[Epic] Kerberos Authentication in ASP.NET Core

[analogrelay]

We want to support Kerberos Authentication in ASP.NET Core.

For 3.0, we are targetting the following supported environments as a minimum viable product (MVP):

• ASP.NET Core Server Platform: Linux (including containers) (we'll try to avoid doing anything to prevent it from working on Windows/macOS, it just won't be the testing focus)
• Domain Controller type: Active Directory, running on a Windows OS in the .NET Core
  support matrix (Windows Server 2008 R2 or higher)
• Client: Domain-joined Windows Machines using IE11 and Edge. Other "evergreen" browsers (Chrome, Firefox) as long as they support Kerberos auth.

MVP Features

• Challenge for a Kerberos ticket
• Decode the ticket into an Identity that includes a user identifier of some kind
• (Depending on the feasibility) Including group information in the Identity?
• Support for offline ticket processing via a key table (keytab)

Not in the MVP:

• NTLM is not a priority in the MVP, but we think it may come pretty cheap once Kerberos is up and running.
• Allowing the server to call other services using the Kerberos identity provided by the client (i.e. SQL)
• Allowing non-Windows servers to authenticate with Windows AD-protected resources via a service account
• Unification with WindowsIdentity
• Support for Domain Controllers/Server platforms other than those listed above (though we believe others may come "for free", we just won't be committing to testing those)
• Support for Kubernetes gMSA is for Windows containers, and since the MVP focuses on Linux, Kubernetes gMSA isn't part of the MVP. We won't do anything to prevent Windows usage if possible though.

Other server platforms, DCs, clients, etc. may well come for free, but I want to set a really clear bar for what we are going to be committed to achieving in 3.0. We can always iterate on this in future releases.

Child Items:

• https://github.com/dotnet/corefx/issues/8221 CoreFX Linux Server Kerberos implementation
• https://github.com/dotnet/corefx/issues/36896 CoreFX Negotiate API Postponed
• Add IConnectionCompleteFeature.OnCompleted #9754 Server connection state (also Consider exposing Bedrock's "Connection Features" on HttpContext #9213)
• xplat Integrated Windows Authentication (ntlm/Kerberos) #4662 Auth middleware
• Docs for new Negotiate auth handler AspNetCore.Docs#12420 Docs
• CTI test script Cut from 3.0

[analogrelay]

cc @Tratcher

[analogrelay]

FYI @blowdart - Updated to include MVP (and non-MVP) scenarios.

[ThatRendle]

Super-happy to see this getting some love. It's going to be a huge unblocker where I'm working at the moment.

[analogrelay]

@markrendle Please let us know if the MVP (described above) is sufficient for your scenarios! If there are gaps, we'd like to at least track them (though we can't commit to much, if anything, beyond the MVP in 3.0)

[csturm83]

Am I understanding the MVP correctly, that Kerberos Constrained Delegation in Kestrel running on Linux will not be supported initially?

My enterprise scenario is a .NET Core web application running in a Linux container which needs to delegate Windows credentials (using Kerberos) to a web service hosted on a Linux machine (assuming appropriate keytabs/SPNs configured).

If this scenario will not be supported by the MVP, does anyone know of an alternative way to implement this today? I had 2 (maybe unrealistic) ideas:

1. Is it possible to reverse proxy NGINX or Apache to Kestrel inside of a Linux container using their respective Kerberos modules to delegate the credentials? I.e. would a WindowsIdentity.RunImpersonated call (or similar) work in such a configuration? The fact that it's WindowsIdentity would lead me to believe no.
   (IE) -> (NGINX/Kestrel/.NET Core app in Linux Container) -> (web service)

2. Is it possible to reverse proxy IIS externally to Kestrel inside of a Linux container, delegating credentials using WindowsIdentity.RunImpersonated.
   (IE) -> (IIS) -> (Kestrel/.NET Core app in Linux Container) -> (web service)

Reading the third bullet in this comment gives me the feeling that neither of these approaches will work.

@Tratcher @Drawaes

[blowdart]

Given that Kerberos Constrained Delegation is a Windows Server feature, rather than a Kerberos feature, you're correct, this isn't going to be supported initially, if at all.

Unblocking "Windows authentication" to a web app hosted on linux is the goal for the MVP.

[csturm83]

Thank you @blowdart for your quick response!

Given that Kerberos Constrained Delegation is a Windows Server feature, rather than a Kerberos feature,

The way I understand it, constrained delegation is a Kerberos protocol extension (S4U2Proxy) that Microsoft invented (may have started out as a Windows Server feature as you suggest). I believe the MIT Kerberos implementation currently supports the S4U protocol extensions.

Likely not a compelling enough reason to change the MVP (which I believe is a big step in the right direction!). I would just suggest/request that the S4U extensions are a feature I believe are worth pursuing in future iterations, if not the MVP.

I'm not entirely sure, but it sounded like some folks chiming in on AspNetCore Issue #4662 had use cases similar to mine (although I believe delegating to SQL).

[blowdart]

Yea, we're treating this as a starting point to unblock what is most requested. After that, well, we'll think about additions based on customer demand,