Skip to content
This repository was archived by the owner on Jan 23, 2023. It is now read-only.

[release/2.1] Port Kerberos auth fixes to 2.1 branch#40109

Merged
danmoseley merged 1 commit intodotnet:release/2.1from
davidsh:kerb_fixes_21
Aug 8, 2019
Merged

[release/2.1] Port Kerberos auth fixes to 2.1 branch#40109
danmoseley merged 1 commit intodotnet:release/2.1from
davidsh:kerb_fixes_21

Conversation

@davidsh
Copy link
Contributor

@davidsh davidsh commented Aug 7, 2019

This PR ports some important Kerberos auth fixes from the 3.0 to 2.1 LTS
branch. These fixes help enterprise customers that have complex Kerberos
authentication scenarios that involve cross Windows (Active Directory)
and Linux (Kerberos) domains/realms.

These fixes are from PRs:

and are related to issue #36329.

Port Kerberos auth fixes to 2.1 branch
ba1d89d 
This PR ports some important Kerberos auth fixes from the 3.0 to 2.1 LTS
branch. These fixes help enterprise customers that have complex Kerberos
authentication scenarios that involve cross Windows (Active Directory)
and Linux (Kerberos) domains/realms.

These fixes are from PRs:

* dotnet#38465 - Use 'Host' header when calculating SPN for Kerberos auth
* dotnet#38377 - Use GSS_C_NT_HOSTBASED_SERVICE format for Linux Kerberos SPN

and are related to issue dotnet#36329.
@davidsh davidsh added tenet-compatibility Incompatibility with previous versions or .NET Framework os-linux Linux OS (any supported distro) area-System.Net.Http labels Aug 7, 2019
@davidsh davidsh added this to the 2.1.x milestone Aug 7, 2019
@davidsh davidsh self-assigned this Aug 7, 2019
@davidsh
Copy link
Contributor Author

davidsh commented Aug 7, 2019

Description

Customers that use Kerberos authentication with mixed Windows and Linux domains/realms are unable to use HttpClient or SqlClient. The requests are currently failing due to incorrect SPNs (Service Principal Name) being used during Negotiate/SPNEGO protocol.

Customer Impact

Without these fixes, important enterprise customers are unable to use HttpClient or SqlClient in these environments.

Regression?

Yes from .NET Core 2.0 (i.e. before SocketsHttpHandler was used).

Risk

Low. Fixes were manually tested in separate enterprise testing environment. A private build of these fixes was also tested in the customer's environment.

@davidsh davidsh changed the title Port Kerberos auth fixes to 2.1 branch [release/2.1] Port Kerberos auth fixes to 2.1 branch Aug 7, 2019
@davidsh davidsh requested a review from danmoseley August 7, 2019 18:46
@davidsh
Copy link
Contributor Author

davidsh commented Aug 7, 2019

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Aug 7, 2019

Azure Pipelines successfully started running 1 pipeline(s).

@davidsh davidsh added the Servicing-consider Issue for next servicing release review label Aug 7, 2019
@danmoseley
Copy link
Member

danmoseley commented Aug 8, 2019

approved offline

@danmoseley danmoseley merged commit 7bb81c6 into dotnet:release/2.1 Aug 8, 2019
@danmoseley
Copy link
Member

danmoseley commented Aug 8, 2019

Need mirroring into 2.2 before starting 2.2. build

@davidsh davidsh added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Aug 8, 2019
@davidsh davidsh deleted the kerb_fixes_21 branch August 8, 2019 16:19
@vivmishra vivmishra modified the milestones: 2.1.x, 2.1.13 Aug 8, 2019
wtgodbe pushed a commit that referenced this pull request Aug 8, 2019
@dotnet-maestro-bot @wtgodbe
[automated] Merge branch 'release/2.1' => 'release/2.2' (#40148)
825477c 
* Update BuildTools to rc1-04230-01

* Port Kerberos auth fixes to 2.1 branch (#40109)

This PR ports some important Kerberos auth fixes from the 3.0 to 2.1 LTS
branch. These fixes help enterprise customers that have complex Kerberos
authentication scenarios that involve cross Windows (Active Directory)
and Linux (Kerberos) domains/realms.

These fixes are from PRs:

* #38465 - Use 'Host' header when calculating SPN for Kerberos auth
* #38377 - Use GSS_C_NT_HOSTBASED_SERVICE format for Linux Kerberos SPN

and are related to issue #36329.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@danmoseley danmoseley Awaiting requested review from danmoseley

1 more reviewer

@stephentoub stephentoub stephentoub approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@davidsh davidsh

Labels

area-System.Net.Http os-linux Linux OS (any supported distro) Servicing-approved Approved for servicing release tenet-compatibility Incompatibility with previous versions or .NET Framework

Projects

None yet

Milestone

2.1.13

Development

Successfully merging this pull request may close these issues.

4 participants

@davidsh @danmoseley @stephentoub @vivmishra