Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GraphServiceClient hitting error 'A security error occurred' #2782

Open
isPhilo opened this issue Dec 19, 2024 · 2 comments
Open

GraphServiceClient hitting error 'A security error occurred' #2782

isPhilo opened this issue Dec 19, 2024 · 2 comments
Labels
Needs: Attention 👋 Status: Needs investigation

Comments

@isPhilo
Copy link

isPhilo commented Dec 19, 2024
edited
Loading

I am trying to support TLS 1.3 in our .Net Framework 4.8 C# application. Calling GraphServiceClient gives a security error when only TLS 1.3 is enabled but works when both TLS 1.2 and 1.3 are enabled.

Error:
System.Net.Http.HttpRequestException
HResult=0x80131500
Message=An error occurred while sending the request.
Source=mscorlib
StackTrace:
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Kiota.Http.HttpClientLibrary.Middleware.BodyInspectionHandler.d__2.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Kiota.Http.HttpClientLibrary.Middleware.HeadersInspectionHandler.d__2.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at Microsoft.Kiota.Http.HttpClientLibrary.Middleware.RedirectHandler.d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Kiota.Http.HttpClientLibrary.Middleware.RetryHandler.d__7.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Kiota.Http.HttpClientLibrary.Middleware.UriReplacementHandler1.<SendAsync>d__2.MoveNext() at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.<GetHttpResponseMessageAsync>d__33.MoveNext() at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.<SendAsync>d__201.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.Me.MeRequestBuilder.d__151.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at TestMsGraphTls13.Program.

d__0.MoveNext() in C:\Users\administrator.xxx\Source\Repos\TestMsGraphTls13\TestMsGraphTls13\Program.cs:line 25
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at TestMsGraphTls13.Program.(String[] args)

This exception was originally thrown at this call stack:
System.Threading.Tasks.RendezvousAwaitable.GetResult()
System.Net.Http.WinHttpHandler.StartRequestAsync(System.Net.Http.WinHttpRequestState)

Inner Exception 1:
WinHttpException: Error 12175 calling WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, 'A security error occurred'.

Code:
I created a standalone console app with these lines
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;

string[] scopes = { "User.Read.All" };
var usernamePasswordCredential = new UsernamePasswordCredential("user", "passw!", "tenantid", "clientid");

GraphServiceClient graphClient = new GraphServiceClient(usernamePasswordCredential, scopes);
var me = await graphClient.Me.GetAsync();

Works with both TLS 1.2 and 1.3 enabled
Fails when only TLS 1.3 is enabled.
Wireshark shows connnection with login.microsoft.com using tls 1.3 but then trying to use tls 1.2 with graph.microsoft.com

Created another console app using only httpclient to get auth code and then get users from graph.microsoft.com. httpclient only code works with only tls 1.3 enabled and confirmed in wireshark.

I think this rules out most environment misconfiguration.

Does graphserviceclient and WinHttp support TLS 1.3 or am I missing some other TLS configuration for graphserviceclient to work with TLS 1.3 only.

Similar issue: #2176

Windows Server 2022 standard(updated)
Visual studio 2019
Console App for graph service client uses latest stable Dlls from nuget.
@isPhilo isPhilo added the status:waiting-for-triage An issue that is yet to be reviewed or assigned label Dec 19, 2024
@andrueastman
Copy link
Member

Thanks for raising this @isPhilo

Are you by any chance able to replicate this if you add a reference to the latest version of this package to your project? https://www.nuget.org/packages/System.Net.Http.WinHttpHandler/#versions-body-tab

