WindowsIdentity.RunImpersonated sending wrong credentials

[daniilzaonegin]

Hi all!

I'm experiencing the problem described in issue #38414.

I have a ASP.NET Core app with a Middleware, that authenticate user via windows authentication and runs under his account an http-request to get a jwt-token.

Startup.cs

 public class Startup
    {
      //...
      //omitted for brevity
      //...
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddDistributedMemoryCache();
            services.AddSession(conf => conf.Cookie.MaxAge = TimeSpan.FromMinutes(30));
            services.AddAuthentication(IISDefaults.AuthenticationScheme).AddIdentityServerAuthentication(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.Authority = _configuration.GetValue<string>("IdentityServer");
                options.SupportedTokens = SupportedTokens.Both;
                options.ApiSecret = _configuration.GetValue<string>("ClientSecret");
                options.RequireHttpsMetadata = false;
            });
            services.AddHttpClient(ServiceConsts.ImpersonatedHttpClientName)
                .ConfigurePrimaryHttpMessageHandler(_ =>
                    new SocketsHttpHandler()
                    {
                        UseProxy = false,
                        Credentials = CredentialCache.DefaultCredentials
                    });

            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders =
                    ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

                options.KnownNetworks.Clear();
                options.KnownProxies.Clear();
            });
          //...
          //omitted for brevity
          //...
        }
      
       public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseSession();
            
            app.UseAuthentication();
            app.UseAuthorization();
            app.UseForwardedHeaders();
            app.Use(async (context, next) =>
            {
                string ip = context.Connection.RemoteIpAddress.ToString();
                context.Request.Headers[ForwardedIpToken] = ip;
                await next.Invoke();
            });
            app.UseMiddleware<WinTokenMiddleware>();
            app.UseOcelot().Wait();
        }

      //...
      //omitted for brevity
      //...
}

WinTokenMiddleware.cs

   [SupportedOSPlatform("windows")]
    public class WinTokenMiddleware
    {
        private readonly RequestDelegate _next;
        private readonly IConfiguration _configuration;
        private readonly IHttpClientFactory _httpClientFactory;
        private static readonly ILogger Logger = Log.ForContext<WinTokenMiddleware>();
        private const string TokenSessionKey = "AuthToken";

        public WinTokenMiddleware(RequestDelegate next, IConfiguration configuration, IHttpClientFactory httpClientFactory)
        {
            _next = next;
            _configuration = configuration;
            _httpClientFactory = httpClientFactory;
        }

        // ReSharper disable once UnusedMember.Global
        public async Task InvokeAsync(HttpContext context)
        {
           //...
           //... omitted for brevity
           //...
                AuthenticateResult winAuthenticateResult = await context.AuthenticateAsync(IISServerDefaults.AuthenticationScheme);
                if (!winAuthenticateResult.Succeeded)
                {
                    await context.ChallengeAsync(IISDefaults.AuthenticationScheme);
                    return;
                }

                if (!(winAuthenticateResult?.Principal?.Identity is WindowsIdentity windowsIdentity))
                {
                    Logger.Warning("Couldn't get user windows account!'");
                    await WriteErrorResponse(context,
                        "Couldn't get user windows account! Please enable windows authentication on server.");
                    return;
                }
           //...
           //... omitted for brevity
           //...
                TokenResponse tokenResponse = await WindowsIdentity.RunImpersonated(
                        windowsIdentity.AccessToken,
                        () =>
                        {
                            Logger.Debug($"Current user {WindowsIdentity.GetCurrent().Name}");
                            HttpClient impersonatedClient = _httpClientFactory.CreateClient(ServiceConsts.ImpersonatedHttpClientName);

                            //получаем токен под пользователем
                            return impersonatedClient.RequestTokenAsync(new TokenRequest()
                            {
                                Address = disco.TokenEndpoint,

                                ClientId = _configuration.GetValue<string>("ClientId"),
                                ClientSecret = _configuration.GetValue<string>("ClientSecret"),
                                GrantType = "windows"

                            });
                        });
//...
//... omitted for brevity
//...
        }
}

The Code above gets jwt-Token authenticated under user account with windows authentication.
When we deploy application, we see that users get tokens of other users. For example, if user A gets authenticated correctly and received his token, and few seconds later comes user B, he gets authenticated by user A and therefore gets the wrong token.

