NegotiateStream.Write interop issues on Linux/OSX

[vijaykota]

There are some combinations of Kerberos/NTLM, SignOnly/EncryptAndSign etc. that cause the gss_wrap call on Unix client to fail against a Windows server using NegotiateStream. This issue is for tracking the foll. failing combinations of credentials and protection level passed in AuthenticateAsClientAsync

On Linux:

Kerberos creds with Sign: Server complains that signature is valid but contents not encrypted
NTLM creds with EncrypAndSign: Server rejects signature
NTLM creds with Sign: Server rejects signature

On OSX:

Kerberos creds with Sign: Server complains that signature is valid but contents not encrypted
NTLM creds with EncryptAndSign: Server complains about message format
NTLM creds with Sign: gss_wrap fails on client side

[vijaykota]

For Linux, we are working with RedHat engineers: https://fedorahosted.org/gss-ntlmssp/ticket/8
Possible issues are:

1. gss_wrap on client side may not be interoperable with WIndows SSPI VerifySignature on server side (used via NegotiateStream.AuthenticateAsServerAsync). Reference: https://msdn.microsoft.com/en-us/library/ms995352.aspx
2. Use gss_set_cred_options(NO_CI_FLAGS_X_OID) introduced in 1.14.x to force MIT client to negotiate integrity only instead of default of confidentiality+integrity. The issue seems to be the flags interpretation in gss_init_sec_context is not required set like in Windows case.

For OSX, trying to find a solution by posting at https://discussions.apple.com/message/29893662#29893662

[vijaykota]

Update for Kerberos case: gss_set_cred_option(GSS_KRB5_CRED_NO_CI_FLAGS_X) can be used on OSX. This will work on Linux also if MIT krb5 1.14 is installed. Please see explanation at krb5/krb5@7e6965a

[rahulkotecha-zz]

For OSX issues, also posted in heimdal mailing list:
http://article.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/8097

[rahulkotecha-zz]

"Kerberos creds with sign" part of the issue has been fixed for both Linux and OSX and is part of PR dotnet/corefx#6989

[stephentoub]

@joshfree, @rahulkotecha, should this be brought back to 1.0.0-rtm rather than 1.1.0?

[joshfree]

@terlochan any update since March?

[rahulkotecha-zz]

@joshfree, The fix for this is in third party linux packages (kerb5-libs and gssntlmssp). We've been working with RedHat engineer for this and expected to get the details of the fix this week.

[joshfree]

@rahulkotecha @terlochan what about for non-RHEL distros? What about OS X?

[rahulkotecha-zz]

The fix has been pushed upstream in MIT Kerberos source (krb5/krb5#436). Hence we can expect the fix to be available on all *nix platforms, starting krb5-1.15. As per RedHat engineer, the fix will be backported to RHEL 7 which will have 1.14+ patches.

[joshfree]

Thanks @rahulkotecha. I'll switch this to a release notes bug. Please work with @leecow to get this extra information tracked in the release notes and known issues

[leecow]

Captured in release note working doc