PKI Authentication Crash

10-22-2018 04:26 AM
KevinSayer
New Contributor III

Hi Guys,

Does anyone have an answer to these issues please, especially the crashing one?

Issue 1:
We have an application that uses PKI authentication with ArcGISPortal but we seem to experience an intermittent crash due to a null certificate getting into the X509CertificateCollection on the HttpClientHandler.

There are 2 places where the application can intermittently crash (X509CertificateCollection.GetHashCode and X509CertificateCollection.Contains) but both cases are due to the same reason, i.e. a null certificate entry in the handler's collection.

I have attached images that show the call stacks for both crashes and also the certificate collection contents where you can clearly see the null certificate entry.  It's worth noting that one of the call stacks contains an ArcGISHttpClientHandler and the other just uses a standard HttpClientHandler, yet both result from calling await PortalItem.Thumbnail.ToImageSourceAsync()

I have also attached a simple demonstration application but you will need a Portal instance with PKI setup to test it.  You will also need to update the hard coded portal uri and certificate thumbprint as detailed in the source file comments.

The application automatically connects to a portal instance on startup using the certificate with the hard coded thumbprint.  The displayed "Portal User" is updated once connected and it then goes on to fetch a list of all the available base maps.  A thumbnail image is then fetched for each basemap and these images are each displayed on separate buttons.  The button handlers are not wired up in this application.

The "Create Portal" button and the checkbox beside it can be ignored for now.

Steps to reproduce:
Just keep restarting the application and eventually you should get one of the two exceptions mentioned above.  If you get to the point where the images start appearing then you may as well quit and restart as the problem will not occur after that.


Issue 2:
We also have a use case for clearing the SSL state and reconnecting with a different client certificate. The Esri documentation states that removing the certificate credential from the AuthenticationManager's credential collection should result in you getting challenged again on the next request. This does indeed seem to be the case but if you choose a different certificate the connection then fails with the following error, "Your login session has been reset. Please try again." Trying again with the new certificate succeeds on the second attempt but having to do this twice is not a great UX.

Steps to reproduce:
Assuming you have more than one valid client certificate installed and they're both mapped to portal users, after the initial load succeeds, uncheck the "Use default client certificate" check box and press the "Create Portal" button.  This will attempt to create a new portal instance, prompting you to select a client certificate, at which point you should select a certificate with a different thumbprint to the hard coded one.

The connection will fail and display the exception message in a dialog box. Dismiss the dialog box and try again with the same certificate - assuming it's a valid certificate that has been correctly mapped, it will succeed on this second attempt.

I have tried to tear down the SSL connection in the Reset method but unfortunately this doesn't make any difference. The code also uses reflection which is obviously a bit hacky but unfortunately the .NET Framework doesn't support this through the ServicePoint API. Although this Reset method is called on every connection, it's definitely not the reason for the first crashing issue as that still happens with the Reset method removed.

The problem was originally noticed on 100.3.0 but I've just updated it to work against 100.4.0 which was released last week.  I was hoping that might fix it but unfortunately the crash is still present.

Any comments and/or workarounds would be appreciated.

Regards,
Kevin


Accepted Solutions
MichaelBranscomb
Esri Frequent Contributor

Hi Kevin,

The crash reported in the original post (Issue 1) has been resolved in our daily builds and will be included in the upcoming 100.5 release (anticipated to release approx early-Q2). 

The second issue (Issue 2) can be resolved with the following code (note: you will need to add a reference to the System.Net.Http.WebRequest assembly if you don't have one already):

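// Namespaces used: System.Linq, System.Net, Esri.ArcGISRuntime.Http, Esri.ArcGISRuntime.Security
// Copy the credentials to a list so they can be removed while iterating.
var credList = AuthenticationManager.Current.Credentials.ToList();
var clientHandler = new ArcGISHttpClientHandler();
foreach (var credential in credList)
{
    if (credential.ServiceUri != null)
    {
        // Mark every cookie stored for this service URI as expired.
        clientHandler.CookieContainer.GetCookies(credential.ServiceUri).Cast<Cookie>()?.ToList()?.ForEach(c => c.Expired = true);
    }
    // Remove the credential so the next request is challenged again.
    AuthenticationManager.Current.RemoveCredential(credential);
}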

Thanks for posting such a detailed question and for the repro case - both make a big difference in helping us diagnose the underlying issue. Thanks also for the time you invested in verifying the fix for Issue 1 using our preview build and for the additional feedback you provided on feature/graphic selection, SketchEditor.EditConfiguration behavior, and potential API improvements for Issue 2 above.

Cheers

Mike


3 Replies
dotMorten_esri
Esri Notable Contributor

Since you're seeing the callstack make it all the way into .net, which version of .NET are you targeting? Does the problem go away if you (as a test) upgrade to target 4.7.2 ?

KevinSayer
New Contributor III

Thanks for the reply but the demo app I posted is already targeting 4.7.2
