From da94384d100e07a48f141bcdda03ffed1f8e8cce Mon Sep 17 00:00:00 2001
From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
Date: Wed, 22 Mar 2023 08:51:32 -1000
Subject: [PATCH] Kerberos /8 (#28713)
* Kerberos /8
* Kerberos /8
* Kerberos /8
* Kerberos /8
---
.../security/authentication/windowsauth.md | 103 ++----------------
.../6.0samples/WebRPwinAuth/Program.cs | 27 ++---
2 files changed, 23 insertions(+), 107 deletions(-)
diff --git a/aspnetcore/security/authentication/windowsauth.md b/aspnetcore/security/authentication/windowsauth.md
index fc4b5d1169..0f50ac9d05 100644
--- a/aspnetcore/security/authentication/windowsauth.md
+++ b/aspnetcore/security/authentication/windowsauth.md
@@ -163,108 +163,23 @@ Anonymous requests are allowed. Use [ASP.NET Core Authorization](xref:security/a
The [Microsoft.AspNetCore.Authentication.Negotiate](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.Negotiate) component performs [User Mode](/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode) authentication. Service Principal Names (SPNs) must be added to the user account running the service, not the machine account. Execute `setspn -S HTTP/myservername.mydomain.com myuser` in an administrative command shell.
-
+On Kestrel, to see if NTLM or Kerberos is used, Base64 decode the the header and it shows either `NTLM` or `HTTP`. `HTTP` indicates Kerberos was used.
### Linux and macOS environment configuration
diff --git a/aspnetcore/security/authentication/windowsauth/6.0samples/WebRPwinAuth/Program.cs b/aspnetcore/security/authentication/windowsauth/6.0samples/WebRPwinAuth/Program.cs
index 89a2a7f2ac..dd10129633 100644
--- a/aspnetcore/security/authentication/windowsauth/6.0samples/WebRPwinAuth/Program.cs
+++ b/aspnetcore/security/authentication/windowsauth/6.0samples/WebRPwinAuth/Program.cs
@@ -1,7 +1,8 @@
-#define RBAC // DEFAULT RBAC LDAP HTS IMP
+#define DEFAULT // DEFAULT RBAC LDAP HTS IMP
#if NEVER
#elif DEFAULT
-#region snippet1
+//
+//
using Microsoft.AspNetCore.Authentication.Negotiate;
var builder = WebApplication.CreateBuilder(args);
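Review bot: The two added `//` lines that replace `#region snippet1` carry no snippet name, so as the patch reads here nothing distinguishes an opening marker from a closing one, or one snippet from another; the same holds for the bare `//` lines added in the later hunks of this file in place of `#region snippet_rbac`, `snippet_ldap`, `snippet_hts`, `snippet_imp` and each `#endregion`. If these are meant to be named comment tags, the name should be visible on the line, for example `// <snippet1>` at the top and `// </snippet1>` after `app.Run();`; if the names were present in the commit and only lost when this page was rendered, the point is moot. Two markers are stacked at the top and a third is added before `if (!app.Environment.IsDevelopment())`, so a one-line comment saying which ranges they delimit would help whoever maintains the code includes in windowsauth.md. The top-level program continues outside this hunk.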
@@ -16,7 +17,7 @@ builder.Services.AddAuthorization(options =>
builder.Services.AddRazorPages();
var app = builder.Build();
-
+//
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Error");
@@ -34,9 +35,9 @@ app.UseAuthorization();
app.MapRazorPages();
app.Run();
-#endregion
+//
#elif RBAC
-#region snippet_rbac
+//
using Microsoft.AspNetCore.Authentication.Negotiate;
using System.Runtime.InteropServices;
@@ -50,7 +51,7 @@ builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
options.EnableLdap("contoso.com");
}
});
-#endregion
+//
builder.Services.AddRazorPages();
@@ -74,7 +75,7 @@ app.MapRazorPages();
app.Run();
#elif LDAP
-#region snippet_ldap
+//
using Microsoft.AspNetCore.Authentication.Negotiate;
using System.Runtime.InteropServices;
@@ -96,7 +97,7 @@ builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
});
builder.Services.AddRazorPages();
-#endregion
+//
var app = builder.Build();
@@ -118,7 +119,7 @@ app.MapRazorPages();
app.Run();
#elif HTS
-#region snippet_hts
+//
using Microsoft.AspNetCore.Server.HttpSys;
using System.Runtime.InteropServices;
@@ -136,7 +137,7 @@ if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
options.Authentication.AllowAnonymous = false;
});
}
-#endregion
+//
builder.Services.AddRazorPages();
@@ -193,7 +194,7 @@ app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
-#region snippet_imp
+//
app.Run(async (context) =>
{
try
@@ -220,6 +221,6 @@ app.Run(async (context) =>
}
});
-#endregion
+//
#pragma warning restore CA1416 // Validate platform compatibility
-#endif
\ No newline at end of file
+#endif