This repository has been archived by the owner on Jan 23, 2023. It is now read-only.
Use HTTP Host header for Kerberos auth SPN calculation #38465
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixed SocketsHttpHandler so that it will use the request's Host header, if present, as part of building the Service Principal Name (SPN) when doing Kerberos authentication. This now matches .NET Framework behavior. Contributes to #34697 and #27745
davidsh
added
tenet-compatibility
|
/azp run |
|
Azure Pipelines successfully started running 4 pipeline(s). |
wfurt
reviewed
Jun 11, 2019
| { | ||
| spn = authUri.IdnHost; | ||
| // Use the host name without any normalization. |
There was a problem hiding this comment.
if not FQDN, Kerberos libraries would fall back to default domain? (or fail)
There was a problem hiding this comment.
Not necessarily. In general a short name could be part of an SPN definition. On Windows we frequently see multiple SPNs registered such as "HTTP/myhost" and "HTTP/myhost.contoso.com".
Linux Kerberos is more complicated because it uses the KRB5.CONF file. And at the OS Linux layer there is additional transformation including another FQDN (and possible reverse IP) pass.
Right now, this PR is trying to get us closer to .NET Framework behavior at least on the managed layer. The additional issues I referenced above are about making this even better with more granular control down through the OS layer. That is future work.
stephentoub
reviewed
Jun 12, 2019
| if (NetEventSource.IsEnabled) | ||
| { | ||
| NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, Host: {authUri.IdnHost}, SPN: {spn}"); | ||
| NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, SPN: {spn}"); |
There was a problem hiding this comment.
Could we just have one NetEventSource.Info call that logs uri, hostname, and spn, rather than three separate ones?
There was a problem hiding this comment.
I had separate calls because I was trying to capture the logic of how the SPN was assembled (i.e. host header present or not, DNS resolution, etc.). But you raise a good point that we now have too many separate log entries for this.
I'll submit a follow-up PR to try to address this.
|
I guess the "v3.0.0-preview6" tag is bogus, because this change is not in the official preview 6 builds 😢 |
I'm not sure what tag you are referring to. I don't see that tag on this issue. This fix should be in the Preview 7 which should be released this month. |
|
I was referring to the git repo tag. That git repo tag is not in sync with the actual build. Probably "v3.0.0-preview6.19303.8" is the real one. Anyway, I downloaded the latest daily SDK build and tested. This change works as advertised. Thanks david. |
davidsh
added a commit
to davidsh/corefx
that referenced
this pull request
Jul 31, 2019
Issue #39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR dotnet#38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes #39887
davidsh
added a commit
that referenced
this pull request
Aug 1, 2019
Issue #39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR #38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes #39887
davidsh
added a commit
to davidsh/corefx
that referenced
this pull request
Aug 2, 2019
Issue #39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR dotnet#38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes #39887
wtgodbe
pushed a commit
that referenced
this pull request
Aug 5, 2019
…9981) Issue #39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR #38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes #39887
davidsh
pushed a commit
to davidsh/corefx
that referenced
this pull request
Aug 7, 2019
This PR ports some important Kerberos auth fixes from the 3.0 to 2.1 LTS branch. These fixes help enterprise customers that have complex Kerberos authentication scenarios that involve cross Windows (Active Directory) and Linux (Kerberos) domains/realms. These fixes are from PRs: * dotnet#38465 - Use 'Host' header when calculating SPN for Kerberos auth * dotnet#38377 - Use GSS_C_NT_HOSTBASED_SERVICE format for Linux Kerberos SPN and are related to issue dotnet#36329.
danmoseley
pushed a commit
that referenced
this pull request
Aug 8, 2019
This PR ports some important Kerberos auth fixes from the 3.0 to 2.1 LTS branch. These fixes help enterprise customers that have complex Kerberos authentication scenarios that involve cross Windows (Active Directory) and Linux (Kerberos) domains/realms. These fixes are from PRs: * #38465 - Use 'Host' header when calculating SPN for Kerberos auth * #38377 - Use GSS_C_NT_HOSTBASED_SERVICE format for Linux Kerberos SPN and are related to issue #36329.
wtgodbe
pushed a commit
that referenced
this pull request
Aug 8, 2019
* Update BuildTools to rc1-04230-01 * Port Kerberos auth fixes to 2.1 branch (#40109) This PR ports some important Kerberos auth fixes from the 3.0 to 2.1 LTS branch. These fixes help enterprise customers that have complex Kerberos authentication scenarios that involve cross Windows (Active Directory) and Linux (Kerberos) domains/realms. These fixes are from PRs: * #38465 - Use 'Host' header when calculating SPN for Kerberos auth * #38377 - Use GSS_C_NT_HOSTBASED_SERVICE format for Linux Kerberos SPN and are related to issue #36329.
picenka21
pushed a commit
to picenka21/runtime
that referenced
this pull request
Feb 18, 2022
…#38465) Fixed SocketsHttpHandler so that it will use the request's Host header, if present, as part of building the Service Principal Name (SPN) when doing Kerberos authentication. This now matches .NET Framework behavior. Contributes to dotnet/corefx#34697 and dotnet/corefx#27745 Commit migrated from dotnet/corefx@6cb8546
picenka21
pushed a commit
to picenka21/runtime
that referenced
this pull request
Feb 18, 2022
…fx#39933) Issue dotnet/corefx#39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR dotnet/corefx#38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes dotnet/corefx#39887 Commit migrated from dotnet/corefx@85f30cc
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixed SocketsHttpHandler so that it will use the request's Host header,
if present, as part of building the Service Principal Name (SPN) when
doing Kerberos authentication. This now matches .NET Framework behavior.
Contributes to #34697 and #27745