
PKI Authentication Crash

Question asked by KevinSayer on Oct 22, 2018
Latest reply on Oct 22, 2018 by KevinSayer

Hi Guys,

 

Does anyone have an answer to these issues please, especially the crashing one?

 

Issue 1:
We have an application that uses PKI authentication with ArcGISPortal but we seem to experience an intermittent crash due to a null certificate getting into the X509CertificateCollection on the HttpClientHandler.

 

There are 2 places where the application can intermittently crash (X509CertificateCollection.GetHashCode and X509CertificateCollection.Contains) but both cases are due to the same reason, i.e. a null certificate entry in the handler's collection.

 

I have attached images that show the call stacks for both crashes and also the certificate collection contents where you can clearly see the null certificate entry.  It's worth noting that one of the call stacks contains an ArcGISHttpClientHandler and the other just uses a standard HttpClientHandler, yet both result from calling await PortalItem.Thumbnail.ToImageSourceAsync()

 

I have also attached a simple demonstration application but you will need a Portal instance with PKI setup to test it.  You will also need to update the hard coded portal uri and certificate thumbprint as detailed in the source file comments.

 

The application automatically connects to a portal instance on startup using the certificate with the hard coded thumbprint.  The displayed "Portal User" is updated once connected and it then goes on to fetch a list of all the available base maps.  A thumbnail image is then fetched for each basemap and these images are each displayed on separate buttons.  The button handlers are not wired up in this application.

 

The "Create Portal" button and the checkbox beside it can be ignored for now.

 

Steps to reproduce:
Just keep restarting the application and eventually you should get one of the two exceptions mentioned above.  If you get to the point where the images start appearing then you may as well quit and restart as the problem will not occur after that.

 


Issue 2:
We also have a use case for clearing the SSL state and reconnecting with a different client certificate. The Esri documentation states that removing the certificate credential from the AuthenticationManager's credential collection should result in you getting challenged again on the next request. This does indeed seem to be the case, but if you choose a different certificate the connection then fails with the following error: "Your login session has been reset. Please try again." Trying again with the new certificate succeeds on the second attempt, but having to do this twice is not a great UX.

 

Steps to reproduce:
Assuming you have more than one valid client certificate installed and they're both mapped to portal users, after the initial load succeeds, uncheck the "Use default client certificate" check box and press the "Create Portal" button.  This will attempt to create a new portal instance, prompting you to select a client certificate, at which point you should select a certificate with a different thumbprint to the hard coded one.

 

The connection will fail and display the exception message in a dialog box. Dismiss the dialog box and try again with the same certificate. Assuming it's a valid certificate that has been correctly mapped, it will succeed on this second attempt.

 

I have tried to tear down the SSL connection in the Reset method but unfortunately this doesn't make any difference. The code also uses reflection, which is obviously a bit hacky, but unfortunately the .NET Framework doesn't support this through the ServicePoint API. Although this Reset method is called on every connection, it's definitely not the reason for the first crashing issue, as that still happens with the Reset method removed.

 

The problem was originally noticed on 100.3.0 but I've just updated it to work against 100.4.0 which was released last week.  I was hoping that might fix it but unfortunately the crash is still present.

 

Any comments and/or workarounds would be appreciated.

 

Regards,
Kevin
