Fix Kerberos/NTLM for multiple domain/realm environments in Linux

David Shulman · David Shulman · commit 0b989eb0e2d4 · 2019-03-24T22:01:51.000Z
This PR addresses some issues reported by a customer (not thru GitHub). They noticed that multiple domain scenarios were working in .NET Core 2.0 but broke in .NET Core 2.1 on Linux While the previous PR #35383 solved the Negotiate Kerberos to NTLM fallback issue, it added more complexity than necessary. The retry logic I added wasn't really necessary because the original code that used GSS_KRB5_NT_PRINCIPAL_NAME format for the target name was wrong. That logic only works for pure Kerberos environments and doesn't handle domain or realm referrals. So, it only handles the default Kerberos realm on the the single Linux client. In addition, using GSS_KRB5_NT_PRINCIPAL_NAME defeats the logic of the SPNEGO mechanism. That is why I originally needed to add the retry logic using GSS_C_NT_HOSTBASED_SERVICE format for the target name. The multiple domain/realm scenario worked in .NET Core 2.0 because it used CurlHandler. And libcurl always uses GSS_C_NT_HOSTBASED_SERVICE format for target name. This PR reworks the logic to use the GSS_C_NT_HOSTBASED_SERVICE format. It also removes the now unneeded retry logic. I tested this against Windows and Linux as well as pure Kerberos and Kerberos to NTLM fallback (using SPNEGO). I added more tests. These tests are currently part of the enterprise scenario tests we are building. They are activated via environment variables. By definining all of the environment variables below, I am able to run the System.Net.Security and System.Net.Http enterprise-scenario tests. Both SocketsHttpHandler in System.Net.Http and NegotiateStream in System.Net.Security use the same common GSS-API logic in CoreFx. Define domain-joined server remote endpoint: * COREFX_NET_SECURITY_NEGOSERVERURI * COREFX_DOMAINJOINED_HTTPHOST * COREFX_NET_AD_DOMAINNAME * COREFX_NET_AD_PASSWORD * COREFX_NET_AD_USERNAME Define standalone server remote endpoint: * COREFX_NET_SERVER_PASSWORD * COREFX_NET_SERVER_USERNAME * COREFX_WINDOWSSERVER_HTTPHOST
diff --git a/src/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.cs b/src/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.cs
@@ -41,7 +41,6 @@ internal static extern Status ImportTargetName(
             out Status minorStatus,
             string inputName,
             int inputNameByteCount,
-            bool isNtlmTarget,
             out SafeGssNameHandle outputName);
 
         [DllImport(Interop.Libraries.NetSecurityNative, EntryPoint="NetSecurityNative_ReleaseName")]
@@ -77,9 +76,7 @@ internal static extern Status InitSecContext(
             bool isNtlmOnly,
             IntPtr cbt,
             int cbtSize,
-            bool isNtlmFallback,
-            SafeGssNameHandle targetNameKerberos,
-            SafeGssNameHandle targetNameNtlm,
+            SafeGssNameHandle targetName,
             uint reqFlags,
             byte[] inputBytes,
             int inputLength,
diff --git a/src/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.cs b/src/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.cs
@@ -31,13 +31,13 @@ public static SafeGssNameHandle CreateUser(string name)
             return retHandle;
         }
 
-        public static SafeGssNameHandle CreateTarget(string name, bool isNtlmTarget)
+        public static SafeGssNameHandle CreateTarget(string name)
         {
             Debug.Assert(!string.IsNullOrEmpty(name), "Invalid target name passed to SafeGssNameHandle create");
             SafeGssNameHandle retHandle;
             Interop.NetSecurityNative.Status minorStatus;
             Interop.NetSecurityNative.Status status = Interop.NetSecurityNative.ImportTargetName(
-                out minorStatus, name, Encoding.UTF8.GetByteCount(name), isNtlmTarget, out retHandle);
+                out minorStatus, name, Encoding.UTF8.GetByteCount(name), out retHandle);
 
