NTLM issues in some images

[mitch-b]

Describe the Bug

Using 7.0-jammy/8.0-jammy, 8.0-alpine images (linux-x64) and manually installing gss-ntlmssp library does not seem to allow NTLM authentication when using a WCF connected service in a .NET 8 Web API project.

When I converted my project down to 6.0-focal, it worked. Then I tried to understand if this was a .NET 7+ issue, but I eventually found that the 8.0-bookworm-slim image worked, so it didn't seem to be a .NET version, but seemed to be more tied to the base image.

In the -jammy and -alpine images, the error I would get when connecting to my WCF service was:

MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.

Steps to Reproduce

Dockerfile (that does not work):

#See https://aka.ms/customizecontainer to learn how to customize your debug container and how Visual Studio uses this Dockerfile to build your images for faster debugging.

FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy AS base

WORKDIR /app
EXPOSE 8080
EXPOSE 8081

RUN apt-get update && apt-get install -y \
	krb5-user \
	libkrb5-dev \
	gss-ntlmssp \
	&& rm -rf /var/lib/apt/lists/*

USER app

FROM mcr.microsoft.com/dotnet/sdk:8.0-jammy AS build
ARG BUILD_CONFIGURATION=Release
WORKDIR /src
COPY ["dotnet-ntlm-container-demo/NtlmDemo.csproj", "dotnet-ntlm-container-demo/"]
RUN dotnet restore "./dotnet-ntlm-container-demo/NtlmDemo.csproj"
COPY . .
WORKDIR "/src/dotnet-ntlm-container-demo"
RUN dotnet build "./NtlmDemo.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "./NtlmDemo.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "NtlmDemo.dll"]

And a Dockerfile that works (Note: the only change is the image tag):

#See https://aka.ms/customizecontainer to learn how to customize your debug container and how Visual Studio uses this Dockerfile to build your images for faster debugging.

FROM mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim AS base

WORKDIR /app
EXPOSE 8080
EXPOSE 8081

RUN apt-get update && apt-get install -y \
	krb5-user \
	libkrb5-dev \
	gss-ntlmssp \
	&& rm -rf /var/lib/apt/lists/*

USER app

FROM mcr.microsoft.com/dotnet/sdk:8.0-bookworm-slim AS build
ARG BUILD_CONFIGURATION=Release
WORKDIR /src
COPY ["dotnet-ntlm-container-demo/NtlmDemo.csproj", "dotnet-ntlm-container-demo/"]
RUN dotnet restore "./dotnet-ntlm-container-demo/NtlmDemo.csproj"
COPY . .
WORKDIR "/src/dotnet-ntlm-container-demo"
RUN dotnet build "./NtlmDemo.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "./NtlmDemo.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "NtlmDemo.dll"]

Other Information

Output of docker version

Docker version 25.0.3, build 4debf41

[richlander]

I am looking for some help. I've not been successful in that so far. We'll have Ubuntu 24.04 images to try next month.

Any thoughts @filipnavara @mconnew @wfurt ?

[wfurt]

This looks like dotnet/runtime#67353. It got broken by moving OpenSSL 3.0. It was fixed upstream but took ages for Ubuntu to pick up the updated package. I think Ubuntu 23+ had the 1.XX ntlm-gss

[richlander]

When this PR merges, we will have noble images in our nightly repo. That will be enough to test.

#5241

[mitch-b]

Thanks for the reference, @wfurt . Merging the default openssl.cnf with what was mentioned in that issue gets things working in 8.0-jammy. I'm hopeful that noble images make this workaround no longer required.

dotnet/runtime#67353 (comment)

FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy AS base

WORKDIR /app
EXPOSE 8080
EXPOSE 8081

RUN apt-get update && apt-get install -y \
	krb5-user \
	libkrb5-dev \
	gss-ntlmssp \
	&& rm -rf /var/lib/apt/lists/*

###
### OpenSSL 3.0 fix by providing an override openssl.cnf file:
###
RUN echo "Copying openssl.cnf to /etc/ssl/openssl.cnf"
COPY ["dotnet-ntlm-container-demo/openssl.cnf", "openssl.cnf"]
RUN cp openssl.cnf /etc/ssl/openssl.cnf

USER app

...

[wfurt]

For reference, it was fixed back in 2022: gssapi/gss-ntlmssp#72 to fix gssapi/gss-ntlmssp#71 .

[richlander]

Thanks for sharing that @wfurt. That's VERY useful to share/persist.

[lbussell]

[Triage] Since there's a workaround available and the issue is with the OpenSSL configuration on Jammy (and not an issue with .NET or our Dockerfiles), closing this as not planned.