System.Security.Principal.Windows outerloop tests fail if run as non-admin #58207

Closed
Tracked by #64488
stephentoub opened this issue Aug 26, 2021 · 5 comments
Labels
area-System.Security test-bug Problem in test source code (most likely)

@stephentoub
Member

    Discovering: System.Security.Principal.Windows.Tests (method display = ClassAndMethod, method display options = None)
    Discovered:  System.Security.Principal.Windows.Tests (found 30 test cases)
    Starting:    System.Security.Principal.Windows.Tests (parallel test collections = on, max threads = 12)
      WindowsIdentityImpersonatedTests.RunImpersonated_NameResolution [FAIL]
        System.AggregateException : One or more errors occurred. (Failed to get SafeAccessTokenHandle for test account CorFxTstWiIde01kiu) (The following constructor parameters did not have matching fixture data: WindowsIdentityFixture windowsIdentityFixture)
        ---- System.Exception : Failed to get SafeAccessTokenHandle for test account CorFxTstWiIde01kiu
        -------- System.ComponentModel.Win32Exception : The user name or password is incorrect.
        ---- The following constructor parameters did not have matching fixture data: WindowsIdentityFixture windowsIdentityFixture
        Stack Trace:

          ----- Inner Stack Trace #1 (System.Exception) -----
          D:\repos\runtime\src\libraries\System.Security.Principal.Windows\tests\WindowsIdentityImpersonatedTests.netcoreapp.cs(171,0): at WindowsTestAccount.CreateUser()
          D:\repos\runtime\src\libraries\System.Security.Principal.Windows\tests\WindowsIdentityImpersonatedTests.netcoreapp.cs(125,0): at WindowsTestAccount..ctor(String userName)
          D:\repos\runtime\src\libraries\System.Security.Principal.Windows\tests\WindowsIdentityImpersonatedTests.netcoreapp.cs(106,0): at WindowsIdentityFixture..ctor()
          ----- Inner Stack Trace -----

          ----- Inner Stack Trace #2 (Xunit.Sdk.TestClassException) -----

      WindowsIdentityImpersonatedTests.RunImpersonatedAsync_TaskAndTaskOfT [FAIL]
        System.AggregateException : One or more errors occurred. (Failed to get SafeAccessTokenHandle for test account CorFxTstWiIde01kiu) (The following constructor parameters did not have matching fixture data: WindowsIdentityFixture windowsIdentityFixture)
        ---- System.Exception : Failed to get SafeAccessTokenHandle for test account CorFxTstWiIde01kiu
        -------- System.ComponentModel.Win32Exception : The user name or password is incorrect.
        ---- The following constructor parameters did not have matching fixture data: WindowsIdentityFixture windowsIdentityFixture
        Stack Trace:

          ----- Inner Stack Trace #1 (System.Exception) -----
          D:\repos\runtime\src\libraries\System.Security.Principal.Windows\tests\WindowsIdentityImpersonatedTests.netcoreapp.cs(171,0): at WindowsTestAccount.CreateUser()
          D:\repos\runtime\src\libraries\System.Security.Principal.Windows\tests\WindowsIdentityImpersonatedTests.netcoreapp.cs(125,0): at WindowsTestAccount..ctor(String userName)
          D:\repos\runtime\src\libraries\System.Security.Principal.Windows\tests\WindowsIdentityImpersonatedTests.netcoreapp.cs(106,0): at WindowsIdentityFixture..ctor()
          ----- Inner Stack Trace -----

          ----- Inner Stack Trace #2 (Xunit.Sdk.TestClassException) -----

        System.AggregateException : One or more errors occurred. (Failed to get SafeAccessTokenHandle for test account CorFxTstWiIde01kiu) (The following constructor parameters did not have matching fixture data: WindowsIdentityFixture windowsIdentityFixture)
        ---- System.Exception : Failed to get SafeAccessTokenHandle for test account CorFxTstWiIde01kiu
      WindowsIdentityImpersonatedTests.RunImpersonatedAsync_NameResolution [FAIL]
        -------- System.ComponentModel.Win32Exception : The user name or password is incorrect.
        ---- The following constructor parameters did not have matching fixture data: WindowsIdentityFixture windowsIdentityFixture
        Stack Trace:

          ----- Inner Stack Trace #1 (System.Exception) -----
          D:\repos\runtime\src\libraries\System.Security.Principal.Windows\tests\WindowsIdentityImpersonatedTests.netcoreapp.cs(171,0): at WindowsTestAccount.CreateUser()
          D:\repos\runtime\src\libraries\System.Security.Principal.Windows\tests\WindowsIdentityImpersonatedTests.netcoreapp.cs(125,0): at WindowsTestAccount..ctor(String userName)
          D:\repos\runtime\src\libraries\System.Security.Principal.Windows\tests\WindowsIdentityImpersonatedTests.netcoreapp.cs(106,0): at WindowsIdentityFixture..ctor()
          ----- Inner Stack Trace -----

          ----- Inner Stack Trace #2 (Xunit.Sdk.TestClassException) -----

      WellKnownSidTypeTests.CanCreateSecurityIdentifierFromWellKnownSidType_Netcoreapp [SKIP]
        Condition(s) not met: "AccountIsDomainJoined"
      WellKnownSidTypeTests.CanCreateSecurityIdentifierFromWellKnownSidType [SKIP]
        Condition(s) not met: "AccountIsDomainJoined"
    Finished:    System.Security.Principal.Windows.Tests
  === TEST EXECUTION SUMMARY ===
     System.Security.Principal.Windows.Tests  Total: 32, Errors: 0, Failed: 3, Skipped: 2, Time: 0.479s
  ----- end Thu 08/26/2021 15:16:56.86 ----- exit code 1 ----------------------------------------------------------
@stephentoub stephentoub added area-System.Security test-bug Problem in test source code (most likely) labels Aug 26, 2021
@stephentoub stephentoub added this to the 7.0.0 milestone Aug 26, 2021
@ghost
ghost commented Aug 26, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Aug 26, 2021
@ryank425

All of those corresponding exceptions go to

    if (!LogonUser(_userName, ".", testAccountPassword, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out _accountTokenHandle))
    {
        _accountTokenHandle = null;
        throw new Exception($"Failed to get SafeAccessTokenHandle for test account {_userName}", new Win32Exception());
    }

And LogonUser ... calls the following function

    BOOL LogonUserA(
      LPCSTR  lpszUsername,
      LPCSTR  lpszDomain,
      LPCSTR  lpszPassword,
      DWORD   dwLogonType,
      DWORD   dwLogonProvider,
      PHANDLE phToken
    );

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera

The account specified by lpszUsername, must have the necessary account rights. For example, to log on a user with the LOGON32_LOGON_INTERACTIVE flag, the user (or a group to which the user belongs) must have the SE_INTERACTIVE_LOGON_NAME account right. For a list of the account rights that affect the various logon operations, see Account Rights Constants.

So, SeInteractiveLogonRight is required.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-locally

My guess is that the user account that the test is running doesn't have this right.
It might be due to the Best Practices listed on the doc

1. Restrict this user right to legitimate users who must log on to the console of the device.
2. If you selectively remove default groups, you can limit the abilities of users who are assigned to specific administrative roles in your organization.

@jeffschwMSFT jeffschwMSFT removed the untriaged New issue has not been triaged by the area owner label Aug 27, 2021
@danmoseley
Member

@krwq I think we have no protection against tests that require admin, right? as test runs are all run elevated.

@vcsjones
Member

Sometimes we guard tests with PlatformDetection.IsWindowsAndElevated (we do this in CNG tests, at least). Perhaps that would be a suitable solution for these outer loop tests.

@vcsjones
Member

It looks like this got fixed by #62559. The failing tests are now conditioned on PlatformDetection.CanRunImpersonatedTests which checks to see if we're elevated.

Given that, I think this can be closed.
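
The elevation guard and the `LogonUser` call discussed in this thread, combined into a stand-alone preflight check that reports a skip instead of a failure when the process is not elevated (an added example, not code from dotnet/runtime). The `IsWindowsAndElevated` helper written here and the `TEST_ACCOUNT_NAME` / `TEST_ACCOUNT_PASSWORD` environment variables are assumptions for illustration; the two Win32 error codes are the documented values.

```csharp
// Added example, not dotnet/runtime code. TEST_ACCOUNT_NAME and TEST_ACCOUNT_PASSWORD
// are assumed environment variables naming a local account provisioned for testing.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class ImpersonationPreflight
{
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_LOGON_FAILURE = 1326;          // "The user name or password is incorrect."
    const int ERROR_LOGON_TYPE_NOT_GRANTED = 1385; // account not granted this logon type

    [DllImport("advapi32.dll", EntryPoint = "LogonUserW", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Hypothetical stand-in for an elevation condition: Windows, and an elevated token.
    static bool IsWindowsAndElevated()
    {
        if (!OperatingSystem.IsWindows()) return false;
        using WindowsIdentity current = WindowsIdentity.GetCurrent();
        return new WindowsPrincipal(current).IsInRole(WindowsBuiltInRole.Administrator);
    }

    static int Main()
    {
        // An unmet precondition is reported as a skip (exit code 0), not as a test failure.
        if (!IsWindowsAndElevated()) { Console.WriteLine("SKIP: requires an elevated Windows process"); return 0; }
        var user = Environment.GetEnvironmentVariable("TEST_ACCOUNT_NAME");
        var password = Environment.GetEnvironmentVariable("TEST_ACCOUNT_PASSWORD");
        if (user is null || password is null) { Console.WriteLine("SKIP: test account not configured"); return 0; }

        if (!LogonUser(user, ".", password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
                out SafeAccessTokenHandle token))
        {
            int error = Marshal.GetLastWin32Error(); // read immediately after the failed call
            Console.WriteLine(error switch
            {
                ERROR_LOGON_FAILURE => "FAIL 1326: account does not exist or the password is wrong",
                ERROR_LOGON_TYPE_NOT_GRANTED => "FAIL 1385: account lacks the interactive logon right",
                _ => $"FAIL {error}: LogonUser failed",
            });
            return 1;
        }
        using (token) // close the token handle once the impersonated call returns
            Console.WriteLine("PASS: ran as " + WindowsIdentity.RunImpersonated(token, () => WindowsIdentity.GetCurrent().Name));
        return 0;
    }
}
```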

@ghost ghost locked as resolved and limited conversation to collaborators Feb 18, 2023