forked from MihaZupan/runtime-utils
Open
Description
Triage for dotnet/runtime#119298.
Repo filter: All networking issues.
MihuBot version: d83a1d.
Ping MihaZupan for any issues.
This is a test triage report generated by AI, aimed at helping the triage team quickly identify past issues/PRs that may be related.
Take any conclusions with a large grain of salt.
Tool logs
dotnet/runtime#119298: Negotiate to NTLM authentication fallback not working by FixRM
[Tool] Searching for Negotiate to NTLM fallback not working, SocketsHttpHandler NTLM fallback, Windows authentication NTLM fallback, YARP NTLM fallback, issue 28531 (IncludeOpen=True, IncludeClosed=True, IncludeIssues=True, IncludePullRequests=True, Repository=dotnet/runtime)
[Tool] Searching for NTLM fallback regression, SocketsHttpHandler Windows authentication 401, ICredentials NTLM workaround (IncludeOpen=True, IncludeClosed=True, IncludeIssues=True, IncludePullRequests=True, Repository=dotnet/runtime)
[Tool] Obtained 1 comments for issue #28531: Negotiate to NTLM authentication fallback not working
[Tool] Obtained 0 comments for issue #119298: Negotiate to NTLM authentication fallback not working
[Tool] Obtained 26 comments for issue #24490: NTLM authentication HttpClient in Core
[Tool] Obtained 9 comments for issue #1582: HTTP2: SocketsHttpHandler doesn't downgrade to HTTP/1.1 during Windows authentication
[Tool] Obtained 4 comments for issue #25391: SocketsHttpHandler NTLM doesn't work
[Tool] Obtained 24 comments for issue #25827: SocketsHttpHandler: NTLM auth does not work by default on Unix
[Tool] Obtained 7 comments for issue #40222: fix regression in ChannelBinding/NTLM auth
[Tool] Obtained 20 comments for issue #26461: SocketsHttpHandler throws exception when authenticating proxy or server closes first 407 response
[Tool] Obtained 1 comments for issue #25368: SocketHttpHandler is failing NTLM authentication to proxy
[Tool] Obtained 32 comments for issue #17545: NTLM credentials not sent by client when there are multiple WWW-Authenticate headers
[Tool] Obtained 20 comments for issue #25291: NTLM authentication sometimes broken by multiple WWW-Authenticate headers
[Tool] Obtained 26 comments for issue #26397: .NET Core 2.1 SocketsHttpHandler proxy authentication using Windows auth is broken
[Tool] Obtained 13 comments for issue #28532: HTTPS and NTLM authentication throw PlatformNotSupportedException
[Tool] Obtained 11 comments for issue #44018: NTLM authentication HttpClient in Core 3.1 returns a 401
[Tool] Obtained 6 comments for issue #25688: Bad request created when a 401 is received after a Negotiate login
[Tool] Obtained 16 comments for issue #29748: NTLM not working on Linux
[Tool] Obtained 22 comments for issue #32680: NTLM support in Android
[Tool] Obtained 22 comments for issue #887: NTLM interop problems with MacOS
[Tool] Obtained 16 comments for issue #101058: NTLM authentication not working in Linux based environment
[Tool] Obtained 21 comments for issue #31110: Regression 2.1.13: AuthenticationException in Centos 7 using WCF
[Tool] Obtained 2 comments for issue #17012: Kerberos to ntlm fallback is not happening with the ntlmssp plugin when passed valid ntlm creds.
[Tool] Obtained 10 comments for issue #35365: NTLM authentication HttpClient in Core 3.1
[Tool] Obtained 20 comments for issue #94303: SocketsHttpHandler cannot authenticate NTLM with username format user@domain.com
[Tool] Obtained 5 comments for issue #97691: The SocketsHttpHandler cannot authenticate NTLM with the username format domain\samAccountName
[Tool] Obtained 6 comments for issue #75579: NTLM fails for HTTP only connection
[Tool] Obtained 20 comments for issue #95274: Use managed ntlm on linux-bionic
[Tool] Obtained 11 comments for issue #18362: "WinHttpException: The parameter is incorrect" when server return 401
[Tool] Obtained 3 comments for issue #113145: SocketsHttpHandler retries with useless "Authorization" header when SystemNetworkCredential is in use
[Tool] Obtained 3 comments for issue #31592: HttpClient sends NTLM ticket, even though it only has Negotiate credentials
[Tool] Obtained 6 comments for issue #59983: Can't authorize in asp.net server with kerberos (401)
[Tool] Obtained 20 comments for issue #51701: HttpClient UseDefaultCredentials Get with kerberos auth server sends NTLM
[Tool] Obtained 9 comments for issue #113414: Allow NTLM tests on newer Linux distributions
[Tool] Obtained 1 comments for issue #85633: enable ntlm tests on RHEL7 again
[Tool] Obtained 10 comments for issue #102107: HttpClient(AndroidMessageHandler) with NTLM v2 auth and Self Signed Certificate returns 401 Unauthorized
[Tool] Obtained 7 comments for issue #110523: HttpClient(AndroidMessageHandler) with NTLM v2 auth and Self Signed Certificate returns 401 Unauthorized
[Tool] Obtained 11 comments for issue #15392: Investigate feasibility of supporting NTLM protocol on non-Windows platforms
[Tool] Obtained 17 comments for issue #99227: NET8 WcfClient (net-tcp binding) running on linux cannot be authenticated on WCF Server hosted on windows if UseManagedNtlm is set
[Tool] Obtained 12 comments for issue #82547: NTLM 401 macOS (Apple sillicon)
[Tool] Obtained 0 comments for issue #71427: Enhance the NTLM negotiation testing on Linux/macOS
[Tool] Obtained 4 comments for issue #65627: NTLM: Enable MIC generation with the gss-ntlmssp provider
[Tool] Found 52 issues, 474 comments, 40 returned results (18031 ms)
[Tool] Obtained 1 comments for issue #28531: Negotiate to NTLM authentication fallback not working
[Tool] Obtained 1 comments for issue #28531: Negotiate to NTLM authentication fallback not working
[Tool] Obtained 0 comments for issue #119298: Negotiate to NTLM authentication fallback not working
[Tool] Obtained 4 comments for issue #25391: SocketsHttpHandler NTLM doesn't work
[Tool] Obtained 25 comments for issue #25827: SocketsHttpHandler: NTLM auth does not work by default on Unix
[Tool] Obtained 25 comments for issue #24490: NTLM authentication HttpClient in Core
[Tool] Obtained 9 comments for issue #1582: HTTP2: SocketsHttpHandler doesn't downgrade to HTTP/1.1 during Windows authentication
[Tool] Obtained 13 comments for issue #28532: HTTPS and NTLM authentication throw PlatformNotSupportedException
[Tool] Obtained 20 comments for issue #94303: SocketsHttpHandler cannot authenticate NTLM with username format user@domain.com
[Tool] Obtained 3 comments for issue #42945: Issue 42839
[Tool] Obtained 1 comments for issue #37980: Issue 37161
[Tool] Obtained 16 comments for issue #29748: NTLM not working on Linux
[Tool] Obtained 28 comments for issue #17545: NTLM credentials not sent by client when there are multiple WWW-Authenticate headers
[Tool] Obtained 16 comments for issue #101058: NTLM authentication not working in Linux based environment
[Tool] Obtained 20 comments for issue #25291: NTLM authentication sometimes broken by multiple WWW-Authenticate headers
[Tool] Obtained 21 comments for issue #26782: Http Negotiate authentication fails on Unix
[Tool] Obtained 1 comments for issue #25368: SocketHttpHandler is failing NTLM authentication to proxy
[Tool] Obtained 5 comments for issue #97691: The SocketsHttpHandler cannot authenticate NTLM with the username format domain\samAccountName
[Tool] Obtained 10 comments for issue #35365: NTLM authentication HttpClient in Core 3.1
[Tool] Obtained 0 comments for issue #28530: Incorrect exception message shown during NTLM authentication
[Tool] Obtained 20 comments for issue #46432: Issue 45021
[Tool] Obtained 22 comments for issue #32680: NTLM support in Android
[Tool] Obtained 7 comments for issue #66549: Issue 66496
[Tool] Obtained 3 comments for issue #83820: Issue 83667
[Tool] Obtained 12 comments for issue #33191: Remove calls to empty RuntimeHelpers.PrepareConstrainedRegions()
[Tool] Obtained 1 comments for issue #33629: Delete unnecessary ReferenceSystemPrivateCoreLib from CoreCLR tests
[Tool] Obtained 3 comments for issue #108878: Authentication is failing for domain user while connecting winrm with Negotiate auth type from the Ubuntu Linux
[Tool] Obtained 20 comments for issue #100231: NegotiateStream fails when authenticating from linux client to windows server
[Tool] Obtained 13 comments for issue #102483: NTLM does not always work properly on all platforms with MAUI with SocketsHttpHandler
[Tool] Obtained 21 comments for issue #887: NTLM interop problems with MacOS
[Tool] Obtained 20 comments for issue #64614: NetworkAddressChange.Unix: use async Socket API to wait for events.
[Tool] Obtained 12 comments for issue #55674: Consider CALLFINALLY block as pred of finally block during assertion props
[Tool] Obtained 2 comments for issue #64596: System.IO work planned for .NET 7
[Tool] Obtained 10 comments for issue #44511: Isolated Storage gives CodeBase is not supported on assemblies loaded from a single-file bundle.
[Tool] Obtained 6 comments for issue #75294: [release/6.0] Bump the macOS image to one that isn't EOL yet
[Tool] Obtained 3 comments for issue #45307: Fix issue 45183
[Tool] Obtained 7 comments for issue #98101: [mt][browser] `HttpClient_CancelInDifferentThread` failing with operation cancelled
[Tool] Obtained 3 comments for issue #70945: Ensure JsonSerializer / source generator works well with required members
[Tool] Obtained 13 comments for issue #54058: #54008 Issue Fix
[Tool] Obtained 6 comments for issue #44780: MutexTests.CrossProcess_NamedMutex_ProtectedFileAccessAtomic failure on Linux
[Tool] Obtained 20 comments for issue #75012: New ASCII APIs
[Tool] Found 75 issues, 442 comments, 41 returned results (25341 ms)
Here are the most relevant related issues and discussions to issue #119298, "Negotiate to NTLM authentication fallback not working":
1. Issue #28531 (Jan 2019) - Negotiate to NTLM authentication fallback not working
- Summary: This is the issue directly referenced by the new report. It describes how, as of .NET Core 2.1, SocketsHttpHandler on Windows should fall back from Kerberos to NTLM when Kerberos is unavailable, but this fallback was not working on non-Windows platforms. The issue was fixed for non-Windows in PR dotnet/corefx#35383, and the fix shipped in .NET Core 3.0. On Windows, fallback is handled by the Windows SSPI Negotiate module and should work.
- Resolution: Fixed in .NET Core 3.0 for non-Windows. On Windows, fallback is expected to work via SSPI.
2. Issue #24490 (Dec 2017) - NTLM authentication HttpClient in Core
- Summary: Users reported that NTLM authentication with HttpClient and CredentialCache.DefaultNetworkCredentials works on .NET Framework but not on .NET Core, especially when both Kerberos and NTLM are enabled on the server. The discussion reveals that if both are enabled, the client may not respond to the challenge unless the server is configured to only allow NTLM.
- Key Comments:
- The client will always pick the strongest scheme (Negotiate/Kerberos) if available, even if only NTLM credentials are provided.
- Workarounds include using a CredentialCache with only NTLM, or configuring the server to only offer NTLM.
- There is a bug in .NET Core where the fallback to NTLM does not happen if Negotiate is offered but cannot be satisfied.
- Relevance: This is the same scenario as the new issue: fallback from Negotiate to NTLM does not occur, resulting in a 401.
3. Issue #25291 (Mar 2018) - NTLM authentication sometimes broken by multiple WWW-Authenticate headers
- Summary: When a server offers both Negotiate and NTLM, and the client only provides NTLM credentials, the client may fail to authenticate if it tries Negotiate first and does not fall back to NTLM. This was fixed in .NET Core 2.1.
- Key Comments:
- The fix was to ensure that if the strongest scheme (Negotiate) cannot be satisfied, the client should fall back to NTLM if available.
- Workarounds included using a CredentialCache with both Negotiate and NTLM, or configuring the server to only offer NTLM.
- Relevance: Reinforces the fallback logic and the importance of proper credential selection.
4. Issue #25827 (Apr 2018) - SocketsHttpHandler: NTLM auth does not work by default on Unix
- Summary: On Unix, NTLM authentication requires the gss-ntlmssp package. Without it, fallback from Negotiate to NTLM will not work. On Windows, fallback is handled by SSPI.
- Key Comments:
- On Windows, fallback should work if the system is configured correctly.
- On Unix, explicit installation of NTLM support is required.
- Relevance: Confirms that on Windows, fallback is expected to work, but there may be edge cases or regressions.
5. Issue #29748 (June 2019) - NTLM not working on Linux
- Summary: Reports that NTLM fallback does not work on Linux unless the required packages are installed, and that fallback logic is not present in .NET Core 2.1 but is fixed in .NET Core 3.0.
- Key Comments:
- On Windows, fallback is handled by SSPI.
- On Linux, explicit credentials and packages are required.
- Relevance: Confirms the platform-specific behavior.
6. Issue #35365 (Apr 2020) - NTLM authentication HttpClient in Core 3.1
- Summary: Reports that NTLM authentication with UseDefaultCredentials works in .NET Core 2.2 but not in 3.1. Workarounds include disabling SocketsHttpHandler or using explicit credentials.
- Key Comments:
- There are subtle differences in how fallback and credential selection work between versions.
- Disabling SocketsHttpHandler is not a long-term solution.
- Relevance: Suggests there may be regressions or subtle changes in fallback behavior in newer .NET versions.
7. Issue #94303 (Nov 2023) - SocketsHttpHandler cannot authenticate NTLM with username format user@domain.com
- Summary: On iOS, SocketsHttpHandler did not handle UPN (user@domain.com) format for NTLM, but this was fixed in .NET 8 with the UseManagedNtlm switch. The managed NTLM implementation is now the default for .NET 9 on macOS/iOS.
- Relevance: Shows ongoing improvements and fixes in NTLM/Negotiate handling in recent .NET versions.
8. Issue #119298 (Sep 2025) - Negotiate to NTLM authentication fallback not working (current issue)
- Summary: The user reports that on Windows Server 2016 with .NET 9.0, using YARP as a proxy to an IIS WebAPI with Windows authentication, SocketsHttpHandler does not fall back to NTLM if Kerberos is unavailable, resulting in a 401. Framework-based HTTP clients work. A workaround is to force NTLM with a custom ICredentials implementation.
- Key Details:
- This is a regression compared to .NET Framework.
- The workaround is to force NTLM by returning credentials only for the NTLM scheme.
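A sketch of the workaround described in item 8, added here as an example; it is not code from the issue, from YARP, or from dotnet/runtime. The class name NtlmOnlyCredentials and the host backend.example.internal are assumptions. It goes slightly beyond the report by also scoping the credential to one host, so that forcing the weaker NTLM scheme does not apply to every destination the handler talks to.

```csharp
#nullable enable
using System;
using System.Net;
using System.Net.Http;

// Hypothetical helper (name is an assumption, not from the issue): returns a
// credential only when the handler asks for the NTLM scheme on one allow-listed
// host, so no credential is available for Negotiate and NTLM is used instead.
public sealed class NtlmOnlyCredentials : ICredentials
{
    private readonly NetworkCredential _credential;
    private readonly string _allowedHost;

    public NtlmOnlyCredentials(NetworkCredential credential, string allowedHost)
    {
        _credential = credential ?? throw new ArgumentNullException(nameof(credential));
        _allowedHost = allowedHost ?? throw new ArgumentNullException(nameof(allowedHost));
    }

    public NetworkCredential? GetCredential(Uri uri, string authType)
    {
        // Scheme names in WWW-Authenticate are case-insensitive.
        bool isNtlm = string.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase);
        // Limit the NTLM-only behaviour to the backend that needs it.
        bool hostOk = string.Equals(uri.Host, _allowedHost, StringComparison.OrdinalIgnoreCase);
        return isNtlm && hostOk ? _credential : null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values; the host name is a placeholder.
        var creds = new NtlmOnlyCredentials(
            CredentialCache.DefaultNetworkCredentials, "backend.example.internal");
        using var handler = new SocketsHttpHandler { Credentials = creds };
        using var client = new HttpClient(handler);

        // Offline check of the selection logic; no request is sent.
        var backend = new Uri("http://backend.example.internal/api/values");
        var other = new Uri("http://other.example.internal/");
        Console.WriteLine($"Negotiate, backend: {creds.GetCredential(backend, "Negotiate") is not null}");
        Console.WriteLine($"NTLM, backend:      {creds.GetCredential(backend, "NTLM") is not null}");
        Console.WriteLine($"NTLM, other host:   {creds.GetCredential(other, "NTLM") is not null}");
    }
}
```

Because this disables Kerberos for the listed host even when Kerberos would have succeeded, it is best kept as narrow as possible and removed once fallback works.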
Conclusions and Recommendations
- This is a known class of issue: There is a long history of problems with fallback from Negotiate to NTLM, especially when both are offered by the server and the client cannot satisfy Negotiate/Kerberos.
- On Windows, fallback should work via SSPI: However, there have been regressions and subtle changes in behavior across .NET Core and .NET 5/6/7/8/9.
- Workarounds: Forcing NTLM via a custom ICredentials implementation is a common workaround, but not ideal.
- Recent changes: There have been ongoing improvements to NTLM/Negotiate handling, especially in cross-platform scenarios and with the managed NTLM implementation.
- Action: This may be a regression or an unaddressed edge case in .NET 9.0 on Windows. It would be valuable to compare the behavior with .NET Framework and earlier .NET Core versions, and to collect traces to confirm whether SSPI is being used as expected.
Additional Related Issues
- #1582 - HTTP2: SocketsHttpHandler doesn't downgrade to HTTP/1.1 during Windows authentication
- #25391 - SocketsHttpHandler NTLM doesn't work
- #17545 - NTLM credentials not sent by client when there are multiple WWW-Authenticate headers
If you need more detail on any specific issue or workaround, let me know!