runtime: HttpClient on .NET 7 fails on Kerberos authentication
Description
After an upgrade of our project from .NET 6 to .NET 7 the IDP endpoint is now returning invalidToken responses. I’ve created a console application that only contains the code below and built it for .NET 6 and .NET 7. The latter version throws the error below.
OS: Windows Server 2019
.NET Version: 7
Application: WPF and Console App, same behavior.
I’ve added the code for a very basic application that replicates the behavior.
using System.Configuration;

Console.WriteLine("Beep boop bop... starting application");

// Send the current Windows identity with the request (Windows authentication).
HttpClientHandler handler = new()
{
    UseDefaultCredentials = true,
    PreAuthenticate = true,
};

// Accepts every server certificate, so TLS certificate validation is off in this repro.
handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, certChain, policyErrors) =>
{
    return true;
};

HttpClient client = new(handler);
string url = ConfigurationManager.AppSettings["IdpUrl"];
Console.WriteLine($"Requesting: {url}");
HttpResponseMessage? response = await client.GetAsync(url);
Console.WriteLine($"Response status code: {response.StatusCode}");
Console.WriteLine($"Response: {response}");
Console.WriteLine("Beep boop bop... signing off");
Console.ReadLine();
The stacktrace:
System.Net.Http.HttpRequestException: Authentication validation failed with error - InvalidToken.
at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
Thanks in advance.
Reproduction Steps
Run the console application from the description and call a URL that uses windows authentication to return a JWT token.
Expected behavior
The endpoint receives the client credentials and authenticates successfully and returns a JWT token.
Actual behavior
We receive the error message System.Net.Http.HttpRequestException: Authentication validation failed with error - InvalidToken.
Regression?
No response
Known Workarounds
No response
Configuration
No response
Other information
No response
About this issue
- State: closed
- Created a year ago
- Comments: 30 (17 by maintainers)
I will try the proposed steps today. Today I’ve installed the application on a Windows 10 Enterprise PC and the problem still persists. My hope was that it was indeed a server to server issue.
This has a slightly different error mode than #80781. It looks like it fails on the MIC verification [which was not present on .NET 6].
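Added example (not part of the original thread and not dotnet/runtime code): assuming the MIC mentioned in the last comment is the SPNEGO `mechListMIC` field of RFC 4178, this Python helper decodes a captured `WWW-Authenticate: Negotiate` header value and reports the server's negState, mechanism and whether a MIC is present. The function names and the two sample tokens are constructed for illustration.

```python
import base64

NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
_BASE = "a003 0a0100 a10b 0609 2a864886f712010202 a206 0404 00000000"
_hdr = lambda h: "Negotiate " + base64.b64encode(bytes.fromhex(h)).decode()
SAMPLE_NO_MIC = _hdr("a11c 301a" + _BASE)  # constructed sample, placeholder bytes
SAMPLE_WITH_MIC = _hdr("a124 3022" + _BASE + "a306 0404 00000000")  # constructed sample

def read_tlv(buf, pos=0):
    """Decode the DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_negotiate_header(header_value):
    """Summarise the NegTokenResp in a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("expected 'Negotiate <base64 token>'")
    tag, body, _ = read_tlv(base64.b64decode(b64))
    if tag != 0xA1:  # [1] selects negTokenResp in the NegotiationToken CHOICE
        raise ValueError("token is not a NegTokenResp")
    tag, seq, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("NegTokenResp is not a SEQUENCE")
    info = dict.fromkeys(["negState", "supportedMech", "responseToken_len", "mechListMIC_len"])
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        inner = read_tlv(field)[1]  # each field is EXPLICIT-tagged: unwrap it
        if tag == 0xA0:
            info["negState"] = NEG_STATES.get(inner[0], f"unknown({inner[0]})")
        elif tag == 0xA1:
            info["supportedMech"] = decode_oid(inner)
        elif tag in (0xA2, 0xA3):
            info["responseToken_len" if tag == 0xA2 else "mechListMIC_len"] = len(inner)
    return info
```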