Preauthentication for Negotiate #30195
Description
I'm wondering why the SocketsHttpHandler does not support preauthentication for the Negotiate protocol. I do not have deeper knowledge about the Kerberos implementation and therefore have no idea of how extensive it would be to support this feature.
I base my statement of it being unsupported on the comment in the AuthenticationHelper.cs:
...
// If preauth is enabled and this isn't proxy auth, try to get a basic credential from the
// preauth credentials cache, and if successful, set an auth header for it onto the request.
// Currently we only support preauth for Basic.
bool performedBasicPreauth = false;
if(preAuthenticate)
{ ...Information about our setup:
- The client application is running on Linux
- The client application is joined to the domain via a keytab-file
- The client application can succesfully authenticate
So, everything is working, but certain gateway policies prohibits us from calling consecutive unauthenticated calls, which is why the preauthentication is needed. It also seems to be an uneccesary use of network capacity and server resources to perform the challenge on every HTTP-call, but there might be something I'm missing.