Docs for new Negotiate auth handler #12420

Closed
Tratcher opened this issue May 14, 2019 · 4 comments · Fixed by #12793
Comments

Tratcher (Member) commented May 14, 2019

Docs for dotnet/aspnetcore#9831

This may be an addition to or spinoff from https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-2.2&tabs=visual-studio

This is a new authentication handler for Kerberos and NTLM and is intended for cross platform use.

WARNING: This component can persist credentials across requests on a given connection and MUST NOT be used with proxies unless they maintain a 1:1 connection affinity. This means it must not be used with Kestrel behind IIS (ANCM) out-of-proc.

Configuration:

  • The code and options are quite minimal, but configuring your environment can be very complicated, especially for Kerberos, Linux, etc. That's out of scope for this doc but we should link to some guides on environment setup.
  • This only works with Kestrel.
  • It is supported on Windows, Mac, and Linux.
  • We expect the primary usage to be Windows clients connecting to Linux servers that are part of the same Windows domain.
  • HTTP/2 is not supported, but most clients automatically downgrade to HTTP/1.1 when challenged.

Results:

  • On Windows this produces a WindowsPrincipal and WindowsIdentity.
  • On Unix this produces a ClaimsIdentity with the name of the user ([email protected]). (No roles, etc.)
Tratcher (Member, Author) commented May 14, 2019

Usage sample:

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Require all requests to be authenticated unless an endpoint is marked as AllowAnonymous
            options.FallbackPolicy = options.DefaultPolicy;
        });
        // Register Negotiate (Kerberos/NTLM) as the default scheme; the handler only runs on Kestrel.
        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
            .AddNegotiate();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseAuthentication();
        app.UseAuthorization();
        app.Run(HandleRequest);
    }

    public async Task HandleRequest(HttpContext context)
    {
        // The request protocol is echoed so the HTTP/1.1 downgrade after a challenge is visible.
        var user = context.User.Identity;
        await context.Response.WriteAsync($"Authenticated? {user.IsAuthenticated}, Name: {user.Name}, Protocol: {context.Request.Protocol}");
    }
}
```

Tratcher (Member, Author) commented May 29, 2019

Environment setup:

Windows:

  • The only special setup for a Windows server is to add SPNs on the domain controller.
  • setspn -S HTTP/myservername.mydomain.com myuser from an admin command prompt.
  • Note the SPNs are added to the user account that will be running the web service, not to the machine account where the web service runs. This implementation happens in user mode, not kernel mode.

Linux:
Instructions for joining a Linux machine to the domain (tested using Ubuntu 18.04):
https://docs.microsoft.com/en-us/sql/azure-data-studio/enable-kerberos?view=sql-server-2017#join-your-os-to-the-active-directory-domain-controller

Additional steps:

  • The Linux install list seems outdated; I had to replace python-software-properties with python3-software-properties.
  • Once the Linux machine is on the domain you need to provide a keytab file with the SPNs.
  • On the domain controller add new SPNs for the web service to the machine account
  • setspn -S HTTP/mywebservice.mydomain.com mymachine
  • setspn -S HTTP/[email protected] mymachine
  • ktpass -princ HTTP/[email protected] -pass mykeytabfilepassword -mapuser MYDOMAIN\mymachine$ -pType KRB5_NT_PRINCIPAL -out c:\temp\mymachine.HTTP.keytab -crypto AES256-SHA1
  • Copy that keytab to the linux machine.
  • Select that keytab via environment variable:
    • export KRB5_KTNAME=/tmp/mymachine.HTTP.keytab
    • klist

@blowdart who would be a good person to review these instructions?
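A sanity check for the keytab step above, added here as an example rather than taken from the issue or from ASP.NET Core: it assumes MIT Kerberos `klist` on the Linux host, and the hostname, realm and keytab path are placeholders. It confirms the keytab KRB5_KTNAME points at holds the HTTP/ SPN with an AES256 key and is not readable by other local users.

```shell
#!/bin/sh
# Added sanity check, not from the issue or from ASP.NET Core: confirm the keytab that
# KRB5_KTNAME points at holds the HTTP/<fqdn>@REALM SPN with an AES256 key (what the
# ktpass step was meant to produce) and is not readable by other local users.

# keytab_lists_spn HOST REALM   (reads `klist -ke` output on stdin)
# Returns 0 if an entry "HTTP/HOST@REALM (aes256-cts-hmac-sha1-96)" is present.
keytab_lists_spn() {
    grep -E "HTTP/$1@$2 +\(aes256-cts-hmac-sha1-96\)" | grep -q .
}

# keytab_mode_ok PATH
# Returns 0 if the file exists and group/other have no permission bits (e.g. 600 or 400).
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD/macOS stat
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_keytab PATH HOST REALM   (what you would run on the Linux host itself)
check_keytab() {
    keytab_mode_ok "$1" || { echo "keytab $1 missing or readable by others"; return 1; }
    klist -ke "$1" | keytab_lists_spn "$2" "$3" \
        || { echo "no AES256 HTTP/$2@$3 entry in $1"; return 1; }
    echo "keytab $1 ok for HTTP/$2@$3"
}

# Constructed sample of MIT Kerberos `klist -ke` output so the SPN check can be
# exercised offline; host and realm are placeholders, not a real deployment.
SAMPLE_KLIST='Keytab name: FILE:/tmp/mymachine.HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/mywebservice.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)'

# sample_has_spn HOST REALM: runs the SPN check against the constructed sample.
sample_has_spn() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_lists_spn "$1" "$2"
}
```

On the real host run `check_keytab "$KRB5_KTNAME" mywebservice.mydomain.com MYDOMAIN.COM` after the export step; a missing AES256 entry usually means the ktpass -crypto or -princ value did not match the SPN.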

@Tratcher Tratcher self-assigned this May 31, 2019
@tdykstra tdykstra added the PU label Jun 7, 2019
@Tratcher Tratcher modified the milestones: Backlog, 3.0.0-preview7, 3.0.0-preview6 Jun 12, 2019
blacksnake-rus commented
> Environment setup:
> Additional steps:

If my app is deployed in Docker, do I then have to follow all these instructions inside the container?

Tratcher (Member, Author) commented
I haven't tried that yet. Note keytab files can be re-used so you should be able to do this setup once and then copy it into the container. Let me know how that goes.