             if (status != Interop.NetSecurityNative.Status.GSS_S_COMPLETE)
             {
diff --git a/src/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs b/src/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs
@@ -99,9 +99,7 @@ private static bool GssInitSecurityContext(
             SafeGssCredHandle credential,
             bool isNtlm,
             ChannelBinding channelBinding,
-            bool isNtlmFallback,
-            SafeGssNameHandle targetNameKerberos,
-            SafeGssNameHandle targetNameNtlm,
+            SafeGssNameHandle targetName,
             Interop.NetSecurityNative.GssFlags inFlags,
             byte[] buffer,
             out byte[] outputBuffer,
@@ -143,9 +141,7 @@ private static bool GssInitSecurityContext(
                                                           isNtlm,
                                                           cbtAppData,
                                                           cbtAppDataSize,
-                                                          isNtlmFallback,
-                                                          targetNameKerberos,
-                                                          targetNameNtlm,
+                                                          targetName,
                                                           (uint)inFlags,
                                                           buffer,
                                                           (buffer == null) ? 0 : buffer.Length,
@@ -180,7 +176,6 @@ private static SecurityStatusPal EstablishSecurityContext(
           ref ContextFlagsPal outFlags)
         {
             bool isNtlmOnly = credential.IsNtlmOnly;
-            bool initialContext = false;
 
             if (context == null)
             {
@@ -190,7 +185,6 @@ private static SecurityStatusPal EstablishSecurityContext(
                     NetEventSource.Info(null, $"requested protocol = {protocol}, target = {targetName}");
                 }
 
-                initialContext = true;
                 context = new SafeDeleteNegoContext(credential, targetName);
             }
 
@@ -207,29 +201,21 @@ private static SecurityStatusPal EstablishSecurityContext(
                    credential.GssCredential,
                    isNtlmOnly,
                    channelBinding,
-                   negoContext.IsNtlmFallback,
-                   negoContext.TargetNameKerberos,
-                   negoContext.TargetNameNtlm,
+                   negoContext.TargetName,
                    inputFlags,
                    incomingBlob,
                    out resultBuffer,
                    out outputFlags,
                    out isNtlmUsed);
 
-                if (initialContext)
+                if (done)
                 {
                     if (NetEventSource.IsEnabled)
                     {
                         string protocol = isNtlmOnly ? "NTLM" : isNtlmUsed ? "SPNEGO-NTLM" : "SPNEGO-Kerberos";
                         NetEventSource.Info(null, $"actual protocol = {protocol}");
                     }
 
-                    // Remember if SPNEGO did a fallback from Kerberos to NTLM while generating the initial context.                 
-                    if (!isNtlmOnly && isNtlmUsed)
-                    {
-                        negoContext.IsNtlmFallback = true;
-                    }
-
                     // Populate protocol used for authentication
                     negoContext.SetAuthenticationPackage(isNtlmUsed);
                 }
diff --git a/src/Common/src/System/Net/Security/Unix/SafeDeleteNegoContext.cs b/src/Common/src/System/Net/Security/Unix/SafeDeleteNegoContext.cs
@@ -12,28 +12,13 @@ namespace System.Net.Security
 {
     internal sealed class SafeDeleteNegoContext : SafeDeleteContext
     {
-        private SafeGssNameHandle _targetNameKerberos;
-        private SafeGssNameHandle _targetNameNtlm;
+        private SafeGssNameHandle _targetName;
         private SafeGssContextHandle _context;
-        private bool _isNtlmFallback;
         private bool _isNtlmUsed;
-
-        public SafeGssNameHandle TargetNameKerberos
-        {
-            get { return _targetNameKerberos; }
-        }
-
-        public SafeGssNameHandle TargetNameNtlm
-        {
-            get { return _targetNameNtlm; }
-        }
-
-        // Property represents if SPNEGO needed to fall back from Kerberos to NTLM when
-        // generating initial context token.
-        public bool IsNtlmFallback
+        
+        public SafeGssNameHandle TargetName
         {
-            get { return _isNtlmFallback; }
-            set { _isNtlmFallback = value; }
+            get { return _targetName; }
         }
 