If I set PooledConnectionLifetime to TimeSpan.Zero, it works as expected

            services.AddHttpClient(ServiceConsts.ImpersonatedHttpClientName)
                .ConfigurePrimaryHttpMessageHandler(_ =>
                    new SocketsHttpHandler()
                    {
                        UseProxy = false,
                        Credentials = CredentialCache.DefaultCredentials,
                        PreAuthenticate = false,
                        PooledConnectionLifetime = TimeSpan.Zero
                    });

The service is running on net5.0 on windows server 2016, IIS 10.

Is this a bug or am I doing it the wrong way?

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[Tratcher]

await WindowsIdentity.RunImpersonated(

This is a bit of a trap. RunImpersonated Takes a Func<T> and reverts the impersonation when the Func exits. You're returning a Task and waiting for the task outside of the impersonation. That can end up reverting the impersonation in the middle of the operation.

.NET 5 added RunImersonatedAsync to mitigate this issue. Try that and see if it helps.
https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.runimpersonatedasync?view=net-5.0

[Tratcher]

For example, if user A gets authenticated correctly and received his token, and few seconds later comes user B, he gets authenticated by user A and therefore gets the wrong token.

This sounds like HttpClient failing to account for the impersonation context when selecting pooled connections. Transferring back to runtime for followup.

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Hi all!

I'm experiencing the problem described in issue #38414.

I have a ASP.NET Core app with a Middleware, that authenticate user via windows authentication and runs under his account an http-request to get a jwt-token.

Startup.cs

 public class Startup
    {
      //...
      //omitted for brevity
      //...
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddDistributedMemoryCache();
            services.AddSession(conf => conf.Cookie.MaxAge = TimeSpan.FromMinutes(30));
            services.AddAuthentication(IISDefaults.AuthenticationScheme).AddIdentityServerAuthentication(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.Authority = _configuration.GetValue<string>("IdentityServer");
                options.SupportedTokens = SupportedTokens.Both;
                options.ApiSecret = _configuration.GetValue<string>("ClientSecret");
                options.RequireHttpsMetadata = false;
            });
            services.AddHttpClient(ServiceConsts.ImpersonatedHttpClientName)
                .ConfigurePrimaryHttpMessageHandler(_ =>
                    new SocketsHttpHandler()
                    {
                        UseProxy = false,
                        Credentials = CredentialCache.DefaultCredentials
                    });

            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders =
                    ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

                options.KnownNetworks.Clear();
                options.KnownProxies.Clear();
            });
          //...
          //omitted for brevity
          //...
        }
      
       public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseSession();
            
            app.UseAuthentication();
            app.UseAuthorization();
            app.UseForwardedHeaders();
            app.Use(async (context, next) =>
            {
                string ip = context.Connection.RemoteIpAddress.ToString();
                context.Request.Headers[ForwardedIpToken] = ip;
                await next.Invoke();
            });
            app.UseMiddleware<WinTokenMiddleware>();
            app.UseOcelot().Wait();
        }

      //...
      //omitted for brevity
      //...
}

WinTokenMiddleware.cs

   [SupportedOSPlatform("windows")]
    public class WinTokenMiddleware
    {
        private readonly RequestDelegate _next;
        private readonly IConfiguration _configuration;
        private readonly IHttpClientFactory _httpClientFactory;
        private static readonly ILogger Logger = Log.ForContext<WinTokenMiddleware>();
        private const string TokenSessionKey = "AuthToken";

        public WinTokenMiddleware(RequestDelegate next, IConfiguration configuration, IHttpClientFactory httpClientFactory)
        {
            _next = next;
            _configuration = configuration;
            _httpClientFactory = httpClientFactory;
        }

        // ReSharper disable once UnusedMember.Global
        public async Task InvokeAsync(HttpContext context)
        {
           //...
           //... omitted for brevity
           //...
                AuthenticateResult winAuthenticateResult = await context.AuthenticateAsync(IISServerDefaults.AuthenticationScheme);
                if (!winAuthenticateResult.Succeeded)
                {
                    await context.ChallengeAsync(IISDefaults.AuthenticationScheme);
                    return;
                }

                if (!(winAuthenticateResult?.Principal?.Identity is WindowsIdentity windowsIdentity))
                {
                    Logger.Warning("Couldn't get user windows account!'");
                    await WriteErrorResponse(context,
                        "Couldn't get user windows account! Please enable windows authentication on server.");
                    return;
                }
           //...
           //... omitted for brevity
           //...
                TokenResponse tokenResponse = await WindowsIdentity.RunImpersonated(
                        windowsIdentity.AccessToken,
                        () =>
                        {
                            Logger.Debug($"Current user {WindowsIdentity.GetCurrent().Name}");
                            HttpClient impersonatedClient = _httpClientFactory.CreateClient(ServiceConsts.ImpersonatedHttpClientName);

