Disable user mapper for SslStream on Windows#80886
Conversation
|
Tagging subscribers to this area: @dotnet/ncl, @vcsjones Issue DetailsThis is small perf improvement on Windows server connected to AD. Schannel by default (for legacy reasons) tries to resolve user identity by querying AD with provided client certificate. That allows to get user identity and/or server can impersonate the client. This would work if we use QuerySecurityContextToken function to retrieve it. (https://learn.microsoft.com/en-us/windows/win32/secauthn/mapping-certificates) But we don't (and caller cannot either) so this is complete waste. The existing code was attempt to suppress it for the new scenario (as this also changes advertised CAs) and this change will just make it default. This can be re-visited in future if we want to support the scenario (windows only) fixes #78350
|
|
Spanish windows test failures are #74838 |
ghost
locked as resolved and limited conversation to collaborators
4 participants
This is small perf improvement on Windows server connected to AD. Schannel by default (for legacy reasons) tries to resolve user identity by querying AD with provided client certificate. That allows to get user identity and/or server can impersonate the client. This would work if we use QuerySecurityContextToken function to retrieve it. (https://learn.microsoft.com/en-us/windows/win32/secauthn/mapping-certificates) But we don't (and caller cannot either) so this is complete waste.
The existing code was attempt to suppress it for the new scenario (as this also changes advertised CAs) and this change will just make it default. This can be re-visited in future if we want to support the scenario (windows only)
cc: @Tratcher @mconnew
fixes #78350