
Getting 401 error with client generated Kerberos token added to .net 7 httpclient #361

Open
RussKahler1970 opened this issue Dec 1, 2023 · 31 comments

@RussKahler1970

Describe the bug
cannot get token to authenticate

To Reproduce
.net 7 app using httpclient with UseDefaultCredentials set to false

            var client = ClientFactory.CreateClient("SuperAssociate");
            HttpContent inputContent = new StringContent(GetEvent(), System.Text.Encoding.UTF8, "application/json");

            DnsQuery.RegisterImplementation(new PlatformIndependentDnsClient());

            var kClient = new KerberosClient();
            var kerbCred = new KerberosPasswordCredential("XXXXXX", "YYYYYYY", "salelytics.local");

            await kClient.Authenticate(kerbCred);

            var ticket = await kClient.GetServiceTicket("host/webtest01.salelytics.local");
                            
            var apiHost = "http://webtest01.salelytics.local/";
            Guard.Against.NullOrEmpty(apiHost);

            client.BaseAddress = new Uri(apiHost);
            var apiSite = "SuperAssociateRuss/api/IncomingEvent/";
            
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Negotiate", Convert.ToBase64String(ticket.EncodeGssApi().ToArray()));

            var apiResponse = await client.PostAsync(apiSite, inputContent);

Expected behavior
The Authorization Header should validate as my user

The token I get from Kerberos.Net is different from the one my Chrome browser is sending. Should it be the same?

@SteveSyfuhs
Collaborator

SteveSyfuhs commented Dec 1, 2023 via email

@RussKahler1970
Author

I changed the site to only allow Kerberos so Chrome is only using Kerberos.

Here are the two tokens:
Token from Chrome
Authorization: Negotiate [token omitted]

Token from Kerberos.net
Authorization: Negotiate [token omitted]

@RussKahler1970
Author

Sorry, I failed to add that the Kerberos.net user and windows user for Chrome are the same.

@RussKahler1970
Author

It's highly possible I have something wrong elsewhere. Do you know how to get more info on why it failed? What tool can I use to trace the failed authentication in Windows/IIS?

@SteveSyfuhs
Collaborator

Alright, let's see:

Chrome:

image

Kerberos.NET

image

There's a noticeable difference in the structure because the top-level structures are encoded differently. You can see the differences in the bold headers. I also noticed the tool (bruce kdecode) took an extra second to process it, meaning it was searching for the structure in the blob. That would suggest the output is encoded wrong. Maybe there is a bug in Kerberos.NET.

@RussKahler1970
Author

The SNAME is different too:
for Chrome it is HTTP/webtest01.salelytics.local
for Kerberos.Net it's host/webtest01.salelytics.local

Should I use http/webtest01.salelytics.local when I get the ticket?

   var ticket = await kClient.GetServiceTicket("host/webtest01.salelytics.local");

@RussKahler1970
Author

I am using this to encode the ticket. Is that right for Windows IIS?
Convert.ToBase64String(ticket.EncodeGssApi().ToArray())

@SteveSyfuhs
Collaborator

Okay, the difference in decoding is a bug in Bruce itself, not the library.

image

This shows it's decoding correctly.

> The SNAME is different too:
> for Chrome it is HTTP/webtest01.salelytics.local
> for Kerberos.Net it's host/webtest01.salelytics.local

This is a good candidate for testing next. HTTP is an alias for HOST in Windows, but if you have an explicit HTTP SPN registration that will take priority.

> Convert.ToBase64String(ticket.EncodeGssApi().ToArray())

Is fine.

@wfurt
Member

wfurt commented Dec 1, 2023

Note that the Negotiate protocol has its own ASN.1 structure, e.g. it is more than just a ticket. Does Kerberos.Net implement RFC 4559?

And the name is different, e.g. HTTP vs host. That is essentially a different SPN, right?

@SteveSyfuhs
Collaborator

That's what EncodeGssApi does. Poorly named, but does the business correctly.

public ReadOnlyMemory<byte> EncodeGssApi()
{
    var token = GssApiToken.Encode(Kerberos5Oid, this);

    var negoToken = new NegotiationToken
    {
        InitialToken = new NegTokenInit
        {
            MechTypes = new[] { Kerberos5Oid },
            MechToken = token
        }
    };

    return GssApiToken.Encode(SPNegoOid, negoToken);
}

@SteveSyfuhs
Collaborator

Although... the KVNO on both the chrome and kerb.net tickets are the same, which given that it's non-zero would suggest they're the same service principal too.

Are you seeing anything on the web server side in the event logs indicating why it's failing?

@RussKahler1970
Author

I see this in the IIS log.
2023-12-01 17:24:45 10.43.128.151 POST /SuperAssociateRuss/api/IncomingEvent/ - 80 - 10.43.242.148 - - 401 1 2148074248 2617

I don't see anything in Event Viewer at this time. I can do more searching on the server.

@RussKahler1970
Author

One other note on this. The Kerberos ticket generated with Chrome works and validates. The site in question requires Windows authentication and only has Negotiate as the only provider.

@RussKahler1970
Author

I tried http/webtest01.salelytics.local and it failed too.

@wfurt
Member

wfurt commented Dec 1, 2023

BTW is there a reason why you use Kerberos.net primitives instead of HttpClient directly - just curious.

@RussKahler1970
Author

Well, the end goal is for this to run in a Linux container that is not joined to our domain. I was hoping to use Kerberos.Net to get a Kerberos token and use it for authentication to a site that requires Windows authentication. My containers will be running in an AWS Fargate/ECS serverless environment in a VPC that is connected to our domain.

@SteveSyfuhs
Collaborator

Okay, I see what the problem might be. This is interesting.

The chrome message is decoding with OIDs
1.3.6.1.5.5.2 -- SPNEGO
1.2.840.113554.1.2.2 -- Kerberos

And the Kerberos.NET message is decoding as
1.3.6.1.5.5.2 -- SPNEGO
1.3.6.1.5.2 -- Kerberos

Which is abnormal because 1.3.6.1.5.2 is not supposed to be an OID Kerberos.NET understands. We should be using 1.2.840.113554.1.2.2.

But we aren't because of this change: https://github.com/dotnet/Kerberos.NET/blame/7be209d7549417cf0d4fdd178266417c39cc7efe/Kerberos.NET/Entities/MechType.cs#L15

Oops. That's just wrong one way or another so it needs to be fixed anyway, so let's see if this fixes it.
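
An added example (not part of the original thread and not Kerberos.NET code): a small Python decoder that pulls the mechanism OIDs out of an `Authorization: Negotiate` value, so the OID mismatch described in the comment above can be checked directly on a captured header. The function names and both sample tokens are constructed for illustration, and accepting the legacy Microsoft OID 1.2.840.48018.1.2.2 alongside the RFC 4121 one is an assumption of this sketch.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_MECH_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}  # RFC 4121 + legacy Microsoft

def read_tlv(buf, pos, want):
    """Return (value, next_pos) of the DER element at pos; its tag must be `want`."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + length > len(buf):
        raise ValueError(f"wanted tag 0x{want:02x}, got 0x{tag:02x} or truncated data")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def mech_oids(header_value):
    """Return (outer OID, offered mechType OIDs) of a 'Negotiate <base64>' value."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    body, _ = read_tlv(token, 0, 0x60)      # GSS-API initial context token
    outer, pos = read_tlv(body, 0, 0x06)    # thisMech
    node, _ = read_tlv(body, pos, 0xA0)     # [0] NegTokenInit
    for tag in (0x30, 0xA0, 0x30):          # SEQUENCE, [0] mechTypes, SEQUENCE OF OID
        node, _ = read_tlv(node, 0, tag)
    oids, pos = [], 0
    while pos < len(node):
        oid, pos = read_tlv(node, pos, 0x06)
        oids.append(decode_oid(oid))
    return decode_oid(outer), oids

def offers_kerberos(header_value):
    outer, oids = mech_oids(header_value)
    return outer == SPNEGO_OID and bool(KRB5_MECH_OIDS & set(oids))

def sample_header(mech_oid_hex):  # constructed token with a dummy mechToken, not a real ticket
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short lengths only
    mech_list = tlv(0xA0, tlv(0x30, tlv(0x06, bytes.fromhex(mech_oid_hex))))
    init = tlv(0x30, mech_list + tlv(0xA2, tlv(0x04, b"dummy")))
    token = tlv(0x60, tlv(0x06, bytes.fromhex("2b0601050502")) + tlv(0xA0, init))
    return "Negotiate " + base64.b64encode(token).decode()
```

The win32-status 2148074248 in the IIS log line earlier in the thread is 0x80090308, which is SEC_E_INVALID_TOKEN.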

@RussKahler1970
Author

the .Net 7 is not working to build a credential cache for the user either.

@RussKahler1970
Author

Is there a way to get a pull or build that I could test? I am currently using the NuGet package from nuget.org

@SteveSyfuhs
Collaborator

Yeah, I'm going to push up a prerelease package.

@RussKahler1970
Author

Sweet, just let me know when it's up there and I can download and test it out.

@SteveSyfuhs
Collaborator

Hot off the press: https://www.nuget.org/packages/Kerberos.NET/4.6.48-gbe643a489a

It'll take a minute to index.

@RussKahler1970
Author

Sweet first test but I got back 200!!!!
thanks for the quick response on this. I will do more testing from here..

@SteveSyfuhs
Collaborator

I've merged that fix. I don't expect you'll see any other issues related to this in particular. I'll get a proper release of the package out this weekend or early next week once I've figured out how to get a proper test on this.

@RussKahler1970
Author

Thanks for all your help on this.

@RussKahler1970
Author

Is there someplace I can go to get more info on this package? How best to use it for high volume of calls using Kerberos tickets, cache, refreshing, etc.

@SteveSyfuhs
Collaborator

Here's as good a place as any, though in a separate issue preferably. There isn't much in the way of one-size-fits-all guidance especially because if you're using this library it's likely for reasons that don't normally fit the usage of other libraries like the standard GSS libraries.

@RussKahler1970
Author

RussKahler1970 commented Dec 4, 2023 via email

@SteveSyfuhs
Collaborator

Just create an issue and put a label on it as a question.

@DanielMGoldberg

Hi!
I have a similar issue, I'm currently getting 401 whenever I set use defaultcredentials to false.

For now I'm using a keytab and use the authenticate function in order to get a valid token, whenever I try to use it in order to access a third party api I'm getting the mentioned error 401.

Thanks

@SteveSyfuhs
Collaborator

SteveSyfuhs commented Jun 10, 2024 via email
