HttpClient UseDefaultCredentials Get with kerberos auth server sends NTLM

[NathanielACollier]

Description

With netcoreapp3.1 the following code will send Kerberos to the web server. Switching the application to .net 5.0 causes NTLM to be sent. The web server is a IBM i Apache, with kerberos configured. The server does not have NTLM, so the code fails.

Configuration

Running .net 5.0 on a Windows 10 machine
Connecting to an IBM i Apache Web server with kerberos enabled

Regression?

This code works if you switch the project to build netcoreapp3.1 and it fails if you switch it to .net 5.0

Other information

Here is the code that fails

        static async Task Main(string[] args)
        {
            var url = "https://myIBMi.myDomain.com/api.php?task=getUser";

            var http = new System.Net.Http.HttpClient(new HttpClientHandler()
            {
                UseDefaultCredentials = true
            });

            var result = await http.GetAsync(url);
            string responseText = await result.Content.ReadAsStringAsync();
            
            Console.WriteLine(responseText);
        }
    }

netcoreapp3.1 calling the code

• Using fiddler I've captured the raw request and response
• Initial Request

GET https://myIBMi.myDomain.com/api.php?task=getUser
HTTP/1.1
Host: myIBMi.myDomain.com:451

• Initial Response

HTTP/1.1 401 Unauthorized
Date: Thu, 22 Apr 2021 17:58:09 GMT
Server: Apache
WWW-Authenticate: Negotiate
Content-Length: 205
Connection: close
Content-Type: text/html; charset=UTF-8
Proxy-Support: Session-Based-Authentication

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>401 Authorization Required</TITLE>
</HEAD><BODY>
<H1>Authorization Required</H1>
Unauthorized - authentication failed.
</body></html>

• Request to the unauthorized response
  • I abreviated the kerberos ticket information below

GET https://myIBMi.myDomain.com/api.php?task=getUser
HTTP/1.1
Host: myIBMi.myDomain.com:451
Authorization: Negotiate YIII8gYGKwYBB....

• Then the response is a success. Not sure it's important to show that part.

change the project to .net 5.0

• Initial Request

GET https://myIBMi.myDomain.com/api.php?task=getUser
HTTP/1.1
Host: myIBMi.myDomain.com:451

• Initial Response

HTTP/1.1 401 Unauthorized
Date: Thu, 22 Apr 2021 18:10:57 GMT
Server: Apache
WWW-Authenticate: Negotiate
Content-Length: 205
Connection: close
Content-Type: text/html; charset=UTF-8
Proxy-Support: Session-Based-Authentication

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>401 Authorization Required</TITLE>
</HEAD><BODY>
<H1>Authorization Required</H1>
Unauthorized - authentication failed.
</body></html>

• Request to respond to initial response
  • I have edited it to not show the full ntlm value

GET https://myIBMi.myDomain.com/api.php?task=getUser 
HTTP/1.1
Host: myIBMi.myDomain.com:451
Authorization: Negotiate TlRMTVNTUA....

[xqrzd]

I've also had this same problem with .NET 5. HttpClient Kerberos authentication works for IIS sites, but fails for PrestoDB and WebHDFS. Both work in .NET Core 3.1.

[mrducnguyen]

I'm having the same problem I think. Our application is a console application.

Configuration

• Client: Console application consuming REST API using HttpClient
• Server: Objective Application Server 10.5.4.3

Regression

• Working on .netcoreapp3.1
• Failing on .net5.0 (authentication failed)

The Project I'm working on is consuming REST API from Objective ECM system. It's been working using default credential authentication on .Net Core 3.1

When I changed the project to target .Net 5.0, the authentication failed.

Below is the details request/response headers (using Fiddler to capture them)

Targeting .netcoreapp3.1

Initial request

GET https://aaaa/api/resources/folders/fA702245 HTTP/1.1
Host: aaaa
Accept: application/json, */*

Initial response

HTTP/1.1 401 Unauthorized
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: JSESSIONID=aaaa; path=/api; secure; HttpOnly
Server: Objective Application Server 10.5.4.3(84468)
Pragma: no-cache
Date: Mon, 26 Apr 2021 01:46:33 GMT
Connection: keep-alive
WWW-Authenticate: Negotiate
Strict-Transport-Security: max-age=300; includeSubDomains
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 71
Proxy-Support: Session-Based-Authentication

Subsequence request

GET https://aaaa/api/resources/folders/fA702245 HTTP/1.1
Host: aaaa
Accept: application/json, */*
Authorization: Negotiate YIIHPAYGKw...
Cookie: JSESSIONID=aaaa

Subsequence response

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
Server: Objective Application Server 10.5.4.3(84468)
Date: Mon, 26 Apr 2021 01:46:33 GMT
Connection: keep-alive

Targeting .net5.0

Initial request

GET https://aaaa/api/resources/folders/fA702245 HTTP/1.1
Host: aaaa
Accept: application/json, */*

Initial response

HTTP/1.1 401 Unauthorized
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: JSESSIONID=aaaa; path=/api; secure; HttpOnly
Server: Objective Application Server 10.5.4.3(84468)
Pragma: no-cache
Date: Mon, 26 Apr 2021 01:46:33 GMT
Connection: keep-alive
WWW-Authenticate: Negotiate
Strict-Transport-Security: max-age=300; includeSubDomains
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 71
Proxy-Support: Session-Based-Authentication

Subsequence request

GET https://aaaa/api/resources/folders/fA702245 HTTP/1.1
Host: aaaa
Accept: application/json, */*
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKADk4AAAADw==
Cookie: JSESSIONID=aaaa

Subsequence response

HTTP/1.1 401 Unauthorized
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
Server: Objective Application Server 10.5.4.3(84468)
Pragma: no-cache
Date: Mon, 26 Apr 2021 01:47:11 GMT
Connection: keep-alive
WWW-Authenticate: Negotiate
Strict-Transport-Security: max-age=300; includeSubDomains
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 71
Proxy-Support: Session-Based-Authentication

I did a lot of searching and it seems like HttpClient was trying to do the handshaking with the server, using NTLMSSP and looked like the server didn't support that.

