-
Notifications
You must be signed in to change notification settings - Fork 4.9k
Use HTTP Host header for Kerberos auth SPN calculation #38465
Conversation
Fixed SocketsHttpHandler so that it will use the request's Host header, if present, as part of building the Service Principal Name (SPN) when doing Kerberos authentication. This now matches .NET Framework behavior. Contributes to #34697 and #27745
/azp run |
Azure Pipelines successfully started running 4 pipeline(s). |
{ | ||
spn = authUri.IdnHost; | ||
// Use the host name without any normalization. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if not FQDN, Kerberos libraries would fall back to default domain? (or fail)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not necessarily. In general a short name could be part of an SPN definition. On Windows we frequently see multiple SPNs registered such as "HTTP/myhost" and "HTTP/myhost.contoso.com".
Linux Kerberos is more complicated because it uses the KRB5.CONF file. And at the OS Linux layer there is additional transformation including another FQDN (and possible reverse IP) pass.
Right now, this PR is trying to get us closer to .NET Framework behavior at least on the managed layer. The additional issues I referenced above are about making this even better with more granular control down through the OS layer. That is future work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for explanation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
if (NetEventSource.IsEnabled) | ||
{ | ||
NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, Host: {authUri.IdnHost}, SPN: {spn}"); | ||
NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, SPN: {spn}"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we just have one NetEventSource.Info call that logs uri, hostname, and spn, rather than three separate ones?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had separate calls because I was trying to capture the logic of how the SPN was assembled (i.e. host header present or not, DNS resolution, etc.). But you raise a good point that we now have too many separate log entries for this.
I'll submit a follow-up PR to try to address this.
I guess the "v3.0.0-preview6" tag is bogus, because this change is not in the official preview 6 builds 😢 |
I'm not sure what tag you are referring to. I don't see that tag on this issue. This fix should be in the Preview 7 which should be released this month. |
I was referring to the git repo tag. That git repo tag is not in sync with the actual build. Probably "v3.0.0-preview6.19303.8" is the real one. Anyway, I downloaded the latest daily SDK build and tested. This change works as advertised. Thanks david. |
Issue #39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR dotnet#38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes #39887
Issue #39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR #38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes #39887
Issue #39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR dotnet#38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes #39887
…9981) Issue #39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR #38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes #39887
This PR ports some important Kerberos auth fixes from the 3.0 to 2.1 LTS branch. These fixes help enterprise customers that have complex Kerberos authentication scenarios that involve cross Windows (Active Directory) and Linux (Kerberos) domains/realms. These fixes are from PRs: * dotnet#38465 - Use 'Host' header when calculating SPN for Kerberos auth * dotnet#38377 - Use GSS_C_NT_HOSTBASED_SERVICE format for Linux Kerberos SPN and are related to issue dotnet#36329.
This PR ports some important Kerberos auth fixes from the 3.0 to 2.1 LTS branch. These fixes help enterprise customers that have complex Kerberos authentication scenarios that involve cross Windows (Active Directory) and Linux (Kerberos) domains/realms. These fixes are from PRs: * #38465 - Use 'Host' header when calculating SPN for Kerberos auth * #38377 - Use GSS_C_NT_HOSTBASED_SERVICE format for Linux Kerberos SPN and are related to issue #36329.
* Update BuildTools to rc1-04230-01 * Port Kerberos auth fixes to 2.1 branch (#40109) This PR ports some important Kerberos auth fixes from the 3.0 to 2.1 LTS branch. These fixes help enterprise customers that have complex Kerberos authentication scenarios that involve cross Windows (Active Directory) and Linux (Kerberos) domains/realms. These fixes are from PRs: * #38465 - Use 'Host' header when calculating SPN for Kerberos auth * #38377 - Use GSS_C_NT_HOSTBASED_SERVICE format for Linux Kerberos SPN and are related to issue #36329.
…#38465) Fixed SocketsHttpHandler so that it will use the request's Host header, if present, as part of building the Service Principal Name (SPN) when doing Kerberos authentication. This now matches .NET Framework behavior. Contributes to dotnet/corefx#34697 and dotnet/corefx#27745 Commit migrated from dotnet/corefx@6cb8546
…fx#39933) Issue dotnet/corefx#39887 reported that proxy authentication with 'Negotiate' scheme broke between .NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM, it should always use SPNEGO if possible. And many enterprises have a setting which requires it and rejects NTLM protocol. This issue was caused by PR dotnet/corefx#38465 which fixed some other SPN issues with Kerberos authentication. That PR regressed the SPN calculation for the proxy authentication by using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used instead of SPNEGO. The fix is to check if proxy authentication is being used instead of server authentication. If so, it ignores any 'Host' header and always will use the uri, which in this case is the uri of the proxy server. This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in CI because they require machine configuration to register SPNs in a Windows Active Directory environment. This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline enterprise scenario. Fixes dotnet/corefx#39887 Commit migrated from dotnet/corefx@85f30cc
Fixed SocketsHttpHandler so that it will use the request's Host header,
if present, as part of building the Service Principal Name (SPN) when
doing Kerberos authentication. This now matches .NET Framework behavior.
Contributes to #34697 and #27745