Net 6 httpclient 401 large requests #100200

Open
Harpush opened this issue Mar 24, 2024 · 13 comments
Labels: area-System.Net.Http, needs-author-action, untriaged

Comments

@Harpush

Harpush commented Mar 24, 2024

Description

I am migrating a .NET Framework app to .NET 6. The app uses Kerberos with delegation and impersonation. The .NET 6 app is self-contained on IIS with both Windows and anonymous enabled. HttpClient uses WinHttpHandler with the default credentials cache.

The app calls another .NET Framework app (unchanged and works). After upgrading to .NET 6 I am getting sporadic 401 errors. It only happens when both apps are on the same machine (two pools) and when going through the DNS name (with an SPN configured for Kerberos) and only with large POST body requests.
When sending a small body in those POST requests everything works fine. Same if calling the same machine's IP directly and same when calling the Framework app on another machine.

It doesn't always happen but the larger the request the more often it happens.

Reproduction Steps

Not sure it is possible with all those specific setups...

Expected behavior

Should always work without those 401

Actual behavior

Getting sporadic 401

Regression?

Worked in .NET Framework with web client

Known Workarounds

No response

Configuration

.NET 6 self-contained on IIS

Other information

No response

dotnet-policy-service bot added the untriaged label Mar 24, 2024

@antonfirsov
Member

@Harpush this is not actionable with the information provided. We would need packet captures, and at least some code from the client side to see what your application is doing.

antonfirsov added the needs-author-action label Mar 25, 2024

@Harpush
Author

Harpush commented Mar 25, 2024

> @Harpush this is not actionable with the information provided. We would need packet captures, and at least some code from the client side to see what your application is doing.

Sure, I will add a code snippet - though it is pretty standard (HttpClient with WinHttpHandler).
Concerning packet captures - how can I do it?

dotnet-policy-service bot removed the needs-author-action label Mar 25, 2024

@antonfirsov
Member

> Concerning packet captures - how can I do it?

On Windows the easiest way is Wireshark.

> HttpClient uses WinHttpHandler

Any reason for not switching to SocketsHttpHandler?

@Harpush
Author

Harpush commented Mar 25, 2024

> > Concerning packet captures - how can I do it?
>
> On Windows the easiest way is Wireshark.
>
> > HttpClient uses WinHttpHandler
>
> Any reason for not switching to SocketsHttpHandler?

I hope I can use it on the machine... Not sure IT will approve of it.

SocketsHttpHandler has a weird bug where the Kerberos delegation second hop to a WCF service always fails (.NET Core to .NET Framework to WCF).
WinHttpHandler doesn't have that problem.
I also don't use HttpClientFactory due to the Kerberos credentials cache resulting in users authenticating as other users.

@antonfirsov
Member

> SocketsHttpHandler has a weird bug where the Kerberos delegation second hop to a WCF service always fails (.NET Core to .NET Framework to WCF).

@wfurt @rzikm any thoughts on this?

@wfurt
Member

wfurt commented Mar 25, 2024

I think this may be a dup of #29587 but it is hard to know without more details. But it would not explain why that happens only on large requests. There is logic to abandon large bodies instead of draining them. I would also suggest setting 100-Continue as it may help.

@Harpush
Author

Harpush commented Mar 25, 2024

@antonfirsov The code is something close to (don't have the code in front of me):

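```csharp
// Requires: System.Net, System.Net.Http, System.Security.Principal
// Run the outbound call under the identity of the authenticated caller.
string res = await WindowsIdentity.RunImpersonatedAsync(
    ((WindowsIdentity)_httpContextAccessor.HttpContext.User.Identity).AccessToken,
    async () =>
    {
        // A new handler is created for every call.
        WinHttpHandler handler = new WinHttpHandler()
        {
            // Authenticate as the impersonated Windows identity.
            ServerCredentials = CredentialCache.DefaultCredentials,
            SendTimeout = TimeSpan.FromMinutes(30),
            ReceiveDataTimeout = TimeSpan.FromMinutes(30),
            ReceiveHeadersTimeout = TimeSpan.FromMinutes(30)
        };

        // Disposing the client also disposes the handler.
        using (HttpClient client = new HttpClient(handler))
        {
            // SendAsync returns the response; the request is elided in the original post.
            HttpResponseMessage msg = await client.SendAsync(...);
            return await msg.Content.ReadAsStringAsync();
        }
    }
);
```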

@wfurt I am pretty sure I tried it to no avail - but just to make sure can you explain where to set it?

@Harpush
Author

Harpush commented Mar 25, 2024

> I think this may be a dup of #29587 but it is hard to know without more details. But it would not explain why that happens only on large requests. There is logic to abandon large bodies instead of draining them. I would also suggest setting 100-Continue as it may help.

I am not sure if it is related... The odd behavior in my case is that it doesn't always happen on large requests, but pretty often. On small requests it never happens. And when doing cross-machine calls the problem doesn't exist either. It only happens when calling the same machine I am on through DNS and the Kerberos SPN, as IP works and localhost works. It happens even when there is no load balancer and one machine only.

@ManickaP
Member

Expect 100-continue: https://learn.microsoft.com/en-us/dotnet/api/system.net.http.headers.httprequestheaders.expectcontinue?view=net-8.0
Getting packet captures: https://www.wireshark.org/

A packet capture for the 401 error would probably be the best now. This is still non-actionable for us as it is now.
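
Where the `Expect: 100-continue` header is set, shown as an added example that is not code from this thread or from dotnet/runtime: it keeps the per-call WinHttpHandler pattern from the snippet posted earlier, sets `ExpectContinue` on the request, and logs the challenge schemes on a 401 so failures can be correlated with body size. `ExpectContinueExample`, `PostLargeAsync`, the JSON content type and the log format are assumptions; the thread does not establish whether the header changes the 401 behaviour.

```csharp
// Added example; not code from the issue. Type and method names are hypothetical.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Win32.SafeHandles;

public static class ExpectContinueExample
{
    // accessToken: the impersonated caller's token, obtained as in the posted snippet.
    public static Task<string> PostLargeAsync(SafeAccessTokenHandle accessToken, Uri target, string body) =>
        WindowsIdentity.RunImpersonatedAsync(accessToken, async () =>
        {
            // Per-call handler, so no authenticated connection is shared between users.
            using var client = new HttpClient(new WinHttpHandler
            {
                ServerCredentials = CredentialCache.DefaultCredentials
            });

            using var request = new HttpRequestMessage(HttpMethod.Post, target)
            {
                // Content type is an assumption for this example.
                Content = new StringContent(body, Encoding.UTF8, "application/json")
            };
            // Adds "Expect: 100-continue" to this request only.
            request.Headers.ExpectContinue = true;

            using HttpResponseMessage response = await client.SendAsync(request);
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // Log only the challenge schemes (e.g. Negotiate, NTLM), never the token data.
                string schemes = string.Join(",", response.Headers.WwwAuthenticate.Select(h => h.Scheme));
                Console.Error.WriteLine(
                    $"401 from {target.Host}; body bytes={request.Content.Headers.ContentLength}; challenges={schemes}");
            }

            // Throws HttpRequestException on 401 and other non-success codes.
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        });
}
```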

ManickaP added the needs-author-action label Mar 28, 2024

@Harpush
Author

Harpush commented Apr 13, 2024

Was on a vacation... I have yet to succeed with Wireshark as I haven't got IT approval for it.
Anyway I think the issue either goes away or happens much less when using a singleton WinHttpHandler.
Does it help somehow?

dotnet-policy-service bot removed the needs-author-action and no-recent-activity labels Apr 13, 2024
ManickaP added the needs-author-action label Apr 15, 2024

@Harpush
Author

Harpush commented May 5, 2024

So I tried Wireshark. It seems I can't make it work for loopback calls. The machine calls itself (to another IIS pool) and Wireshark can't seem to record the loopback card.
Any idea?

dotnet-policy-service bot removed the needs-author-action and no-recent-activity labels May 5, 2024

@wfurt
Member

wfurt commented May 6, 2024

Install Npcap: https://npcap.com/#download
Normally that would be part of the Wireshark install. It allows capturing loopback traffic.

MihaZupan added the needs-author-action label May 6, 2024

Contributor

This issue has been marked needs-author-action and may be missing some important information.
