-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication validation failed with error - InvalidToken exception on .net #110184
Comments
Tagging subscribers to this area: @dotnet/ncl |
@filipnavara You were extremely helpful and provided a lot of advice in a similar thread where the server was not managed by the developers and was written in Java. Perhaps you could offer some guidance here as well, please? |
@danghyan I can analyze Fiddler/Proxyman/Charles traces with the |
@danghyan Review how you declared the |
Just a summary of the private conversation from email. I briefly checked the tokens. The server responds with 200 OK and WWW-Authentication header. The value of the header seems to be syntactically correct according to RFC 4178 (https://datatracker.ietf.org/doc/html/rfc4178) specification of NegTokenResp and contains the following values:
There's no MIC (Message Integrity Check) in the response. That seems to be valid in this case according to the specification:
The value of
/cc @SteveSyfuhs in case he has tips on getting more info from the Windows auth stack. |
Structure looks about right: AP-REP ::= [APPLICATION 15] SEQUENCE {
pvno [0] INTEGER (5), --> 5
msg-type [1] INTEGER (15), --> 15
enc-part [2] EncryptedData -- EncAPRepPart ----->
}
EncryptedData ::= SEQUENCE {
etype [0] Int32, --> 18 (AES)
kvno [1] UInt32 OPTIONAL, --> NULL
cipher [2] OCTET STRING --> 111 bytes
} It's unlikely a structural issue and more likely the client and server not agreeing on the session key. I'm not sure how the client gets to ISC:
Which none of these come from session key disagreement. Might try enabling logging on the client and see if the provides anything more specific: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-kerberos-event-logging. Otherwise we might need to dig into the internal tracing and see what its complaining about. |
I’ve discovered something that might be useful. The source code for the location where the error occurs is here - https://github.com/dotnet/runtime/blob/main/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs If the Kerberos authentication header is set manually, the check passes at line 89 without validating the token. It simply checks the status. The authContext.GetOutgoingBlob(challengeData, out statusCode) method is not even called. However, if the header is not set manually, the first request is made at line 89, where we get a NeedContinue response and proceed further. At line 209, we then receive an InvalidToken error. In both cases, the tokens are sent and generated correctly. The difference lies in how the token is verified. It’s also unclear why it works fine for half of my colleagues. It could be related to a Windows update or some corrupted system package, such as sspicli.dll, which is used to calculate the InvalidToken error code. |
@rzikm any thoughts based on the discussion? Any ideas how to troubleshoot this? |
Unfortunately not many, best next step seems to be looking into Kerberos event logs, see comment from @SteveSyfuhs
tagging @wfurt in case he has more ideas. |
This issue has been marked |
Description
Hello. My team has partially encountered an InvalidToken error during POST requests to the server. This error appears sequentially for different developers, and once it occurs, it doesn’t go away. Currently, half of the team has no issues, while the other half consistently encounters this error during POST requests.
The client typically makes two requests. The first one, a handshake response, returns 401, and the second request receives a 200 response. The server processes the request correctly and returns the appropriate response. However, the client throws an InvalidToken error. I checked the headers through Fiddler, and they seem fine.
If the Kerberos authentication header is explicitly specified for the HTTP client, everything starts working correctly. In this case, the client skips the first handshake (401 request, which makes sense) and sends the request with the Kerberos header directly. Again, I checked the headers through Fiddler, and they are identical to those used in unsuccessful operations. The first 7700 characters of the header are entirely identical.
Decompiled code didn’t provide any useful information either. I understand this is a common issue, so are there any suggestions or advice?
All the threads found here and on other resources did not provide a clear answer to the issue. In our case, the server is managed by our team, so we might be able to dig a bit deeper into solving the problem.
Reproduction Steps
It won't be possible to reproduce it explicitly.
Expected behavior
Currect 200 response
Actual behavior
System.Net.Http.HttpRequestException: Authentication validation failed with error - InvalidToken.
at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.g__Core|5_0(HttpRequestMessage request, Boolean useAsync, CancellationToken cancellationToken)
at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.g__Core|5_0(HttpRequestMessage request, Boolean useAsync, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
Regression?
No response
Known Workarounds
Cusom kerberos header for HttpClient
Configuration
.Net 7, .Net 8
Client - Windows 10
Server - K8S
Other information
No response
The text was updated successfully, but these errors were encountered: