Fix SocketsHttpHandler proxy auth for 'Negotiate' scheme

[davidsh]

Issue #39887 reported that proxy authentication with 'Negotiate' scheme broke between
.NET Core 3.0 Preview 6 and Preview 7. The base64 blob was no longer using SPNEGO protocol
but instead was always using NTLM. While 'Negotiate' scheme can use either SPNEGO or NTLM,
it should always use SPNEGO if possible. And many enterprises have a setting which requires
it and rejects NTLM protocol.

This issue was caused by PR #38465 which fixed some other SPN issues with Kerberos
authentication. That PR regressed the SPN calculation for the proxy authentication by
using the wrong host name in the SPN. A mismatch of the SPN will cause NTLM to be used
instead of SPNEGO.

The fix is to check if proxy authentication is being used instead of server authentication.
If so, it ignores any 'Host' header and always will use the uri, which in this case is the
uri of the proxy server.

This was tested manually. It is impossible right now to test Kerberos and proxy scenarios in
CI because they require machine configuration to register SPNs in a Windows Active Directory
environment.

This PR will be ported for release/3.0 for ASK mode consideration since it affects a mainline
enterprise scenario.

Fixes #39887

[davidsh]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 4 pipeline(s).

[wfurt]

LGTM.
Could we add test? (can be done post 3.0)

[davidsh]

Could we add test? (can be done post 3.0)

I am thinking about how to write a test for this. It would build on the work done in these tests

corefx/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.Authentication.cs

Lines 519 to 528 in 06d215d

	private static bool IsNtlmInstalled => Capability.IsNtlmInstalled();
	private static bool IsWindowsServerAvailable => !string.IsNullOrEmpty(Configuration.Http.WindowsServerHttpHost);
	private static bool IsDomainJoinedServerAvailable => !string.IsNullOrEmpty(Configuration.Http.DomainJoinedHttpHost);
	private static NetworkCredential DomainCredential = new NetworkCredential(
	Configuration.Security.ActiveDirectoryUserName,
	Configuration.Security.ActiveDirectoryUserPassword,
	Configuration.Security.ActiveDirectoryName);
	[ConditionalFact(nameof(IsDomainJoinedServerAvailable))]
	public async Task Credentials_DomainJoinedServerUsesKerberos_Success()

where they run only if running in a domain joined Windows ActiveDirectory environment. The trick is to have a proxy server that can report whether SPNEGO or NTLM tokens were used for authentication and then we can test against that. I have a proxy server I wrote that I'm working on to support that.

[wfurt]

I know this is tricky. But in this case all we need to do is to verify that correct mechanism was selected, right?

[davidsh]

I know this is tricky. But in this case all we need to do is to verify that correct mechanism was selected, right?

Thanks for the feedback. I was able to write a new test that builds on the existing set of tests we have that can run in a domain joined environment (when enabled via the required environment variables).

[davidsh]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 4 pipeline(s).