Is there any workaround in this situation? As we have absolutely no control on the server side to change anything...

The piece of codes to setup HttpClient is very simple

            var handler = new HttpClientHandler() {
                UseDefaultCredentials = true,
                // below is for Fiddler capture
                // UseProxy = true,
                // Proxy = new WebProxy("http://127.0.0.1:8888", false)
            };

            _httpClient = new HttpClient(handler);

            _httpClient.DefaultRequestHeaders.Accept
                .Add(new MediaTypeWithQualityHeaderValue("application/json"));
            _httpClient.DefaultRequestHeaders.Accept
                .Add(new MediaTypeWithQualityHeaderValue("*/*"));

[danmoseley]

@wfurt

[wfurt]

can you check what SPN is used? This would happen when there is SPN mismatch. The decision really comes from GSSAPI. Some of the example above suggest you have non standard port? Host: myIBMi.myDomain.com:451 ? Make sure you have proper SPN for that.

The other part to check would be DNS name. Is your myIBMi.myDomain.com A record or is it CNAME pointing to some other name?

[mrducnguyen]

can you check what SPN is used? This would happen when there is SPN mismatch. The decision really comes from GSSAPI. Some of the example above suggest you have non standard port? Host: myIBMi.myDomain.com:451 ? Make sure you have proper SPN for that.

The other part to check would be DNS name. Is your myIBMi.myDomain.com A record or is it CNAME pointing to some other name?

The host and port of the server I'm accessing is definitely not standard. Full URL looks like this: https://edrms-pre:8443/api/resources

Dummy question, how to check for what SPN is used? Is there any where I can read more on how Authentication is decided by HttpClient when UseDefaultCredentials is set to true? Thanks in advance!

Also, I'm curious why is there a completely different (breaking) behaviour moving to .Net Core 5.0? Is that because .Net Core 5.0 enforcing better standards?

[wfurt]

I think you may start with checking the configured SPNs: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)
setspn -l edrms-pre

To answer the second part: I think this is related to #36644. 3.1 was always wrong not using port and that was fixed in 5.0 to match .NET Framework. That may show up as breaking change in 5.0 if the SPN was not setup properly.

I don't know if this is also answer for original issue posted bu @NathanielACollier but I think it will impact your case @mrducnguyen.

If this is the root cause it should be easy to fix by adding port specific SPN to your domain.

[NathanielACollier]

I think you may start with checking the configured SPNs: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)
setspn -l edrms-pre

To answer the second part: I think this is related to #36644. 3.1 was always wrong not using port and that was fixed in 5.0 to match .NET Framework. That may show up as breaking change in 5.0 if the SPN was not setup properly.

I don't know if this is also answer for original issue posted bu @NathanielACollier but I think it will impact your case @mrducnguyen.

If this is the root cause it should be easy to fix by adding port specific SPN to your domain.

It is the case that we also have a non standard port 8452 and 8251 that we use for https.

We don't have experience with SPN, and have had trouble with that, and can't justify setting them. We are going to figure out a work around with curl. Curl is still able to make the kerberos calls, and there is a CurlThin library that works really well so we are going to use it to make http calls when the SPNs aren't correct.

[NathanielACollier]

We got a curl httpclient thrown together, and it works, but people did decide we should engage a consultant to figure out the SPN. I'm going to write back once we've got a consultant to setup the SPNs with those ports.

[mrducnguyen]

Thanks @wfurt for your explanation :)

In our case, the IT infrastructure is completely outsourced to a 3rd party. We'll need to submit a request to add the SPN with port number. It might take days before it is executed. It might need to go through a couple rounds of meetings and discussions. I'll probably need to answer a couple questions before it could be done: Why do I need to upgrade to .Net 5.0 (can't just say I love new technology...)? Can thing just work as it is without any changing?... etc (sadly, that's the enterprise world I'm dealing with)

[wfurt]

Sorry for the troubles @mrducnguyen, I understand. Not that it would change much for you but I'll check if we can document this is breaking change.
I was thinking about this for a while (and few other cases) when it may be useful to probe SPN and fall-back if the matching SPN is not found. In that case we can try to right SPN with port and possibly fall-back to SPN without it like we used to do (and as curl does) But that code does not exist and it is unlikely IMHO we would get permissions for servicing 5.0.

[iSazonov]

The KB908209 article was removed but there are references in Internet like https://cloudblogs.microsoft.com/dynamics365/no-audience/2011/02/11/kerberos-authentication-does-not-work-when-enterprise-portal-uses-a-non-standard-port/
It seems it says current .Net behavior is correct and a fallback would be wrong. It seems that the target service itself should determine how it accepts authentication.