @wfurt . Merging the default openssl.cnf with what was mentioned in that issue gets things working in 8.0-jammy. I'm hopeful that noble images make this workaround no longer required.

dotnet/runtime#67353 (comment)

```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy AS base

WORKDIR /app
EXPOSE 8080
EXPOSE 8081

RUN apt-get update && apt-get install -y \
	krb5-user \
	libkrb5-dev \
	gss-ntlmssp \
	&& rm -rf /var/lib/apt/lists/*

###
### OpenSSL 3.0 fix by providing an override openssl.cnf file:
###
RUN echo "Copying openssl.cnf to /etc/ssl/openssl.cnf"
COPY ["dotnet-ntlm-container-demo/openssl.cnf", "openssl.cnf"]
RUN cp openssl.cnf /etc/ssl/openssl.cnf

USER app

...
```
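
One way to confirm that an image's `/etc/ssl/openssl.cnf` carries the provider setup the workaround above depends on. This is an added example, not code from the issue or from the .NET images; it assumes the merged file activates OpenSSL 3.0's `legacy` provider (where MD4 and RC4, which NTLM uses, live), and the function names `cnf_get`, `provider_active`, `check_openssl_cnf` and `sample_cnf` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the issue: static check of an openssl.cnf.

# cnf_get FILE SECTION KEY: print KEY's value in [SECTION] ("" = top of file).
cnf_get() {
    awk -v want="$2" -v key="$3" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[.*\]$/ { sec = $0; gsub(/^\[[ \t]*|[ \t]*\]$/, "", sec); next }
        sec == want && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# provider_active FILE NAME: follow openssl_conf -> providers -> NAME -> activate.
provider_active() {
    init=$(cnf_get "$1" "" openssl_conf);    [ -n "$init" ]  || return 1
    provs=$(cnf_get "$1" "$init" providers); [ -n "$provs" ] || return 1
    sect=$(cnf_get "$1" "$provs" "$2");      [ -n "$sect" ]  || return 1
    # The truthy spellings accepted here are this example's assumption.
    case $(cnf_get "$1" "$sect" activate) in
        1|yes|true|on) return 0 ;;
        *) return 1 ;;
    esac
}

# check_openssl_cnf FILE: print ok, legacy-inactive or default-inactive.
# Once any provider is activated explicitly, default must be activated too.
check_openssl_cnf() {
    provider_active "$1" legacy  || { echo legacy-inactive;  return 0; }
    provider_active "$1" default || { echo default-inactive; return 0; }
    echo ok
}

# Constructed sample: legacy activated, default left commented out.
sample_cnf() {
    printf '%s\n' 'openssl_conf = openssl_init' '[openssl_init]' \
        'providers = provider_sect' '[provider_sect]' \
        'default = default_sect' 'legacy = legacy_sect' \
        '[default_sect]' '# activate = 1' '[legacy_sect]' 'activate = 1'
}

if [ $# -gt 0 ]; then
    check_openssl_cnf "$1"
else
    tmp=$(mktemp); sample_cnf > "$tmp"; check_openssl_cnf "$tmp"; rm -f "$tmp"
fi
```

Because `/etc/ssl/openssl.cnf` is the system-wide configuration, activating `legacy` there makes MD4, RC4 and the other legacy algorithms available to every OpenSSL consumer in the image, so keep the override limited to images that need NTLM.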

@wfurt
Member

wfurt commented Mar 27, 2024

For reference, it was fixed back in 2022: gssapi/gss-ntlmssp#72 to fix gssapi/gss-ntlmssp#71 .

@richlander
Member

Thanks for sharing that @wfurt. That's VERY useful to share/persist.

@lbussell
Contributor

[Triage] Since there's a workaround available and the issue is with the OpenSSL configuration on Jammy (and not an issue with .NET or our Dockerfiles), closing this as not planned.

@lbussell closed this as not planned Mar 28, 2024