                            //получаем токен под пользователем
                            return impersonatedClient.RequestTokenAsync(new TokenRequest()
                            {
                                Address = disco.TokenEndpoint,

                                ClientId = _configuration.GetValue<string>("ClientId"),
                                ClientSecret = _configuration.GetValue<string>("ClientSecret"),
                                GrantType = "windows"

                            });
                        });
//...
//... omitted for brevity
//...
        }
}

The Code above gets jwt-Token authenticated under user account with windows authentication.
When we deploy application, we see that users get tokens of other users. For example, if user A gets authenticated correctly and received his token, and few seconds later comes user B, he gets authenticated by user A and therefore gets the wrong token.

If I set PooledConnectionLifetime to TimeSpan.Zero, it works as expected

            services.AddHttpClient(ServiceConsts.ImpersonatedHttpClientName)
                .ConfigurePrimaryHttpMessageHandler(_ =>
                    new SocketsHttpHandler()
                    {
                        UseProxy = false,
                        Credentials = CredentialCache.DefaultCredentials,
                        PreAuthenticate = false,
                        PooledConnectionLifetime = TimeSpan.Zero
                    });

The service is running on net5.0 on windows server 2016, IIS 10.

Is this a bug or am I doing it the wrong way?

Author:	daniilzaonegin
Assignees:	-
Labels:	area-System.Net.Http, untriaged
Milestone:	-

[daniilzaonegin]

Thanks for reply! But I've tried this

                TokenResponse tokenResponse = await WindowsIdentity.RunImpersonatedAsync(
                        windowsIdentity.AccessToken,
                        async () =>
                        {
                            Logger.Debug($"Current user {WindowsIdentity.GetCurrent().Name}");
                            HttpClient impersonatedClient = _httpClientFactory.CreateClient(ServiceConsts.ImpersonatedHttpClientName);

                            return await impersonatedClient.RequestTokenAsync(new TokenRequest()
                            {
                                Address = disco.TokenEndpoint,

                                ClientId = _configuration.GetValue<string>("ClientId"),
                                ClientSecret = _configuration.GetValue<string>("ClientSecret"),
                                GrantType = "windows"

                            });
                        });

Startup.cs

            services.AddHttpClient(ServiceConsts.ImpersonatedHttpClientName)
                .ConfigurePrimaryHttpMessageHandler(_ =>
                    new SocketsHttpHandler()
                    {
                        UseProxy = false,
                        Credentials = CredentialCache.DefaultCredentials
                    });

Issue is still present. When I open page under first account I receive correct token, when I open page under different account after that, I receive token of previous user.

[Tratcher]

Can you confirm the issue goes away if you create a new HttpClient instance for each call to RequestTokenAsync (without the factory) and dispose it afterwards? That should help confirm if it's a connection pooling issue.

[daniilzaonegin]

Yes, issue goes away if I create a new HttpClient instance for each call to RequestTokenAsync. It also goes away when I set up HttpClient not to use connection pooling like this PooledConnectionLifetime = TimeSpan.Zero

            services.AddHttpClient(ServiceConsts.ImpersonatedHttpClientName)
                .ConfigurePrimaryHttpMessageHandler(_ =>
                    new SocketsHttpHandler()
                    {
                        UseProxy = false,
                        Credentials = CredentialCache.DefaultCredentials,
                        PooledConnectionLifetime = TimeSpan.Zero
                    });

[daniilzaonegin]

Just checked, this works

TokenResponse tokenResponse = await WindowsIdentity.RunImpersonatedAsync(
                        windowsIdentity.AccessToken,
                        async () =>
                        {
                            Logger.Debug($"Current user {WindowsIdentity.GetCurrent().Name}");
                            using HttpClient impersonatedClient = new HttpClient(new HttpClientHandler(){UseDefaultCredentials = true});

                            //получаем токен под пользователем
                            return await impersonatedClient.RequestTokenAsync(new TokenRequest()
                            {
                                Address = disco.TokenEndpoint,

                                ClientId = _configuration.GetValue<string>("ClientId"),
                                ClientSecret = _configuration.GetValue<string>("ClientSecret"),
                                GrantType = "windows"

                            });
                        });

But it isn't optimal solution, because it could lead to socket exhaustion.

[geoffkizer]

We have code to handle this here: https://github.com/dotnet/runtime/blob/main/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPoolManager.cs#L281

Sounds like something is broken somewhere, though...

[geoffkizer]

@alnikola Can you take a look at this?