aspnetcore: Multiple 401 when using Windows authentication on HTTP.sys
Describe the bug
The 401 WWW-Negotiate challenge happens for each request.
To Reproduce
Steps to reproduce the behavior:
- Using this version of ASP.NET Core ‘2.2’
- Set up HTTP.Sys with
options.Authentication.Schemes = Microsoft.AspNetCore.Server.HttpSys.AuthenticationSchemes.Negotiate; - Run Fiddler to intercept requests
- Use a client to perform a GET
Expected behavior
The 401 WWW-Negotiate challenge happens only the first time.
Additional context
It looks like when using IIS it is possible to configure authPersistNonNTLM=true to achieve this. See [https://blogs.msdn.microsoft.com/dsnotes/2014/02/11/iis-how-to-reduce-multiple-authentication-or-multiple-401-while-using-kerberos-for-authentication/](this link)
Side note
Performing the 401 challenge means more requests, more traffic, less performance.
About this issue
- Original URL
- State: open
- Created 5 years ago
- Comments: 15 (9 by maintainers)
Commits related to this issue
- http.sys: Allow configuring HTTP_AUTH_EX_FLAGs as options The native HTTP.sys API offers two extended authentication flags: - `HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING` and - `HTTP_AUTH_E... — committed to evgenykotkov/aspnetcore by evgenykotkov 8 months ago
- http.sys: Allow configuring HTTP_AUTH_EX_FLAGs as options The native HTTP.sys API offers two extended authentication flags: - `HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING` and - `HTTP_AUTH_E... — committed to evgenykotkov/aspnetcore by evgenykotkov 8 months ago
No, UseDefaultCredentials means to use the current WindowsIdentity if challenged for 401 Negotiate/NTLM/Kerberos. It means you don’t have to give it the username and password manually.