HTTP2: SocketsHttpHandler doesn't downgrade to HTTP/1.1 during Windows authentication

[davidsh]

When SocketsHttpHandler connects to a server using HTTP/2, it is unable to downgrade to HTTP/1.1 when the server requests Windows authentication (Negotiate or NTLM). The net result is that 401 is returned to the client without even trying to reconnect (with HTTP/1.1) and send credentials.

// Repro will be posted later

[geoffkizer]

See also dotnet/corefx#31304

[karelz]

@wfurt can you please chat with @davidsh about design / ideas here?

[karelz]

Given we scoped HTTP/2 to gRPC scenarios, this can wait for post-3.0.

[davidsh]

Given we scoped HTTP/2 to gRPC scenarios, this can wait for post-3.0.

Waiting for post-3.0 is ok as long as we don't opt-in by default for HTTP/2.0.

[Tratcher]

I noticed this while doing some auth testing. IE, Chrome, and Edge all have this fallback behavior. Also, the downgrade isn't just for the auth handshake, all subsequent requests are made on the HTTP/1.1 connection so they share the cached auth context.

WinHttpHandler is a bit different. The first HTTP/2 request challenges, falls back to HTTP/1.1, authenticates, and completes successfully. However, the next request is still made over HTTP/2, the client attempts the fallback again, and then it re-authenticates on the already authenticated connection. That could be a major performance hole to fall into.

[halter73]

This came up again. This time from a SignalR client user. See dotnet/aspnetcore#45371. Prior to .NET 7, the SignalR client forced HTTP/1.1 but we started allowing HTTP/2 in .NET 7. We're considering backporting a fix for SignalR to force HTTP/1.1 if the customer sets HttpConnectionOptions.UseDefaultCredentials to true.

@karelz Even though we have a fix for SignalR, we can't help but think HttpClient should have avoided this for us. Do you think we could do something similar in .NET 8 at the SocketsHttpHandler level when UseDefaultCredentials is set? Of course, the handler could be smarter than SignalR and wait for a challenge before downgrading,

[karelz]

@wfurt @ManickaP @CarnaViire any thoughts on this? (marking for re-triage given new scenario being impacted)