Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ntlm / Negotiate authentication does not work in HttpClient on Ubuntu 1804 #1

Open
marcino239 opened this issue Feb 18, 2021 · 4 comments
Open

Ntlm / Negotiate authentication does not work in HttpClient on Ubuntu 1804 #1

marcino239 opened this issue Feb 18, 2021 · 4 comments

Comments

@marcino239
Copy link

Referencing issue dotnet/runtime 887
I've used test repo from @JeroenBer and the conclusions are:

Platform Use NetworkCredentials Use CredentialCache
Ubunru1804 .NET Core 3.1 FAIL Success
Ubunru1804 .NET Core 5.0 FAIL FAIL

3.1 works with AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false). If this flag is set to true then nothing works either on 3.1 or 5.0

I'll add wireshark dumps over the next few days

Thanks!
@wfurt
Copy link
Owner

wfurt commented Feb 18, 2021

thanks @marcino239. Can you post your code? As I was thinking about it I think neither NTLM nor the wrapper handles CredentialCache e.g. it expect NetworkCredentials. That is probably not hard to fix. the fact that the NetworkCredentials does not work is more concerning.

@wfurt
Copy link
Owner

wfurt commented Feb 18, 2021

Actually, you can also set Diag=true on the NTLM class and it will print useful info to console. That may be easier than packet capture.

@marcino239
Copy link
Author

marcino239 commented Feb 18, 2021
edited
Loading

I've used stock HttpClient from runtime when testing using @JeroenBer test harness.
Interestingly I did manage to get this repo working (server was IIS, don't remeber which version) for NTLM when NegotiateOEM was used. I had to modify few string copy functions. I couldn't get Negotiate to work.

Working code I am using in my current software looks more or less like this:

// in main
AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);

// in some helper
var handler = new HttpClientHandler()
{
  UseDefaultCredentials = false,
  AutomaticDecompression = DecompressionMethods.GZip,
  PreAuthenticate = true,
};

handler.Credentials = new CredentialCache
{
    {
        new Uri(url),
        "NTLM",
        new NetworkCredential(username, password, domain)
    }
};

I was comparing how curl does NTLM auth and it was more efficient in terms of calls to the server. My plan was to use this repo with DelegatingHandler like @JeroenBer was trying to use in his version however base of Delegating handler was not playing nicely which means setting up new HttpClient instead of reusing existing one.

This plus time constrains meant I went with stock HttpClient. I don't know the dotnet runtime internals unfortunately.

@wfurt
Copy link
Owner

wfurt commented Feb 18, 2021

Ah. The whole recent discussion on dotnet/runtime#887 is about alternative managed implementation of NTLM. The ask was to test that implementation and provide feedback. If that work, it would be considered for inclusion in 6.0.
It seems like your setup is somehow different and it may be interesting test case.

If you want to investigate the stock behavior, I would suggest to open separate issue as it had nothing to do with macOS (or this effort)

Note that System.Net.Http.UseSocketsHttpHandler does nothing in 5.0. Old curl handler was removed and will not be back. I assume you have default version of the gss-ntlmssp package?

@marcino239 marcino239 mentioned this issue Mar 10, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marcino239 @wfurt