Windows Authentication not working in Kestrel running in Linux (Ubuntu) #44681
Comments
The log is the source of truth here
HTTP/2 isn't compatible with Kerberos/Integrated/Negotiate auth, nor can it be (Windows/NTLM etc requires each request to be sent one after the other, HTTP/2 parallelizes requests). Your choice here is either limit Kestrel to HTTP1.1 or select a different type of auth.
Thanks @blowdart. I just tried limiting Kestrel to HTTP1.1 but it does not seem to help. This message "Negotiate is not supported with HTTP/2." does not appear anymore but the same authentication issue persists.
It's normal to receive an initial 401 to start the negotiate login process. The client should follow up with additional requests with credentials. Do you have logs for those requests?
Hi @velmohan. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.
@Tratcher Thank you for the response. I have managed to collect some logs. I wanted to highlight that the Swagger UI that I used in Linux did not respond to 401 responses (at least it did not ask me for credentials) and I do not see any further follow-ups. I therefore turned Kerberos authentication on and tried using curl in Linux. I can see the following response is now sent from the client as a follow-up to the 401 response from the server:
It is now consistent because I see this same error from clients in both Windows and Linux:
Does this error therefore mean I do not have the expected SPNs and keytab files configured in my Linux Machine as detailed here: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-6.0&tabs=visual-studio#linux-and-macos-environment-configuration. Having to add these for my developer machine is a bit annoying but I guess that is Kerberos. Is there any way to get Kerberos auth logs from asp.net core application in Linux? Setting KRB5_Trace environment variable to a file or standard output does not seem to work.
Yes, you do need to set up SPNs even for development. KRB5_Trace should be enough, we're using the OS kerb libraries.
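As an added example (not code from the reporter's repository or from the ASP.NET Core team), a minimal .NET 6 Program.cs that combines the advice in this thread: Kestrel restricted to HTTP/1.1, Negotiate authentication, and a Linux startup check of the keytab and Kerberos trace settings. It assumes the Microsoft.AspNetCore.Authentication.Negotiate package, the web template's implicit usings, and a hypothetical /whoami route.

```csharp
// Added example; names such as /whoami are hypothetical.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);

// Negotiate authenticates over several round trips on one connection, so pin
// every Kestrel endpoint to HTTP/1.1 (the default, Http1AndHttp2, allows HTTP/2 over TLS).
builder.WebHost.ConfigureKestrel(kestrel =>
    kestrel.ConfigureEndpointDefaults(listen => listen.Protocols = HttpProtocols.Http1));

builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
// Require an authenticated user everywhere, so anonymous requests receive the 401 challenge.
builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy);

var app = builder.Build();

if (OperatingSystem.IsLinux())
{
    // MIT Kerberos reads the keytab named by KRB5_KTNAME, else /etc/krb5.keytab.
    var ktname = Environment.GetEnvironmentVariable("KRB5_KTNAME") ?? "FILE:/etc/krb5.keytab";
    var path = ktname.StartsWith("FILE:") ? ktname["FILE:".Length..] : ktname;
    try
    {
        // Open the file rather than only testing existence: a keytab owned by
        // root with mode 600 exists but is unusable by an unprivileged service account.
        using var _ = File.OpenRead(path);
        app.Logger.LogInformation("Keytab {Path} is readable", path);
    }
    catch (Exception ex) when (ex is IOException or UnauthorizedAccessException)
    {
        app.Logger.LogWarning("Keytab {Path} is not readable: {Error}", path, ex.Message);
    }
    // The OS library looks for the upper-case name KRB5_TRACE; environment
    // variable names are case-sensitive on Linux.
    app.Logger.LogInformation("KRB5_TRACE={Trace}",
        Environment.GetEnvironmentVariable("KRB5_TRACE") ?? "(unset)");
}

app.UseAuthentication();
app.UseAuthorization();

// Returns the authenticated name claim, the same value the issue reads from User.Claims.
app.MapGet("/whoami", (ClaimsPrincipal user) =>
    user.FindFirst(ClaimTypes.Name)?.Value ?? "(no name claim)");

app.Run();
```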
This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes. See our Issue Management Policies for more information.
Is there an existing issue for this?
Describe the bug
I am in the process of migrating an Asp.Net application to Asp.Net Core (.NET6). To retain some authentication functionality in the asp.net implementation, I have added the following in the migrated application. I generally followed this article:
Then I also have
If I run this application in Kestrel in Windows, authentication works fine and I can see HttpContext.User.Claims are populated correctly and I am able to get the username using this: var userIdNameClaim = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name);
Then, if I run this application in Kestrel in Linux (Ubuntu), I see the following behaviours:
Expected Behavior
I would have expected HttpContext.User being populated even when we host the application in Kestrel in Linux.
Steps To Reproduce
Clone repo: https://github.com/velmohan/windows-authentication-test
Host this application in Kestrel in Linux
Call the endpoint https://[host id address]:[port]/WeatherForecast/useridentiy from Windows pc and a Linux machine.
Exceptions (if any)
No response
.NET Version
6.0.302
Anything else?
Microsoft.AspNetCore.App 6.0.7