Fix | Fixed GenerateSspiClientContext to retry negotiation with default port (#2559)

arellegue · mdaigle · commit 8401a77c0cb1 · 2024-06-20T11:17:46.000-07:00
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/NegotiateSSPIContextProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SSPI/NegotiateSSPIContextProvider.cs
@@ -14,13 +14,25 @@ internal sealed class NegotiateSSPIContextProvider : SSPIContextProvider
 
         internal override void GenerateSspiClientContext(ReadOnlyMemory<byte> received, ref byte[] sendBuff, ref uint sendLength, byte[][] _sniSpnBuffer)
         {
-            _negotiateAuth ??= new(new NegotiateAuthenticationClientOptions { Package = "Negotiate", TargetName = Encoding.Unicode.GetString(_sniSpnBuffer[0]) });
-            sendBuff = _negotiateAuth.GetOutgoingBlob(received.Span, out NegotiateAuthenticationStatusCode statusCode)!;
-            SqlClientEventSource.Log.TryTraceEvent("TdsParserStateObjectManaged.GenerateSspiClientContext | Info | Session Id {0}, StatusCode={1}", _physicalStateObj.SessionId, statusCode);
+            NegotiateAuthenticationStatusCode statusCode = NegotiateAuthenticationStatusCode.UnknownCredentials;
+
+            for (int i = 0; i < _sniSpnBuffer.Length; i++)
+            {
+                _negotiateAuth ??= new(new NegotiateAuthenticationClientOptions { Package = "Negotiate", TargetName = Encoding.Unicode.GetString(_sniSpnBuffer[i]) });
+                sendBuff = _negotiateAuth.GetOutgoingBlob(received.Span, out statusCode)!;
+                // Log session id, status code and the actual SPN used in the negotiation
+                SqlClientEventSource.Log.TryTraceEvent("TdsParserStateObjectManaged.GenerateSspiClientContext | Info | Session Id {0}, StatusCode={1}, SPN={2}", _physicalStateObj.SessionId, statusCode, _negotiateAuth.TargetName);
+                if (statusCode == NegotiateAuthenticationStatusCode.Completed || statusCode == NegotiateAuthenticationStatusCode.ContinueNeeded)
+                    break; // Successful case, exit the loop with current SPN.
+                else
+                    _negotiateAuth = null; // Reset _negotiateAuth to be generated again for next SPN.
+            }
+
             if (statusCode is not NegotiateAuthenticationStatusCode.Completed and not NegotiateAuthenticationStatusCode.ContinueNeeded)
             {
                 throw new InvalidOperationException(SQLMessage.SSPIGenerateError() + Environment.NewLine + statusCode);
             }
+
             sendLength = (uint)(sendBuff != null ? sendBuff.Length : 0);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -14,13 +14,25 @@ internal sealed class NegotiateSSPIContextProvider : SSPIContextProvider`
`14`	`14`
`15`	`15`	`internal override void GenerateSspiClientContext(ReadOnlyMemory<byte> received, ref byte[] sendBuff, ref uint sendLength, byte[][] _sniSpnBuffer)`
`16`	`16`	`{`
`17`		`- _negotiateAuth ??= new(new NegotiateAuthenticationClientOptions { Package = "Negotiate", TargetName = Encoding.Unicode.GetString(_sniSpnBuffer[0]) });`
`18`		`- sendBuff = _negotiateAuth.GetOutgoingBlob(received.Span, out NegotiateAuthenticationStatusCode statusCode)!;`
`19`		`- SqlClientEventSource.Log.TryTraceEvent("TdsParserStateObjectManaged.GenerateSspiClientContext \| Info \| Session Id {0}, StatusCode={1}", _physicalStateObj.SessionId, statusCode);`
	`17`	`+ NegotiateAuthenticationStatusCode statusCode = NegotiateAuthenticationStatusCode.UnknownCredentials;`
	`18`	`+`
	`19`	`+ for (int i = 0; i < _sniSpnBuffer.Length; i++)`
	`20`	`+ {`
	`21`	`+ _negotiateAuth ??= new(new NegotiateAuthenticationClientOptions { Package = "Negotiate", TargetName = Encoding.Unicode.GetString(_sniSpnBuffer[i]) });`
	`22`	`+ sendBuff = _negotiateAuth.GetOutgoingBlob(received.Span, out statusCode)!;`
	`23`	`+ // Log session id, status code and the actual SPN used in the negotiation`
	`24`	`+ SqlClientEventSource.Log.TryTraceEvent("TdsParserStateObjectManaged.GenerateSspiClientContext \| Info \| Session Id {0}, StatusCode={1}, SPN={2}", _physicalStateObj.SessionId, statusCode, _negotiateAuth.TargetName);`
	`25`	`+ if (statusCode == NegotiateAuthenticationStatusCode.Completed \|\| statusCode == NegotiateAuthenticationStatusCode.ContinueNeeded)`
	`26`	`+ break; // Successful case, exit the loop with current SPN.`
	`27`	`+ else`
	`28`	`+ _negotiateAuth = null; // Reset _negotiateAuth to be generated again for next SPN.`
	`29`	`+ }`
	`30`	`+`
`20`	`31`	`if (statusCode is not NegotiateAuthenticationStatusCode.Completed and not NegotiateAuthenticationStatusCode.ContinueNeeded)`
`21`	`32`	`{`
`22`	`33`	`throw new InvalidOperationException(SQLMessage.SSPIGenerateError() + Environment.NewLine + statusCode);`
`23`	`34`	`}`
	`35`	`+`
`24`	`36`	`sendLength = (uint)(sendBuff != null ? sendBuff.Length : 0);`
`25`	`37`	`}`
`26`	`38`	`}`