         // Property represents if final protocol negotiated is Ntlm or not.
@@ -53,8 +38,10 @@ public SafeDeleteNegoContext(SafeFreeNegoCredentials credential, string targetNa
             Debug.Assert((null != credential), "Null credential in SafeDeleteNegoContext");
             try
             {
-                _targetNameKerberos = SafeGssNameHandle.CreateTarget(targetName, isNtlmTarget: false);
-                _targetNameNtlm = SafeGssNameHandle.CreateTarget(targetName, isNtlmTarget: true);
+                // Convert any "SERVICE/HOST" style of targetName to use "SERVICE@HOST" style.
+                // This is because the System.Net.Security.Native GSS-API layer uses
+                // GSS_C_NT_HOSTBASED_SERVICE format for targetName.
+                _targetName = SafeGssNameHandle.CreateTarget(targetName.Replace('/', '@'));
             }
             catch
             {
@@ -84,16 +71,10 @@ protected override void Dispose(bool disposing)
                     _context = null;
                 }
 
-                if (_targetNameKerberos != null)
-                {
-                    _targetNameKerberos.Dispose();
-                    _targetNameKerberos = null;
-                }
-
-                if (_targetNameNtlm != null)
+                if (_targetName != null)
                 {
-                    _targetNameNtlm.Dispose();
-                    _targetNameNtlm = null;
+                    _targetName.Dispose();
+                    _targetName = null;
                 }
             }
             base.Dispose(disposing);
diff --git a/src/Native/Unix/System.Net.Security.Native/pal_gssapi.c b/src/Native/Unix/System.Net.Security.Native/pal_gssapi.c
@@ -147,28 +147,15 @@ NetSecurityNative_ImportUserName(uint32_t* minorStatus, char* inputName, uint32_
 uint32_t NetSecurityNative_ImportTargetName(uint32_t* minorStatus,
                                             char* inputName,
                                             uint32_t inputNameLen,
-                                            uint32_t isNtlmTarget,
                                             GssName** outputName)
 {
     assert(minorStatus != NULL);
     assert(inputName != NULL);
-    assert(isNtlmTarget == 0 || isNtlmTarget == 1);
     assert(outputName != NULL);
     assert(*outputName == NULL);
 
-    gss_OID nameType;
-
-    if (isNtlmTarget)
-    {
-        nameType = GSS_C_NT_HOSTBASED_SERVICE;
-    }
-    else
-    {
-        nameType = (gss_OID)(unsigned long)GSS_KRB5_NT_PRINCIPAL_NAME;
-    }
-
     GssBuffer inputNameBuffer = {.length = inputNameLen, .value = inputName};
-    return gss_import_name(minorStatus, &inputNameBuffer, nameType, outputName);
+    return gss_import_name(minorStatus, &inputNameBuffer, GSS_C_NT_HOSTBASED_SERVICE, outputName);
 }
 
 uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
@@ -177,9 +164,7 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
                                           uint32_t isNtlm,
                                           void* cbt,
                                           int32_t cbtSize,
-                                          int32_t isNtlmFallback,
-                                          GssName* targetNameKerberos,
-                                          GssName* targetNameNtlm,
+                                          GssName* targetName,
                                           uint32_t reqFlags,
                                           uint8_t* inputBytes,
                                           uint32_t inputLength,
@@ -190,9 +175,7 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
     assert(minorStatus != NULL);
     assert(contextHandle != NULL);
     assert(isNtlm == 0 || isNtlm == 1);
-    assert(isNtlm == 1 || targetNameKerberos != NULL);
-    assert(isNtlmFallback == 0 || isNtlmFallback == 1);
-    assert(targetNameNtlm != NULL);
+    assert(targetName != NULL);
     assert(inputBytes != NULL || inputLength == 0);
     assert(outBuffer != NULL);
     assert(retFlags != NULL);
@@ -203,6 +186,7 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
 // Note: *contextHandle is null only in the first call and non-null in the subsequent calls
 
