
Windows Authentication not working in Kestrel running in Linux (Ubuntu) #44681

Closed
1 task done
velmohan opened this issue Oct 21, 2022 · 7 comments
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. Status: Resolved

Comments

@velmohan

velmohan commented Oct 21, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I am in the process of migrating an Asp.Net application to Asp.Net Core (.NET6). To retain some authentication functionality from the asp.net implementation, I have added the following in the migrated application. I generally followed this article:

builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
   .AddNegotiate();

builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

Then I also have

app.UseAuthentication();
app.UseAuthorization();

If I run this application in Kestrel in Windows, authentication works fine: I can see HttpContext.User.Claims are populated correctly and I am able to get the username using this:

var userIdNameClaim = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name);

Then, if I run this application in Kestrel in Linux (Ubuntu), I see the following behaviours:

  1. Calling the endpoints in the same Linux machine causes the 401 error. See the logs:
 Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler[12]
      Negotiate is not supported with HTTP/2.
dbug: Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler[9]
      AuthenticationScheme: Negotiate was not authenticated.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
      Authorization failed. These requirements were not met:
      DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
dbug: Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler[6]
      Challenged 401 Negotiate.
info: Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler[12]
      AuthenticationScheme: Negotiate was challenged.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:50004/WeatherForecast/useridentity - - - 401 0 - 141.7712ms

  2. Calling the endpoints from a Windows machine causes the following error.
An unhandled exception has occurred while executing the request.
      Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Keytab FILE:/etc/krb5.keytab is nonexistent or empty).
         at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
         at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
         at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
         at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Expected Behavior

I would have expected HttpContext.User to be populated even when we host the application in Kestrel in Linux.

Steps To Reproduce

Clone repo: https://github.com/velmohan/windows-authentication-test
Host this application in Kestrel in Linux

Call the endpoint
https://[host id address]:[port]/WeatherForecast/useridentiy

from a Windows PC and a Linux machine.

Exceptions (if any)

No response

.NET Version

6.0.302

Anything else?

Microsoft.AspNetCore.App 6.0.7

@blowdart
Contributor

The log is the source of truth here

 Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler[12]
      Negotiate is not supported with HTTP/2.

HTTP/2 isn't compatible with Kerberos/Integrated/Negotiate auth, nor can it be (Windows/NTLM etc. require each request to be sent one after the other; HTTP/2 parallelizes requests).

Your choice here is either to limit Kestrel to HTTP/1.1 or to select a different type of auth.

@velmohan
Author

velmohan commented Oct 21, 2022

Thanks @blowdart. I just tried limiting Kestrel to HTTP/1.1 but it does not seem to help. This message "Negotiate is not supported with HTTP/2." does not appear anymore but the same authentication issue persists.

@blowdart blowdart added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Oct 21, 2022
@Tratcher
Member

It's normal to receive an initial 401 to start the negotiate login process. The client should follow up with additional requests with credentials. Do you have logs for those requests?

@blowdart blowdart added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Oct 21, 2022
@ghost

ghost commented Oct 21, 2022

Hi @velmohan. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

@velmohan
Author

velmohan commented Oct 24, 2022

@Tratcher Thank you for the response. I have managed to collect some logs.

I wanted to highlight that the Swagger UI that I used in Linux did not respond to 401 responses (at least it did not ask me for credentials) and I do not see any further follow-ups. I therefore turned Kerberos authentication on and tried using curl in Linux. I can see the following response is now sent from the client as a follow-up to the 401 response from the server:

GET /WeatherForecast/useridentiy HTTP/1.1
Host: localhost:[portno]
Authorization: Negotiate redacted*

It is now consistent because I see this same error from clients in both Windows and Linux:

Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure.  Minor code may provide more information (Keytab FILE:/etc/krb5.keytab is nonexistent or empty).
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Does this error therefore mean I do not have the expected SPNs and keytab files configured in my Linux machine, as detailed here: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-6.0&tabs=visual-studio#linux-and-macos-environment-configuration? Having to add these for my developer machine is a bit annoying but I guess that is Kerberos.

Is there any way to get Kerberos auth logs from an ASP.NET Core application in Linux? Setting the KRB5_Trace environment variable to a file or standard output does not seem to work.

@ghost ghost added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Oct 24, 2022
@Tratcher
Member

Yes, you do need to set up SPNs even for development. KRB5_Trace should be enough; we're using the OS kerb libraries.
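Putting blowdart's HTTP/1.1 advice and Tratcher's SPN/keytab answer together in one Program.cs, as an added example that is not the OP's repo code nor anything posted in this thread; it assumes the Microsoft.AspNetCore.Authentication.Negotiate package and uses MIT Kerberos's KRB5_KTNAME variable to locate the keytab, defaulting to the /etc/krb5.keytab path named in the exception above.

```csharp
using System.Runtime.InteropServices;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);

// 1. Negotiate cannot run over HTTP/2 (see "Negotiate is not supported with HTTP/2"),
//    so pin every Kestrel endpoint to HTTP/1.1 instead of letting ALPN choose.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureEndpointDefaults(listen => listen.Protocols = HttpProtocols.Http1);
});

builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();

builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

// 2. On Linux the Negotiate handler delegates to the OS GSSAPI library, which needs a
//    keytab holding the HTTP/<fqdn> service key. Report a missing or empty keytab once
//    at startup instead of surfacing a GssApiException on every authenticated request.
//    KRB5_KTNAME (MIT Kerberos) overrides the default keytab path; the "FILE:" prefix is optional.
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
    var keytab = Environment.GetEnvironmentVariable("KRB5_KTNAME") ?? "/etc/krb5.keytab";
    if (keytab.StartsWith("FILE:", StringComparison.OrdinalIgnoreCase))
        keytab = keytab.Substring(5);

    var info = new FileInfo(keytab);
    if (!info.Exists || info.Length == 0)
        app.Logger.LogError(
            "Keytab {Keytab} is missing or empty; Negotiate will fail for every client until the HTTP/<fqdn> SPN is registered and its keytab exported.",
            keytab);
}

app.UseAuthentication();
app.UseAuthorization();

// Minimal replacement for the OP's /WeatherForecast/useridentity endpoint (assumed shape).
app.MapGet("/WeatherForecast/useridentity", (HttpContext ctx) =>
    Results.Ok(new { Name = ctx.User.Identity?.Name, Authenticated = ctx.User.Identity?.IsAuthenticated }));

app.Run();
```

When tracing the GSSAPI side, note that MIT Kerberos reads the variable as KRB5_TRACE (all uppercase), and Linux environment variable names are case-sensitive, so KRB5_TRACE=/dev/stderr set before launching the app is what produces the library's trace output.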

@Tratcher Tratcher added ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. and removed Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. labels Oct 24, 2022
@ghost ghost added the Status: Resolved label Oct 24, 2022
@ghost

ghost commented Oct 26, 2022

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.

@ghost ghost closed this as completed Oct 26, 2022
@dotnet dotnet locked as resolved and limited conversation to collaborators Nov 25, 2022
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Aug 25, 2023
This issue was closed.