SPNEGO logon fails from linux client against windows server #26293
Comments
@karelz and @davidsh Would you please describe/state whether .NET Core 2.1 supports Kerberos Authentication from a Linux Client against a service? IMO, there are lots of confusing statements/issues around Kerberos Authentication on Linux and macOS and no clear statement as to what works and what does not work. Please clarify. For example, how does ".NET Data Provider for SQL Server" support Kerberos authentication on Linux? Does it revert back to P-Invoke calls; if yes, why? We are trying to create a roadmap for our product and hope to make it work on all platforms. I think Kerberos Authentication is fundamental and it has been tested on Linux (e.g. Red-Hat) already. I hope we are missing something fundamental (e.g. how to populate the cache with a Kerberos TGT for). Thanks in advance for clarification and help with Kerberos authentication on Linux and eventually macOS.
@CalArabshahi it is a good question, but does not seem to be directly related to this issue. Let's not hijack it. Please file a new issue for discussion. @wfurt is the right expert.
@karelz I will open a new issue. I work with @Aarthiumayaval. I hoped that you can provide guidance about this issue and whether it is really a bug without any workaround (i.e. Kerberos Authentication on Linux does not work). I think you have affirmed that .NET Core 2.1 supports Kerberos authentication on Linux but now we have to figure out how; and try to understand what is the bug in this specific case.
@CalArabshahi @Aarthiumayaval that is valuable information you are on the same team. The original post is about Kerberos has likely rough edges. We tested it only on Anyway, I think it would be best to close this issue and continue the discussion in dotnet/corefx#30203. Is that ok?
@karelz dotnet/corefx#30203 is a question but this issue is a bug. I would rather keep this issue open and close dotnet/corefx#30203. As you know, there are tests for NegotiateStream (#22855) but maybe they are not comprehensive. Anyway, hence our confusion whether the NegotiateStream failures are specific to one Linux distro or whether NegotiateStream does not work on Linux in general.
Yes, we are willing to help; but we have no idea where to start to debug "A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: GSSAPI operation failed with error - An invalid status code was supplied (Message stream modified)". I still think the issue is related to Kerberos ticket (i.e. CredentialCache.DefaultNetworkCredentials) that I alluded to in my earlier comment ("how to populate the cache with a Kerberos TGT"). Currently I am looking at SafeGssCredHandle.Create.
That's great. I would start by just debugging the failed call and step into CoreFX sources. First, try it out on 2.1 of course. Closing to avoid duplicate discussions - let's use dotnet/corefx#30203 as main issue (we can flip it to bug once it is clear it is a bug and not just misconfiguration).
Attaching client and server application compiled in netcoreapp2.0. Authentication is successful from the Windows client and fails from the Linux client. The server is Windows. In the client code I used the impersonation level System.Security.Principal.TokenImpersonationLevel.Identification for Linux, as only this is supported. From Windows I used System.Security.Principal.TokenImpersonationLevel.Impersonation
From the Linux client, I see the below error:
[root@sdl17146 publish]# dotnet krbclient.dll
From windows client:
C:\Users\rl151007.ESROOTDOM\aarthi>krbclient.exe
Client waiting for authentication...
IsAuthenticated: True
IsMutuallyAuthenticated: False
IsEncrypted: True
IsSigned: True
IsServer: False
Sent 22 bytes.
Client closed.
krbclient.cs
krbserver.cs
[EDIT] Fixing code and exception formatting by @karelz