 #if HAVE_GSS_SPNEGO_MECHANISM
+    gss_OID krbMech = GSS_KRB5_MECHANISM;
     gss_OID desiredMech;
     if (isNtlm)
     {
@@ -212,9 +196,8 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
     {
         desiredMech = GSS_SPNEGO_MECHANISM;
     }
-
-    gss_OID krbMech = GSS_KRB5_MECHANISM;
 #else
+    gss_OID krbMech = (gss_OID)(unsigned long)gss_mech_krb5;
     gss_OID_desc gss_mech_OID_desc;
     if (isNtlm)
     {
@@ -226,10 +209,8 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
     }
 
     gss_OID desiredMech = &gss_mech_OID_desc;
-    gss_OID krbMech = (gss_OID)(unsigned long)gss_mech_krb5;
 #endif
 
-    *isNtlmUsed = 1;
     GssBuffer inputToken = {.length = inputLength, .value = inputBytes};
     GssBuffer gssBuffer = {.length = 0, .value = NULL};
     gss_OID_desc* outmech;
@@ -242,49 +223,31 @@ uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
         gssCbt.application_data.value = cbt;
     }
 
-    GssName* targetName;
-    if (isNtlm || isNtlmFallback)
+    uint32_t majorStatus = gss_init_sec_context(minorStatus,
+                                                claimantCredHandle,
+                                                contextHandle,
+                                                targetName,
+                                                desiredMech,
+                                                reqFlags,
+                                                0,
+                                                (cbt != NULL) ? &gssCbt : GSS_C_NO_CHANNEL_BINDINGS,
+                                                &inputToken,
+                                                &outmech,
+                                                &gssBuffer,
+                                                retFlags,
+                                                NULL);
+
+    if (isNtlm)
     {
-        targetName = targetNameNtlm;
+        *isNtlmUsed = 1;
     }
-    else
+    else if (majorStatus == GSS_S_COMPLETE && gss_oid_equal(outmech, krbMech) != 0)
     {
-        targetName = targetNameKerberos;
+        *isNtlmUsed = 0;
     }
-    
-    uint32_t majorStatus;
-    uint32_t retryCount = 0;
-    bool retry;
-    do
-    {
-        majorStatus = gss_init_sec_context(minorStatus,
-                                           claimantCredHandle,
-                                           contextHandle,
-                                           targetName,
-                                           desiredMech,
-                                           reqFlags,
-                                           0,
-                                           (cbt != NULL) ? &gssCbt : GSS_C_NO_CHANNEL_BINDINGS,
-                                           &inputToken,
-                                           &outmech,
-                                           &gssBuffer,
-                                           retFlags,
-                                           NULL);
-
-        // If SPNEGO fails to generate optimistic Kerberos token on initial call then fall back to SPNEGO-wrapped NTLM.
-        retry = false;
-        if ((majorStatus == GSS_S_FAILURE || majorStatus == GSS_S_BAD_NAMETYPE) &&
-            *contextHandle == NULL && !isNtlm && ++retryCount <= 1)
-        {
-            targetName = targetNameNtlm;
-            retry = true;
-        }
-    } while (retry);
-
-    // Outmech can be null when gssntlmssp lib uses NTLM mechanism
-    if (outmech != NULL && gss_oid_equal(outmech, krbMech) != 0)
+    else
     {
-        *isNtlmUsed = 0;
+        *isNtlmUsed = 1;
     }
 
     NetSecurityNative_MoveBuffer(&gssBuffer, outBuffer);
diff --git a/src/Native/Unix/System.Net.Security.Native/pal_gssapi.h b/src/Native/Unix/System.Net.Security.Native/pal_gssapi.h
@@ -82,7 +82,6 @@ Shims the gss_import_name method with nametype = GSS_C_NT_USER_NAME.
 DLLEXPORT uint32_t NetSecurityNative_ImportTargetName(uint32_t* minorStatus,
                                                          char* inputName,
                                                          uint32_t inputNameLen,
-                                                         uint32_t isNtlmTarget,
                                                          GssName** outputName);
 
