xplat Integrated Windows Authentication (ntlm/Kerberos) #4662
From @davidfowl on January 25, 2018 15:23
We don't have any plans AFAIK to support windows authentication when running on linux. There were discussions we had early on about how windows authentication could be supported in Kestrel, but that was by calling back into windows, not writing a fully managed implementation of ntlm, kerberos etc.
From @evil-shrike on January 25, 2018 15:33
This is a real pity, especially in contrast with the support for Kerberos in Java... May I ask what the reasoning behind such a decision is?
From @blowdart on January 25, 2018 15:35
Because it would be too risky and too hard to secure. We're not about to take a dependency on Samba.
From @khellang on January 25, 2018 15:43
According to https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-active-directory-authentication, it looks like RHEL, SUSE and Ubuntu already have clients for Kerberos, though?
From @Tratcher on January 25, 2018 17:28
It's not impossible, but it's an extremely large and high risk work item. We're still working on Kestrel's fundamentals such as protocol correctness, stability and performance. Large, high risk features will need to wait.
From @evil-shrike on January 25, 2018 18:17 Well, ok, it's too early to expect Windows-auth in Kestrel, but we need some guidance on how to support Windows-auth on Linux in general in the meantime. I can see two approaches:
So any recommendations (or any other piece of advice) are highly desirable.
From @Tratcher on January 25, 2018 22:08
Your first scenario could be accomplished using OpenIdConnect and an auth server like IdentityServer4.
@blowdart HI
@evil-shrike when you say "Windows Authentication" what do you mean? Do you want
1. "I want to use Windows Authentication to authenticate against a web site"
2. "I want to use Windows Authentication to authenticate against a web site and then I want to be able to impersonate that user so I can access network resources"
3. "I want to run my web site under a linux account that comes from a domain via kerberos and let it talk to SQL as that account"
Or something else altogether. One thing to note up front - it's extremely unlikely we'd implement NTLM, that protocol needs to die and since Win2k it's Kerberos anyway.
@blowdart I guess all these and other use-cases will find their use if we say "dotnetcore supports Windows auth on Linux". I mean people will want them. But in my particular case I need the 1st one - "I want to use Windows Authentication to authenticate against a web site". Also we need to be able to talk to LDAP/AD. It was overwhelming to learn that currently we don't have an API for LDAP/AD access on Linux (no System.DirectoryServices.Protocols). I wouldn't care about NTLM if we had Kerberos. But correct me if I'm wrong that this means that authenticating via local Windows users won't work, right (as Kerberos requires a domain)?
WRT NTLM: There are no local Windows users on a Linux system ... is that really a problem? Directory Services is apparently coming, but that's .NET Core rather than ASP.NET Core. The fun part of this is it might have to be part of .NET Core, because really WindowsPrincipal is very fixed to Windows, and that's what would do the delegation flow/impersonation. We'd have to examine the possibility of KerberosPrincipal or something of that ilk, but honestly the use cases need to come first to allow me to justify it and get the scope of the work figured out.
yeah, sure, not a problem, sorry )
Another question - is this for a stand alone box, or for containers? I ask because joining your containers to a domain, or setting up SPNs for them seems wrong. In that case, if all you want is auth for a web site, using OIDC or WSFed to an ADFS server seems like the better option, this way it's clean with no dependencies. That way auth is taken care of by an auth provider, and your container has no pollution that demands connections to non-container infrastructure. (Forgive me if I'm not using the right container terms here)
I needed it for a standalone server.
Well, ADFS would just be a typical external identity flow, either OIDC or WS-Fed, and it'd work like Facebook, Twitter or Google, or indeed any external auth, except ADFS knows what your internal network is, and supports integrated auth too, so it's automatic for internal users. Anyway, as you can imagine Kerberos / SPNEGO / Integrated, whatever you want to call it, would be a brand new feature. So this will be popped on the backlog, and as each new version starts planning we'll revisit it.
For research purposes (most are out of date, but a decent starting point):
- Kerberos is a network authentication protocol for client/server applications & SPNEGO provides a mechanism for extending Kerberos to Web applications through HTTP: https://msdn.microsoft.com/en-us/library/ms995330.aspx
- HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
- RFC 4120 - The Kerberos Network Authentication Service (V5)
My use case would be for ASP.Net Core living in a docker container on Linux needing to connect to legacy Sql Server on Windows which currently uses AD Groups associated with roles for Authorization. In legacy .net apps, connections to sql server are usually done with service accounts that are in AD.
@undecided2013 Have you progressed with a solution for this? I have the exact same use case.
@blowdart Here's a managed-only implementation of Kerberos on .NET (xplat) you might wanna look at for implementing this: Kerberos.NET. It uses a
@undecided2013 This is possible to do if you install Kerberos client dependencies inside the container (e.g.
OK folks, give me survey love :) https://microsoft.qualtrics.com/jfe/form/SV_9LvT1hbZ2nHHcFv will help us understand what you want, you might even get followup calls to discuss it in greater detail. Feel free to spread the survey link around.
Setting milestone to preview6 so it's out of the generic 3.0.0 milestone.
Will it be a
@John0King my current prototype is as an auth package. Either way we need some new connection state features from the server, so it will only work with Kestrel.
FYI: There's a draft PR for this now at #9831.
Announcement: In preview5 we added support to NegotiateStream for server scenarios on Linux. In the next milestone we will implement HTTP server auth using the same underlying libraries.
Verified in SDK 3.0.100-preview6-012105-1 on Ubuntu.
Is it now possible to use Kestrel with Nginx as a reverse proxy and the SPNEGO module to get Kerberos working, and can I use the Authorize attribute or get the login using HttpContext.Current.User.Identity.Name?
Yes. Careful though: I don't think NGinx guarantees that.
Suppose I want to experiment inside the company in which I work, but I do not understand the simplest thing. If I publish a simple web api application on Linux with Windows authentication enabled and anonymous authentication and add the Authorize attribute to the controller, then the application throws an exception "defaultscheme must be specified". Maybe there are some other ways to make Kerberos work on Linux with Kestrel, even if not official?
@concretor91 Maybe you are missing this: services.AddAuthorization(options =>
@durranitech
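As an added example (not code posted in this thread), a minimal ASP.NET Core 3.0 Startup that wires the Negotiate handler from the Microsoft.AspNetCore.Authentication.Negotiate package as the default scheme, which is what the "default scheme" error above is asking for, together with a fail-closed fallback policy. It assumes the host is domain-joined with an SPN and keytab configured as in the Kestrel docs linked later in the thread; the `WhoAmIController` name is hypothetical.

```csharp
// Added example (not from this thread): Negotiate (Kerberos/SPNEGO) on Kestrel, ASP.NET Core 3.0.
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Name Negotiate as the default scheme. Without a default, [Authorize] has no
        // handler to challenge with and throws the "default scheme" error from above.
        // On Linux the handler validates tickets through GSSAPI, so the host needs a
        // domain join, an SPN and a keytab (assumed here; see the linked docs).
        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
                .AddNegotiate();

        // Fail closed: every endpoint requires an authenticated user unless it is
        // explicitly marked [AllowAnonymous].
        services.AddAuthorization(options =>
        {
            options.FallbackPolicy = options.DefaultPolicy;
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before authorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Hypothetical controller: echoes the authenticated principal. In ASP.NET Core the
// identity comes from HttpContext.User (ControllerBase.User), not HttpContext.Current.
[ApiController]
[Route("whoami")]
public class WhoAmIController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new
    {
        name = User.Identity?.Name,             // e.g. alice@CORP.EXAMPLE (constructed)
        authenticationType = User.Identity?.AuthenticationType
    });
}
```

Per the thread, the Negotiate handler relies on connection-state features only Kestrel provides, so this wiring does not apply behind IIS or HTTP.sys on Windows.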
The docs for this are available here: |
@Tratcher Thanks. Very glad this is coming in 3.0. Are there any plans for including the AD groups in the identity? With this package, the only claim included is
Not in this release. Please open a new issue to track that ask. So far we haven't even identified the APIs/libraries necessary to make that work on Linux. We don't process tickets directly, we rely on SChannel and GSS to handle that.
@blowdart In the following comment that you posted, can you explain how to achieve the third scenario in asp.net core mvc 2.1?
We have not implemented scenario 3. It’s in the backlog for now. The sql team has ways to configure the Linux client for integrated auth but that’s for a machine account, not via a delegated identity.
From: Niyam Shah <[email protected]>
Sent: Friday, August 30, 2019 1:16:44 PM
To: aspnet/AspNetCore <[email protected]>
Cc: Barry Dorrans <[email protected]>; Mention <[email protected]>
Subject: Re: [aspnet/AspNetCore] xplat Integrated Windows Authentication (ntlm/Kerberos) (#4662)
@blowdart<https://github.com/blowdart> In the following comment that you posted, can you explain how to achieve the third scenario in asp.net core mvc 2.1?
Basically I have a self-contained .net core mvc app deployed to linux and it needs to be able to connect to an SQL Server with integrated security, both the linux server and sql server being in a corporate intranet. Any help would be much appreciated!
@evil-shrike<https://github.com/evil-shrike> when you say "Windows Authentication" what do you mean?
Do you want
1. "I want to use Windows Authentication to authenticate against a web site"
2. "I want to use Windows Authentication to authenticate against a web site and then I want to be able to impersonate that user so I can access network resources"
3. "I want to run my web site under a linux account that comes from a domain via kerberos and let it talk to SQL as that account"
Or something else altogether.
One thing to note up front - it's extremely unlikely we'd implement NTLM, that protocol needs to die and since Win2k it's Kerberos anyway.
@blowdart Ah okay, thanks for the quick reply. Any article/page on configuring for a machine account as you mentioned? Might be helpful for figuring out a workaround
@blowdart Thanks!
Hi, in my scenario the users log in from a Windows DC to their Windows OSs where they would use a browser based (TS) or desktop (.Net) client for accessing different services. The services and a central IdentityServer4 that issues the tokens and handles other authentication scenarios as well, run in Linux based docker containers. My aim is to use SSO and authorize against the IdentityServer4 - LDAP using the already logged in Windows account for the user without prompting for user name and password. The IdentityServer4 is a linux based container - so I cannot use the documented and well known method. Is this scenario possible with the mentioned NegotiateStream release? Thank you
@danielleiszen the docs are here: Little testing has been done in docker though. Let us know if the docs work for you.
@danielleiszen I'm not sure about the details of how IS4 does LDAP, but I'm assuming the requirement can essentially be reduced to having an ASP.NET Core (3.0) web service (your IS4) be capable of authenticating requests using Negotiate, while running in a Linux container. As @Tratcher linked, since 3.0, Kestrel can do Negotiate in a Linux environment with the right prerequisites. These are basically:
Setting this up is mostly explained in this article which is also linked in the Kestrel guide. The issue when you want to do this from Docker is that you essentially need to run 2 processes: your application and a process that keeps the TGT alive (using
A better solution is to have a separate (sidecar) container running that keeps the TGT alive. Your app container and the sidecar container can then share the same Kerberos cache over e.g. a memory volume. Kubernetes helps here, as you can deploy a Pod with those two containers, which means the sidecar is isolated from other applications. That being said, I would recommend using standard OAUTH and JWT if you can avoid using Kerberos as it adds a lot of complexity and is much harder to debug (the Kerberos mechanism is coupled to a lot of non-HTTP systems like AD and DNS).
From @evil-shrike on January 25, 2018 12:41
I haven't found any ticket for tracking the xplat Windows-auth support in aspnet/dotnet core.
I understand that currently we have only out-of-the-box Windows auth support in IIS/IISExpress and http.sys and only on Windows.
There's a decent article in docs https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?branch=pr-en-us-3622&tabs=aspnetcore2x on how to configure Windows auth. But it says nothing about non-Windows use-cases.
There are many issues here on GitHub and questions around on sites like SO on "how to implement Windows authentication in aspnet core on Linux". But all issues are closed with reasoning like "Kestrel doesn't implement Windows auth currently, use IIS or http.sys". This is understandable but it's unclear what to do if we need to host an app on Linux and support integrated Windows auth (in intranet networks).
So there are several points which need to be addressed:
I understand that strictly speaking this issue is probably related to the Kestrel project, but it's easier to find it here. Moreover, it's an implementation detail where Windows-auth support should live.
Anyway, there should be some source of information describing what to do with aspnet core apps on Linux for adding Windows auth.
Some additional info:
Copied from original issue: #2824