This repository has been archived by the owner on Jan 23, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 4.9k
Use HTTP Host header for Kerberos auth SPN calculation #38465
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -76,32 +76,50 @@ private static async Task<HttpResponseMessage> SendWithNtAuthAsync(HttpRequestMe | |
needDrain = false; | ||
} | ||
|
||
string challengeData = challenge.ChallengeData; | ||
if (NetEventSource.IsEnabled) | ||
{ | ||
NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, Uri: {authUri.AbsoluteUri.ToString()}"); | ||
} | ||
|
||
// Need to use FQDN normalized host so that CNAME's are traversed. | ||
// Use DNS to do the forward lookup to an A (host) record. | ||
// But skip DNS lookup on IP literals. Otherwise, we would end up | ||
// doing an unintended reverse DNS lookup. | ||
string spn; | ||
UriHostNameType hnt = authUri.HostNameType; | ||
if (hnt == UriHostNameType.IPv6 || hnt == UriHostNameType.IPv4) | ||
// Calculate SPN (Service Principal Name) using the host name of the request. | ||
// Use the request's 'Host' header if available. Otherwise, use the request uri. | ||
string hostName; | ||
if (request.HasHeaders && request.Headers.Host != null) | ||
{ | ||
spn = authUri.IdnHost; | ||
// Use the host name without any normalization. | ||
hostName = request.Headers.Host; | ||
if (NetEventSource.IsEnabled) | ||
{ | ||
NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, Host: {hostName}"); | ||
} | ||
} | ||
else | ||
{ | ||
IPHostEntry result = await Dns.GetHostEntryAsync(authUri.IdnHost).ConfigureAwait(false); | ||
spn = result.HostName; | ||
// Need to use FQDN normalized host so that CNAME's are traversed. | ||
// Use DNS to do the forward lookup to an A (host) record. | ||
// But skip DNS lookup on IP literals. Otherwise, we would end up | ||
// doing an unintended reverse DNS lookup. | ||
UriHostNameType hnt = authUri.HostNameType; | ||
if (hnt == UriHostNameType.IPv6 || hnt == UriHostNameType.IPv4) | ||
{ | ||
hostName = authUri.IdnHost; | ||
} | ||
else | ||
{ | ||
IPHostEntry result = await Dns.GetHostEntryAsync(authUri.IdnHost).ConfigureAwait(false); | ||
hostName = result.HostName; | ||
} | ||
} | ||
spn = "HTTP/" + spn; | ||
|
||
string spn = "HTTP/" + hostName; | ||
if (NetEventSource.IsEnabled) | ||
{ | ||
NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, Host: {authUri.IdnHost}, SPN: {spn}"); | ||
NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, SPN: {spn}"); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could we just have one NetEventSource.Info call that logs uri, hostname, and spn, rather than three separate ones? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I had separate calls because I was trying to capture the logic of how the SPN was assembled (i.e. host header present or not, DNS resolution, etc.). But you raise a good point that we now have too many separate log entries for this. I'll submit a follow-up PR to try to address this. |
||
} | ||
|
||
ChannelBinding channelBinding = connection.TransportContext?.GetChannelBinding(ChannelBindingKind.Endpoint); | ||
NTAuthentication authContext = new NTAuthentication(isServer:false, challenge.SchemeName, challenge.Credential, spn, ContextFlagsPal.Connection, channelBinding); | ||
string challengeData = challenge.ChallengeData; | ||
try | ||
{ | ||
while (true) | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if not FQDN, Kerberos libraries would fall back to default domain? (or fail)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not necessarily. In general a short name could be part of an SPN definition. On Windows we frequently see multiple SPNs registered such as "HTTP/myhost" and "HTTP/myhost.contoso.com".
Linux Kerberos is more complicated because it uses the KRB5.CONF file. And at the OS Linux layer there is additional transformation including another FQDN (and possible reverse IP) pass.
Right now, this PR is trying to get us closer to .NET Framework behavior at least on the managed layer. The additional issues I referenced above are about making this even better with more granular control down through the OS layer. That is future work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for explanation.