@andrueastman andrueastman added Status: Needs investigation status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned labels Jan 8, 2025
@isPhilo
Copy link
Author

isPhilo commented Jan 9, 2025
edited
Loading

Hi @andrueastman

I am already using the latest versions of the packages

<packages> <package id="Azure.Core" version="1.44.1" targetFramework="net48" /> <package id="Azure.Identity" version="1.13.1" targetFramework="net48" /> <package id="Microsoft.Bcl.AsyncInterfaces" version="9.0.0" targetFramework="net48" /> <package id="Microsoft.Bcl.TimeProvider" version="9.0.0" targetFramework="net48" /> <package id="Microsoft.Graph" version="5.67.0" targetFramework="net48" /> <package id="Microsoft.Graph.Core" version="3.2.1" targetFramework="net48" /> <package id="Microsoft.Identity.Client" version="4.66.2" targetFramework="net48" /> <package id="Microsoft.Identity.Client.Extensions.Msal" version="4.66.2" targetFramework="net48" /> <package id="Microsoft.IdentityModel.Abstractions" version="8.3.0" targetFramework="net48" /> <package id="Microsoft.IdentityModel.JsonWebTokens" version="8.3.0" targetFramework="net48" /> <package id="Microsoft.IdentityModel.Logging" version="8.3.0" targetFramework="net48" /> <package id="Microsoft.IdentityModel.Protocols" version="8.3.0" targetFramework="net48" /> <package id="Microsoft.IdentityModel.Protocols.OpenIdConnect" version="8.3.0" targetFramework="net48" /> <package id="Microsoft.IdentityModel.Tokens" version="8.3.0" targetFramework="net48" /> <package id="Microsoft.IdentityModel.Validators" version="8.3.0" targetFramework="net48" /> <package id="Microsoft.Kiota.Abstractions" version="1.16.0" targetFramework="net48" /> <package id="Microsoft.Kiota.Authentication.Azure" version="1.16.0" targetFramework="net48" /> <package id="Microsoft.Kiota.Http.HttpClientLibrary" version="1.16.0" targetFramework="net48" /> <package id="Microsoft.Kiota.Serialization.Form" version="1.16.0" targetFramework="net48" /> <package id="Microsoft.Kiota.Serialization.Json" version="1.16.0" targetFramework="net48" /> <package id="Microsoft.Kiota.Serialization.Multipart" version="1.16.0" targetFramework="net48" /> <package id="Microsoft.Kiota.Serialization.Text" version="1.16.0" targetFramework="net48" /> <package id="Microsoft.NETCore.Platforms" version="7.0.4" targetFramework="net48" /> <package id="NETStandard.Library" version="2.0.3" targetFramework="net48" /> <package id="Std.UriTemplate" version="2.0.1" targetFramework="net48" /> <package id="System.Buffers" version="4.6.0" targetFramework="net48" /> <package id="System.ClientModel" version="1.2.1" targetFramework="net48" /> <package id="System.Diagnostics.DiagnosticSource" version="9.0.0" targetFramework="net48" /> <package id="System.IdentityModel.Tokens.Jwt" version="8.3.0" targetFramework="net48" /> <package id="System.IO.FileSystem.AccessControl" version="5.0.0" targetFramework="net48" /> <package id="System.IO.Pipelines" version="9.0.0" targetFramework="net48" /> <package id="System.Memory" version="4.6.0" targetFramework="net48" /> <package id="System.Memory.Data" version="9.0.0" targetFramework="net48" /> <package id="System.Net.Http.WinHttpHandler" version="9.0.0" targetFramework="net48" /> <package id="System.Numerics.Vectors" version="4.6.0" targetFramework="net48" /> <package id="System.Runtime.CompilerServices.Unsafe" version="6.1.0" targetFramework="net48" /> <package id="System.Security.AccessControl" version="6.0.1" targetFramework="net48" /> <package id="System.Security.Claims" version="4.3.0" targetFramework="net48" /> <package id="System.Security.Cryptography.ProtectedData" version="9.0.0" targetFramework="net48" /> <package id="System.Security.Principal.Windows" version="5.0.0" targetFramework="net48" /> <package id="System.Text.Encoding" version="4.3.0" targetFramework="net48" /> <package id="System.Text.Encodings.Web" version="9.0.0" targetFramework="net48" /> <package id="System.Text.Json" version="9.0.0" targetFramework="net48" /> <package id="System.Threading.Tasks.Extensions" version="4.6.0" targetFramework="net48" /> <package id="System.ValueTuple" version="4.5.0" targetFramework="net48" /> <package id="Tavis.UriTemplates" version="2.0.0" targetFramework="net48" /> </packages>

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close labels Jan 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Needs: Attention 👋 Status: Needs investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andrueastman @isPhilo