HttpClient(AndroidMessageHandler) with NTLM v2 auth and Self Signed Certificate returns 401 Unauthorized

[AzizBelAbed]

Description

I'm using an on-premise exchange server with NTLM v2 authentication.
When attempting to authenticate using HttpClient and AndroidMessageHandler, I encounter a 401 Unauthorized error, specifically due to a self-signed certificate. Interestingly, when using a public certificate, authentication proceeds without any issues.

Old ticket: #102107
Issue still reproducible using .NET9

Here parts of the code:

var _httpClientHandler = new CustomAndroidMessageHandler();
var _credentials = new CredentialCache
{
{ new Uri(serverEndpoint), "NTLM", new NetworkCredential(emailEntry.Text, passwordEntry.Text)}
};
_httpClientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; };
_httpClientHandler.Credentials = _credentials;
HttpClient httpclient = new HttpClient(_httpClientHandler);

public class CustomAndroidMessageHandler : AndroidMessageHandler
{
protected override async Task WriteRequestContentToOutput(
HttpRequestMessage request,
HttpURLConnection httpConnection,
CancellationToken cancellationToken)
{
var stream = await request.Content.ReadAsStreamAsync().ConfigureAwait(false);
await stream.CopyToAsync(httpConnection.OutputStream!, 4096, cancellationToken).ConfigureAwait(false);

if (stream.CanSeek)
{
stream.Seek(0, SeekOrigin.Begin);
}
}
}

I added

<AndroidUseNegotiateAuthentication>true</AndroidUseNegotiateAuthentication>

in csproj

Reproduction Steps

.

Expected behavior

Working.

Actual behavior

401 Unauthorized.

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[AzizBelAbed]

@simonrozsival Issue still reproducible using .NET9

[simonrozsival]

@AzizBelAbed thanks for re-opening the issue. Is the authentication failing with SocketsHttpHandler in .NET 9?

[simonrozsival]

/cc @vitek-karas

[dotnet-policy-service]

Tagging subscribers to 'arch-android': @vitek-karas, @simonrozsival, @steveisok, @akoeplinger
See info in area-owners.md if you want to be subscribed.

[wfurt]

Do you have extended protection enabled on the server side @AzizBelAbed? e.g. channel binding?

[wfurt]

The extended protection should have been fixed by #95898. I'm wondering if you could try SocketsHttpHandler on Linux against that very server while forcing UseManagedNtlm @AzizBelAbed. That would give us insight if the underlying implementation is capable of authenticating. And perhaps could you share your testing certificate? You can create new one with same structure but different key pair.

Any other recommendations @filipnavara ?

[mendorf]

@wfurt how do you want the certificate to be shared? We got the original PFX for an internal development server where we face the issues. Where should we send it?

[wfurt]

My visibility to the Android handler is limited. I was hoping that if you can try the managed implementation it could give us some clues @mendorf