fallback

BrennanConroy · BrennanConroy · commit 94a9634080e7 · 2025-03-18T16:06:12.000-07:00
diff --git a/src/Servers/IIS/AspNetCoreModuleV2/InProcessRequestHandler/managedexports.cpp b/src/Servers/IIS/AspNetCoreModuleV2/InProcessRequestHandler/managedexports.cpp
@@ -516,7 +516,13 @@ http_get_authentication_information(
 )
 {
     *pstrAuthType = SysAllocString(pInProcessHandler->QueryHttpContext()->GetUser()->GetAuthenticationType());
-    *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetImpersonationToken();
+    // prefer GetPrimaryToken over GetImpersonationToken as that's what we've been using since before .NET 10
+    // we'll fallback to GetImpersonationToken if GetPrimaryToken is not available
+    *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetPrimaryToken();
+    if (*pvToken == nullptr)
+    {
+        *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetImpersonationToken();
+    }
 
     return S_OK;
 }
diff --git a/src/Servers/IIS/AspNetCoreModuleV2/OutOfProcessRequestHandler/forwardinghandler.cpp b/src/Servers/IIS/AspNetCoreModuleV2/OutOfProcessRequestHandler/forwardinghandler.cpp
@@ -819,12 +819,20 @@ FORWARDING_HANDLER::GetHeaders(
         (_wcsicmp(m_pW3Context->GetUser()->GetAuthenticationType(), L"negotiate") == 0 ||
             _wcsicmp(m_pW3Context->GetUser()->GetAuthenticationType(), L"ntlm") == 0))
     {
-        HANDLE impersonationToken = m_pW3Context->GetUser()->GetImpersonationToken();
-        if (impersonationToken != nullptr &&
-            impersonationToken != INVALID_HANDLE_VALUE)
+        // prefer GetPrimaryToken over GetImpersonationToken as that's what we've been using since before .NET 10
+        // we'll fallback to GetImpersonationToken if GetPrimaryToken is not available
+        HANDLE authToken = m_pW3Context->GetUser()->GetPrimaryToken();
+        if (authToken == nullptr ||
+            authToken == INVALID_HANDLE_VALUE)
+        {
+            authToken = m_pW3Context->GetUser()->GetImpersonationToken();
+        }
+
+        if (authToken != nullptr &&
+            authToken != INVALID_HANDLE_VALUE)
         {
             HANDLE hTargetTokenHandle = nullptr;
-            RETURN_IF_FAILED(pServerProcess->SetWindowsAuthToken(impersonationToken,
+            RETURN_IF_FAILED(pServerProcess->SetWindowsAuthToken(authToken,
                 &hTargetTokenHandle));
 
             //

Original file line number	Diff line number	Diff line change
`@@ -516,7 +516,13 @@ http_get_authentication_information(`
`516`	`516`	`)`
`517`	`517`	`{`
`518`	`518`	`*pstrAuthType = SysAllocString(pInProcessHandler->QueryHttpContext()->GetUser()->GetAuthenticationType());`
`519`		`- *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetImpersonationToken();`
	`519`	`+ // prefer GetPrimaryToken over GetImpersonationToken as that's what we've been using since before .NET 10`
	`520`	`+ // we'll fallback to GetImpersonationToken if GetPrimaryToken is not available`
	`521`	`+ *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetPrimaryToken();`
	`522`	`+ if (*pvToken == nullptr)`
	`523`	`+ {`
	`524`	`+ *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetImpersonationToken();`
	`525`	`+ }`
`520`	`526`
`521`	`527`	`return S_OK;`
`522`	`528`	`}`