 /*
@@ -110,9 +109,7 @@ DLLEXPORT uint32_t NetSecurityNative_InitSecContext(uint32_t* minorStatus,
                                                     uint32_t isNtlm,
                                                     void* cbt,
                                                     int32_t cbtSize,
-                                                    int32_t isNtlmFallback,
-                                                    GssName* targetNameKerberos,
-                                                    GssName* targetNameNtlm,
+                                                    GssName* targetName,
                                                     uint32_t reqFlags,
                                                     uint8_t* inputBytes,
                                                     uint32_t inputLength,
diff --git a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.Authentication.cs b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.Authentication.cs
@@ -522,6 +522,41 @@ public static IEnumerable<object[]> ServerUsesWindowsAuthentication_MemberData()
 
         private static bool IsNtlmInstalled => Capability.IsNtlmInstalled();
         private static bool IsWindowsServerAvailable => !string.IsNullOrEmpty(Configuration.Http.WindowsServerHttpHost);
+        private static bool IsDomainJoinedServerAvailable => !string.IsNullOrEmpty(Configuration.Http.DomainJoinedHttpHost);
+
+        [ConditionalFact(nameof(IsDomainJoinedServerAvailable))]
+        public async Task Credentials_DomainJoinedServerUsesKerberos_Success()
+        {
+            if (IsCurlHandler)
+            {
+                throw new SkipTestException("CurlHandler (libCurl) will use existing kinit credential if it exists and ignores explicit credential");
+            }
+
+            using (HttpClientHandler handler = CreateHttpClientHandler())
+            using (var client = new HttpClient(handler))
+            {
+                handler.Credentials = new NetworkCredential(
+                    Configuration.Security.ActiveDirectoryUserName,
+                    Configuration.Security.ActiveDirectoryUserPassword,
+                    Configuration.Security.ActiveDirectoryName);
+
+                var request = new HttpRequestMessage();
+                var server = $"http://{Configuration.Http.DomainJoinedHttpHost}/test/auth/kerberos/showidentity.ashx";
+                request.RequestUri = new Uri(server);
+
+                // Force HTTP/1.1 since both CurlHandler and SocketsHttpHandler have problems with
+                // HTTP/2.0 and Windows authentication (due to HTTP/2.0 -> HTTP/1.1 downgrade handling).
+                // Issue #35195 (for SocketsHttpHandler).
+                request.Version = new Version(1,1);
+
+                using (HttpResponseMessage response = await client.SendAsync(request))
+                {
+                    Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+                    string body = await response.Content.ReadAsStringAsync();
+                    _output.WriteLine(body);
+                }
+            }
+        }
 
         [ConditionalTheory(nameof(IsNtlmInstalled), nameof(IsWindowsServerAvailable))]
         [MemberData(nameof(ServerUsesWindowsAuthentication_MemberData))]

Original file line number	Diff line number	Diff line change
`@@ -31,13 +31,13 @@ public static SafeGssNameHandle CreateUser(string name)`
`31`	`31`	`return retHandle;`
`32`	`32`	`}`
`33`	`33`
`34`		`- public static SafeGssNameHandle CreateTarget(string name, bool isNtlmTarget)`
	`34`	`+ public static SafeGssNameHandle CreateTarget(string name)`
`35`	`35`	`{`
`36`	`36`	`Debug.Assert(!string.IsNullOrEmpty(name), "Invalid target name passed to SafeGssNameHandle create");`
`37`	`37`	`SafeGssNameHandle retHandle;`
`38`	`38`	`Interop.NetSecurityNative.Status minorStatus;`
`39`	`39`	`Interop.NetSecurityNative.Status status = Interop.NetSecurityNative.ImportTargetName(`
`40`		`- out minorStatus, name, Encoding.UTF8.GetByteCount(name), isNtlmTarget, out retHandle);`
	`40`	`+ out minorStatus, name, Encoding.UTF8.GetByteCount(name), out retHandle);`
`41`	`41`
`42`	`42`	`if (status != Interop.NetSecurityNative.Status.GSS_S_COMPLETE)`
`43`	`43`	`{`