Unable to use System.Net.NetworkCredential inside docker #20387
Comments
|
Which OS? Which .NET Core version do you use 1.0 or 1.1? |
|
The docker machine runs linux and I am using dotnet core 1.1 |
|
@BharatRajMeriyala which Linux distro and version? |
|
canonical:UbuntuServer:16.04.0-LTS:latest is the linux version. |
|
Which OS is used on your local and in Azure host - in places where it works? |
|
On my local machine, I have windows 7 and I have deployed the app on Azure App Service for Dotnet Core application. It works fine in these places. Only on my docker container running linux I have the issue. |
|
@Priya91 is it worth quick investigation to assess the impact? |
|
@BharatRajMeriyala Can you try this on the terminal in your docker container, Need more info to debug, could it be the case that server is requesting different authentication scheme than the one used by default by curl [Basic]. Can you post the headers received from the server? |
|
This is what I get on my docker machine... $ curl --user asdf\xxxx:xxxx "http://xx.xxx.xxx.xxx/ReportSer |
Can you tell me how exactly I can do that? |
|
In your code, you can do WebResponse HttpWResp = await webRequest.GetResponseAsync();
var headers = (HttpWResp as HttpWebResponse).Headers;and print out the headers.. |
|
@BharatRajMeriyala your reply seems to be deleted. Was it on purpose or by mistake? |
|
same problem here. Any Updates? |
|
If you are deploying on azure, you might want to check the outgoing port configuration on azure vm once.
…-------- Original message --------
From: argoLein <notifications@github.com>
Date: 29/05/2017 6:38 pm (GMT+05:30)
To: dotnet/corefx <corefx@noreply.github.com>
Cc: BharatRajMeriyala <bharatrm@hotmail.com>, Mention <mention@noreply.github.com>
Subject: Re: [dotnet/corefx] Unable to use System.Net.NetworkCredential inside docker (#16598)
same problem here. Any Updates?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<https://github.com/dotnet/corefx/issues/16598#issuecomment-304657207>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AKaUHJal-bLLMIl72aLjMX1n-rD3QQMOks5r-sMugaJpZM4MQmlL>.
|
|
No. After 4 hours i solved the issue. My Client runs inside a Linux container and i changed my code to this: var httpClientHandler = new HttpClientHandler();
CredentialCache cc = new CredentialCache();
cc.Add(new Uri(_apiBaseAddress), "NTLM", new NetworkCredential(_user, _password, "mydomain"));
httpClientHandler.Credentials = cc;
var client = new HttpClient(httpClientHandler);outside from docker on a windows shell i dont need the credentialCache so i passed the NetworkCredential object directly to the handler. But that dont worked in docker. Inside the container, the wget command response with 2 unauthorized exceptions but the next one with 200. I think some kind of handshaking. Maybe the Cache object do the job right and dont throw an exception on the first request. |
No updates - if you read the bug, you can notice that we don't have enough information to make any reasonable next steps. No one has a repro either. |
|
@karelz i already posted a suitable Solution for the problem yesterday. |
|
@Argolein it sounded like a workaround without clear understanding why it works. If you're fine with that, then that's ok ... |
|
Any updates on this? I'm having the same issue. Have tried the workaround suggested by @Argolein but no luck. |
|
Hi , my Solution with the credentialcache works only inside a Linux based docker Container. if i want to start outside of a Container i have to remove the credentialcache. I made a simple switch with a OS ENV var. |
|
@Argolein Thanks for your comment I think I have the same setup as yours except that I'm using dotnet core 2.0. I'm able to use NetworkCredentials just fine outside of docker. However, once inside docker, I keep having 401 error. I've tried your suggestion and then call the code below but doesn't seem to work A bit more information about my setup, I use port mapping as following: and also expose ports 80, 443, 5000 Any help is much appreciated |
|
@Argolein Just ignore my previous comment. It works now. For anyone who's having the same problem, the key here is use "NTLM" authentication type and it has to authenticate using base URL. |
|
I had the same problem before but managed to resolve it. My container was supposed to call a webapi inside the same domain using the service account set on the app pool (in my case, it was a group Managed Service Account - gMSA). The webapi was secured and we were allowing only the service account to be able to access that webapi, so no employee in the company could hack and call the webapi manually (confidential data). When running in debug in Visual Studio 2017, the container was running using a local IP in the nat network of the host. So using HttpClient with param UseDefaultCredential=true or setting the CredentialCache to use the NetworkCredential always result with 401 unauthorized. The fix was:
Any questions let me know and I will try to help. |
|
Same issue in AWS + Cluster + Windows spot instance + Docker. My solution is to manually set Authorization header in HttpWebRequest. |
|
Based on reading the discussion on this issue and some workarounds that worked, I suspect the problem is related to several things. What authentication schemes is the server requesting? It sounds like either Negotiate or NTLM is being requested by the server. Using default credentials from a Linux host trying to authenticate against a Windows Active Directory has many requirements in order to be successful. The Linux machine must be "joined" to the Windows Active Directory domain. This is usually done with a separate step using Kerberos tools on the Linux machine. If both Negotiate and NTLM schemes are offered by the server, Negotiate will be chosen first since it is considered more secure. Negotiate has the ability to try Kerberos first. If that isn't possible, then NTLM will be tried. However, some Linux distros have problems with Negotiate and can't downgrade to NTLM. So, the authentication will fail with 401. Another item to consider is that you usually must specify the domain name in the So this code pattern is usually recommended: new NetworkCredential(_user, _password, "mydomain");Since there are many variables here, it would be best if you could re-try the repro scenario. Please attach WireShark and/or Fiddler traces so that we can see what kind of network traffic is being used especially in terms of what authentication schemes the server is attempting. You might also want to try out the new .NET Core 2.1 Preview 2 release which uses a newer HTTP stack, SocketsHttpHandler: See: https://blogs.msdn.microsoft.com/dotnet/2018/04/11/announcing-net-core-2-1-preview-2/ For now, we'll close this issue. But please report back when you have a new repro case. |
|
The SocketsHttpHandler only support basic auth, so make sure you disable it there, as described in the blogpost mentioned above. Once you do, on Linux you will fallback to the CurlHandler, which seems to have the fix mentioned above as well. |
This isn't true. HttpClient and all the handlers (i.e. SocketsHttpHandler) support Basic/Digest/NTLM/Negotiate schemes. |
But check my link. What does that comment mean?: |
The comment is only about handling a certain kind of optimization for pre-authenticate where the 'Authorization:' request header can be added even before any HTTP 401/407 response code is returned by a server. SocketsHttpHandler handles Basic/Digest/NTLM/Negotiate authentication flows and will use the .Credentials property as the credentials. It also handles these authentication schemes for proxy authentication as well as server authentication. |
ghost
locked as resolved and limited conversation to collaborators
I am trying to authenticate my call to a SSRS report server hosted outside the docker application. And to accress the report I do the following:
But I continuesly get 401 unauthorized.
The approach of NetworkCredentials works fine when I am doing the same inside my Azure Hosted App service and also my local.
The credentials that I set on the header inside the docker environment, simply do not carry forward upto the report server and I get the error.
The text was updated successfully, but these errors were encountered: