NTLM support with Kestrel #14951

Closed
tornie2 opened this issue Oct 12, 2019 · 10 comments
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer

Comments

@tornie2

tornie2 commented Oct 12, 2019

We were excited to see that NTLM and Negotiate are now supported with Kestrel, as described here:
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.0&tabs=visual-studio

However we have only been able to make this work with Negotiate, not NTLM.

Basically we have done what is described in the above article.
Added authentication to services:

        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();

and added Authentication to the pipeline.
We also have our own simple check for authorization in the pipeline:

        app.UseAuthentication();
        app.UseMiddleware<ValidateAuthentication>();

The ValidateAuthentication middleware is very simple:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

internal class ValidateAuthentication : IMiddleware
{
    public async Task InvokeAsync(HttpContext context, RequestDelegate next)
    {
        // UseAuthentication has already run, so context.User reflects the Negotiate result.
        if (context.User.Identity.IsAuthenticated)
            await next(context);
        else
            // Issues the default scheme's challenge (WWW-Authenticate: Negotiate) and ends the request.
            await context.ChallengeAsync();
    }
}

When a challenge is sent, we only see Negotiate:

   WWW-Authenticate Negotiate

We would have expected NTLM as well. Something like:

   WWW-Authenticate Negotiate,NTLM

Why is NTLM not supported by our Kestrel host as well?

The application is tested on a Windows 10 machine in an enterprise environment using AD as identity system.

@jkotalik
Contributor

Not 100% sure, but can you try calling the AddNegotiate overload that takes an auth scheme? https://github.com/aspnet/AspNetCore/blob/master/src/Security/Authentication/Negotiate/src/NegotiateExtensions.cs#L41

And there you can pass in Negotiate,NTLM.

@Tratcher to confirm.

@jkotalik jkotalik added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Oct 14, 2019
@Tratcher
Member

@jkotalik no, auth scheme is the internal identifier, not the header.

@Tratcher Tratcher self-assigned this Oct 14, 2019
@Tratcher
Member

https://github.com/aspnet/AspNetCore/blob/21c9e2cc954c10719878839cd3f766aca5f57b34/src/Security/Authentication/Negotiate/src/NegotiateHandler.cs#L359
The challenge is not configurable for a variety of reasons:

  • This first version of the auth handler was focused exclusively on enabling Kerberos auth on Linux (via Negotiate). Anything else that happens to work is a bonus (e.g. Negotiate on Windows works).
  • Negotiate includes implicit fallback support for NTLM when required which is adequate for many scenarios.
  • NTLM is a very outdated protocol and should only be used as a Negotiate fallback, not directly.

FYI the new UseAuthorization middleware can replace your ValidateAuthentication middleware if you set the fallback policy to require auth.

What client and scenario do you have that requires direct NTLM usage?

@Tratcher Tratcher removed their assignment Oct 14, 2019
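As an added illustration of the suggestion above (not code from the thread or from the ASP.NET Core repo), this is a Startup that replaces the hand-written ValidateAuthentication middleware with UseAuthorization plus a fallback policy; the /health endpoint is a constructed example of opting a route out of that policy.

```csharp
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Same registration as in the issue. The handler's challenge is fixed:
        // it always emits "WWW-Authenticate: Negotiate"; NTLM is only reachable
        // as the implicit fallback inside the Negotiate (SPNEGO) exchange.
        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
                .AddNegotiate();

        // Fallback policy: any endpoint without its own authorization metadata
        // requires an authenticated user. Unauthenticated requests are challenged
        // with the default scheme, which is what ValidateAuthentication did by hand.
        services.AddAuthorization(options =>
        {
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();

        // Order matters: authentication populates HttpContext.User first,
        // then authorization applies the fallback policy and challenges if needed.
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();

            // Constructed example: a probe endpoint explicitly excluded from the
            // fallback policy so monitoring clients that cannot do Negotiate still get 200.
            endpoints.MapGet("/health", async ctx => await ctx.Response.WriteAsync("ok"))
                     .AllowAnonymous();
        });
    }
}
```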
@tornie2
Author

tornie2 commented Oct 15, 2019

Ok. Thanks @Tratcher

If your support is only for Negotiate, and has only been verified on Linux, then I think your documentation is a little misleading.

I understand from your reply that NTLM support from your side is about to end. We have a task in our organization then to move away from NTLM.

@Tratcher
Member

only been verified on Linux,

We tested Windows too, but the Windows support wasn't new functionality, that was already supported via other code paths.

I understand from your reply that NTLM support from your side is about to end. We have a task in our organization then to move away from NTLM.

NTLM will never go away completely, but you'd do best to avoid it.

@analogrelay
Contributor

We don't have plans to add support for NTLM in Kestrel. If this kind of legacy support is necessary for you, there are still servers that support it (IIS and HttpSysServer). We have no plans to bring this legacy forward to Kestrel though.

@tornie2
Author

tornie2 commented Oct 19, 2019

@anurse
Perfectly understandable. Of course you need to ditch legacy technologies at some point.

Only I still recommend that you revisit your documentation

This is not correct:

The Microsoft.AspNetCore.Authentication.Negotiate NuGet package can be used with Kestrel to support Windows Authentication using Negotiate, Kerberos, and NTLM on Windows, Linux, and macOS.

@analogrelay
Contributor

Only I still recommend that you revisit your documentation

Fair point. NTLM is, I believe, still supported on Windows because the native components we use support it. We should update that to indicate that we don't support NTLM on Linux. (At least that's my understanding, @Tratcher can confirm in the docs PR I'm about to open :))

@Tratcher
Member

CoreFx recently identified a bug that was preventing NTLM from working via Negotiate on Linux, they'll get that working at some point.

The point at issue here is that NTLM is not directly supported on any platform because you can't make NTLM the auth header challenge, you can only use it as a Negotiate fallback.

@tornie2
Author

tornie2 commented Oct 22, 2019

@anurse
What @Tratcher describes is exactly the problem we ran into. We are using C# HttpClient with NTLM credentials, and it will not respond to a challenge with Negotiate only.

My understanding of NTLM is that it is based on challenge / response. I don't see how NTLM could work at all, if there is no challenge?
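An added client-side example (not code from the thread) of the mismatch described in the last two comments: it assumes the client registers its credential in a CredentialCache keyed by authentication scheme, which is an assumption about the poster's setup. A cache entry keyed "NTLM" only answers an NTLM challenge, so it never matches Kestrel's Negotiate-only header; keying it "Negotiate" lets the SSPI/GSSAPI layer answer the challenge and fall back to NTLM itself when Kerberos is unavailable.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

static class NegotiateClient
{
    // Builds a credential cache for the target. The scheme string must match the
    // scheme the server challenges with, otherwise HttpClientHandler finds no
    // credential for the challenge and simply returns the 401.
    public static CredentialCache BuildCache(Uri target, NetworkCredential cred, bool legacyNtlmOnly)
    {
        var cache = new CredentialCache();
        if (legacyNtlmOnly)
            cache.Add(target, "NTLM", cred);       // never matches "WWW-Authenticate: Negotiate"
        else
            cache.Add(target, "Negotiate", cred);  // matches Kestrel's challenge; NTLM is the implicit fallback
        return cache;
    }

    public static async Task<HttpResponseMessage> GetAsync(Uri target, NetworkCredential cred)
    {
        var handler = new HttpClientHandler
        {
            Credentials = BuildCache(target, cred, legacyNtlmOnly: false),
            PreAuthenticate = false, // let the server's challenge drive the scheme selection
        };
        using var client = new HttpClient(handler);
        return await client.GetAsync(target);
    }

    public static async Task Main()
    {
        // Hypothetical host and constructed credential; on a domain-joined client
        // CredentialCache.DefaultNetworkCredentials would be used instead.
        var target = new Uri("http://kestrel-host.example.local/");
        var cred = new NetworkCredential("user", "password", "EXAMPLE");

        var response = await GetAsync(target, cred);
        Console.WriteLine((int)response.StatusCode);
        foreach (var scheme in response.Headers.WwwAuthenticate)
            Console.WriteLine($"WWW-Authenticate: {scheme.Scheme}"); // only present on a 401
    }
}
```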

@dotnet dotnet locked as resolved and limited conversation to collaborators Dec 2, 2019