Update Client Authentication EKU Removal Impact Guide and SFE Desktop App Documentation#325
Draft
jagilber wants to merge 6 commits into Azure:master from
…f, remove internal source refs
…, update DigiCert deadline to March 2027, update Chrome Root Program URL
- PowerShell 7.4+ on .NET 8+ uses SocketsHttpHandler internally for Invoke-WebRequest/Invoke-RestMethod, bypassing SChannel EKU filtering. Both IWR and IRM work with server-only EKU certs on PS 7.5.4/.NET 9.0.10. Verified in same-process test: HttpClientHandler returns 403 while Invoke-RestMethod returns 200, proving different code paths.
- Updated compatibility matrix, impact lists, key findings, and platform-specific behavior sections to reflect PS7/.NET 8+ behavior.
- Added SChannel TLS session caching warning - OS-level cache in lsass.exe can cause false positives across processes.
- Fixed Chrome Root Program link (404 -> working URL).
- Fixed sf-client-eku-test.csx ServerCertValidation callback that compared server cert thumbprint to client cert thumbprint, causing all tests to fail when client cert differs from server cert.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…is the single test script Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Feature/eku deep validation
Update Client Authentication EKU Removal Impact Guide and SFE Desktop App Documentation
Summary
Documents the impact of public certificate authorities (Microsoft, DigiCert) removing the Client Authentication EKU (OID: 1.3.6.1.5.5.7.3.2) from public TLS certificates on Service Fabric clusters. Also adds documentation for using Service Fabric Explorer (SFE) desktop application as a workaround.
What Changed
- Problem description and timeline (Microsoft: Sep-Nov 2025, DigiCert: ends May 2026)
- What works (TCP-based connections on port 19000) vs. what is impacted (HTTP-based connections on port 19080)
- SF server-side EKU behavior (SF does not check EKU - the issue is client-side SChannel filtering)
- Managed Identity Token Service (MITS) impact and workarounds
- Azure API Management (APIM) backend connectivity impact
- Recommended mitigations (private PKI certificates, .NET 8+ workarounds, SFE desktop app)
- Certificate troubleshooting guidance with screenshots

service-fabric-explorer-desktop-app.md - Guide for the SFE desktop application:
- Installation and connection setup
- Cluster management features
- Comparison with browser-based SFX

New Script:
- sf-client-eku-test.csx - C# script to test client certificate EKU behavior and validate SChannel certificate selection

New Media:
- Certificate detail screenshots (EKU, subject, certification path, stores)
- SFE desktop app screenshots (cluster overview, node views, service/partition/replica management)
Why
Public CAs (Microsoft, DigiCert) are standardizing TLS certificates to Server Authentication EKU only, per Chrome Root Program policy and CA/Browser Forum requirements. This breaks client certificate authentication for Service Fabric clusters that rely on Windows SChannel (browsers, .NET HttpClientHandler, APIM). This documentation helps customers understand the impact and available workarounds.
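As an added illustration of the behavior the PR documents (this is example code, not code from PR #325 or the repository's sf-client-eku-test.csx), the PowerShell 7 script below first reports whether a client certificate carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) or has no EKU extension at all, then calls the Service Fabric HTTP gateway on port 19080 with that certificate through SocketsHttpHandler (the path the PR's commit message attributes to Invoke-RestMethod on .NET 8+) or, with the switch, through HttpClientHandler, so the two handlers can be compared in the same environment. It pins the server certificate by the cluster certificate's own thumbprint, which is the corrected form of the validation-callback defect the PR fixes. The cluster FQDN and both thumbprints are placeholders, and the script assumes PowerShell 7.4+ on .NET 8+ on Windows; the REST path /$/GetClusterHealth?api-version=6.0 is the Service Fabric cluster health API.

```powershell
# Added example; not part of PR #325 or the repository's sf-client-eku-test.csx.
# Placeholders (not values from the PR): cluster FQDN, expected cluster (server) certificate
# thumbprint, and client certificate thumbprint. Requires PowerShell 7.4+ on .NET 8+ on Windows.
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$ClusterFqdn      = 'mycluster.region.cloudapp.azure.com',  # placeholder
    [string]$ServerThumbprint = 'REPLACE_WITH_CLUSTER_CERT_THUMBPRINT', # placeholder
    [string]$ClientThumbprint = 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT',  # placeholder
    [switch]$UseHttpClientHandler                                       # compare the two .NET handlers
)

$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$EkuExtensionOid = '2.5.29.37'           # id-ce-extKeyUsage

function Get-EkuReport {
    # Reports which EKUs a certificate carries. A certificate with no EKU extension is usable for
    # any purpose (RFC 5280); only certificates that have the extension but lack id-kp-clientAuth
    # are affected by the CA change the PR documents.
    param([X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid } | Select-Object -First 1
    if (-not $ext) {
        return [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; HasEkuExtension = $false
                                  ClientAuth = $true; ServerAuth = $true; Ekus = @() }
    }
    $eku  = if ($ext -is [X509EnhancedKeyUsageExtension]) { $ext } else { [X509EnhancedKeyUsageExtension]::new($ext, $ext.Critical) }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Thumbprint      = $Cert.Thumbprint
        HasEkuExtension = $true
        ClientAuth      = ($oids -contains $ClientAuthOid)
        ServerAuth      = ($oids -contains $ServerAuthOid)
        Ekus            = $oids
    }
}

function Test-SfHttpGateway {
    # Calls GET /$/GetClusterHealth on the HTTP gateway (port 19080) with a client certificate.
    # 200 means the gateway accepted the certificate; 403 means no usable client certificate reached
    # the gateway, which is what the PR reports for HttpClientHandler with a server-only EKU cert.
    param([X509Certificate2]$ClientCert, [string]$Fqdn, [string]$ExpectedServerThumbprint, [switch]$ClientHandler)

    # Pin the *server* certificate to the expected cluster thumbprint. The defect fixed in
    # sf-client-eku-test.csx compared the server certificate to the *client* certificate's
    # thumbprint, which only passes when both are the same certificate.
    $pin = {
        param($sender, $certificate, $chain, $errors)
        return ([X509Certificate2]::new($certificate)).Thumbprint -eq $ExpectedServerThumbprint
    }.GetNewClosure()

    if ($ClientHandler) {
        $handler = [System.Net.Http.HttpClientHandler]::new()
        $null = $handler.ClientCertificates.Add($ClientCert)
        $handler.ServerCertificateCustomValidationCallback = $pin
    } else {
        $handler = [System.Net.Http.SocketsHttpHandler]::new()
        $handler.SslOptions.ClientCertificates = [X509Certificate2Collection]::new($ClientCert)
        $handler.SslOptions.RemoteCertificateValidationCallback = $pin
    }

    $client = [System.Net.Http.HttpClient]::new($handler)
    $uri = "https://${Fqdn}:19080/`$/GetClusterHealth?api-version=6.0"
    try {
        $response = $client.GetAsync($uri).GetAwaiter().GetResult()
        [pscustomobject]@{
            Handler    = $handler.GetType().Name
            StatusCode = [int]$response.StatusCode
            Body       = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()
        }
    } catch {
        [pscustomobject]@{ Handler = $handler.GetType().Name; StatusCode = $null; Body = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

# The PR's commit message notes that SChannel caches TLS sessions OS-wide in lsass.exe, so a
# session resumed from an earlier successful handshake can mask a failure; run this script in a
# fresh process for a clean result.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $ClientThumbprint -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "Client certificate $ClientThumbprint with a private key was not found in Cert:\CurrentUser\My" }

Get-EkuReport -Cert $cert | Format-List
Test-SfHttpGateway -ClientCert $cert -Fqdn $ClusterFqdn -ExpectedServerThumbprint $ServerThumbprint -ClientHandler:$UseHttpClientHandler | Format-List
```

Running the script twice, once with and once without -UseHttpClientHandler, reproduces the comparison the PR's commit message describes (403 from HttpClientHandler versus 200 from the SocketsHttpHandler path) for the certificate in hand, and the EKU report shows whether that certificate is one the CA change affects in the first place.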