Possible regression in new UseSocketsHttpHandler when .NET Core 2.1 application is configured to use a proxy on Windows 64-bit

[juliobbv]

Hi all,

@TingluoHuang and I (both MSFT employees) are working on updating our Azure Pipelines agent (AKA VSTS agent) to use .NET Core 2.1 (from 2.0). During our testing, we detected a regression in our config scenario against a TFS on-premises instance when a proxy that requires client authentication (like Fiddler) is used.

Our application has the ability to pass in the proxy information via configuration settings, which are then passed in to the .NET Core library to make HTTP requests. This works fine on .NET Core 2.0, but fails on 2.1 when using the default UseSocketsHttpHandler with the following error:

TF400813: Resource not available for anonymous access. Client authentication required.

We were able to work this issue around by falling back to using the legacy HTTP handler, by adding the following line to both our agent worker and listener:

AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);

I'm attaching a Fiddler trace as a reference: corefx.zip. Sessions 1-25 represent a failed config with the new HTTP handler, while sessions 27-52 represent a successful config with the old HTTP handler.

Let us know if you need more info from our side to find out the root cause of this issue.

[rmkerr]

Hey @geoffkizer, does this look like one of the existing proxy issues you were working on?

[karelz]

@juliobbv are you able to test it with latest 2.1.x servicing bits (the unreleased 2.1.5 ideally). We had multiple proxy fixes going in. It would help us verify that your scenario is also addressed with latest bits. Thanks!

[juliobbv]

@karelz sure, I'm retrying the same scenario with SDK Version 2.1.403-servicing-009280. Let see how it goes.

[juliobbv]

Unfortunately, the agent runs into the same issue with the unreleased 2.1.5 bits 😟, same error message and fiddler trace pattern.

[karelz]

Are you able to isolate the repro into a minimal repro that we can look at / troubleshoot via logs?

[geoffkizer]

From looking at the Fiddler logs, it appears that the proxy isn't sending the "Proxy-Support: Session-Based-Authentication" header, so we don't proceed with authentication, and you get a 401.

Note the issue here is with NT connection auth, not proxy auth. The proxy challenge seems to be handled fine.

It looks like this is a known issue with Fiddler: https://fiddler.ideas.aha.io/ideas/FID-I-292

[juliobbv]

@karelz @geoffkizer thanks for the help. Let me see if the issue repro's with another proxy, and reply back with my results.

[juliobbv]

Good news @karelz, @geoffkizer: I tried the same scenario with Charles Proxy, and things started working. I'll close this issue as it's related to Fiddler and not to .NET Core.

cc @TingluoHuang for awareness.