From da94384d100e07a48f141bcdda03ffed1f8e8cce Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Wed, 22 Mar 2023 08:51:32 -1000 Subject: [PATCH] Kerberos /8 (#28713) * Kerberos /8 * Kerberos /8 * Kerberos /8 * Kerberos /8 --- .../security/authentication/windowsauth.md | 103 ++---------------- .../6.0samples/WebRPwinAuth/Program.cs | 27 ++--- 2 files changed, 23 insertions(+), 107 deletions(-) diff --git a/aspnetcore/security/authentication/windowsauth.md b/aspnetcore/security/authentication/windowsauth.md index fc4b5d1169..0f50ac9d05 100644 --- a/aspnetcore/security/authentication/windowsauth.md +++ b/aspnetcore/security/authentication/windowsauth.md @@ -163,108 +163,23 @@ Anonymous requests are allowed. Use [ASP.NET Core Authorization](xref:security/a The [Microsoft.AspNetCore.Authentication.Negotiate](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.Negotiate) component performs [User Mode](/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode) authentication. Service Principal Names (SPNs) must be added to the user account running the service, not the machine account. Execute `setspn -S HTTP/myservername.mydomain.com myuser` in an administrative command shell. - +On Kestrel, to see if NTLM or Kerberos is used, Base64 decode the the header and it shows either `NTLM` or `HTTP`. `HTTP` indicates Kerberos was used. ### Linux and macOS environment configuration diff --git a/aspnetcore/security/authentication/windowsauth/6.0samples/WebRPwinAuth/Program.cs b/aspnetcore/security/authentication/windowsauth/6.0samples/WebRPwinAuth/Program.cs index 89a2a7f2ac..dd10129633 100644 --- a/aspnetcore/security/authentication/windowsauth/6.0samples/WebRPwinAuth/Program.cs +++ b/aspnetcore/security/authentication/windowsauth/6.0samples/WebRPwinAuth/Program.cs 
@@ -1,7 +1,8 @@ -#define RBAC // DEFAULT RBAC LDAP HTS IMP +#define DEFAULT // DEFAULT RBAC LDAP HTS IMP #if NEVER #elif DEFAULT -#region snippet1 +// +// using Microsoft.AspNetCore.Authentication.Negotiate; var builder = WebApplication.CreateBuilder(args); @@ -16,7 +17,7 @@ builder.Services.AddAuthorization(options => builder.Services.AddRazorPages(); var app = builder.Build(); - +// if (!app.Environment.IsDevelopment()) { app.UseExceptionHandler("/Error"); @@ -34,9 +35,9 @@ app.UseAuthorization(); app.MapRazorPages(); app.Run(); -#endregion +// #elif RBAC -#region snippet_rbac +// using Microsoft.AspNetCore.Authentication.Negotiate; using System.Runtime.InteropServices; @@ -50,7 +51,7 @@ builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme) options.EnableLdap("contoso.com"); } }); -#endregion +// builder.Services.AddRazorPages(); @@ -74,7 +75,7 @@ app.MapRazorPages(); app.Run(); #elif LDAP -#region snippet_ldap +// using Microsoft.AspNetCore.Authentication.Negotiate; using System.Runtime.InteropServices; @@ -96,7 +97,7 @@ builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme) }); builder.Services.AddRazorPages(); -#endregion +// var app = builder.Build(); @@ -118,7 +119,7 @@ app.MapRazorPages(); app.Run(); #elif HTS -#region snippet_hts +// using Microsoft.AspNetCore.Server.HttpSys; using System.Runtime.InteropServices; @@ -136,7 +137,7 @@ if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) options.Authentication.AllowAnonymous = false; }); } -#endregion +// builder.Services.AddRazorPages(); @@ -193,7 +194,7 @@ app.UseAuthentication(); app.UseAuthorization(); app.MapRazorPages(); -#region snippet_imp +// app.Run(async (context) => { try @@ -220,6 +221,6 @@ app.Run(async (context) => } }); -#endregion +// #pragma warning restore CA1416 // Validate platform compatibility -#endif \ No newline at end of file +#endif
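Review bot: The `#region snippet1` line at the top of the `#elif DEFAULT` branch is replaced by two bare `//` lines, and the same pattern repeats in every later hunk of Program.cs (`#region snippet_rbac`, `snippet_ldap`, `snippet_hts`, `snippet_imp` and each matching `#endregion` become an empty `//`, and in the second hunk a blank line after `var app = builder.Build();` becomes `//`); an empty comment carries no information, so these lines should either be deleted or given whatever marker text the docs build now expects. The `#define` switch from `RBAC` to `DEFAULT` changes which branch of the `#if`/`#elif` chain is compiled, yet the trailing `// DEFAULT RBAC LDAP HTS IMP` comment only lists the symbols without saying what the define does; a clearer form is `#define DEFAULT // Selects which sample variant below is compiled: DEFAULT, RBAC, LDAP, HTS or IMP`. The `#if`/`#elif` chain spans the whole file, so each branch touched by these hunks starts and ends outside the hunk.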