HttpClient - Authenticating NetworkCredentials on Fedora throws InvalidToken exception #120058

@jurijr

Description

When using HttpClient with Windows NTLM / Kerberos authentication on Fedora Linux, authenticating with valid credentials throws an exception:

System.Net.Http.HttpRequestException: Authentication validation failed with error - InvalidToken.
   at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, TokenImpersonationLevel impersonationLevel, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Program.<Main>$(String[] args) in /Program.cs

Reproduction Steps

C# console app "NtlmTest":

HttpClientHandler handler = new ()
{
    Credentials = new System.Net.NetworkCredential(args[2], args[3], args[1]),
    PreAuthenticate = false,
    UseDefaultCredentials = false
};

using HttpClient client = new (handler);
try
{
    HttpResponseMessage response = await client.GetAsync(args[0]);
    Console.WriteLine($"Status: {response.StatusCode}");
    string content = await response.Content.ReadAsStringAsync();
    Console.WriteLine(content);
}
catch (Exception ex)
{
    Console.WriteLine($"Error: {ex}");
}

Run with args:

0. url
1. domain
2. user
3. password

Build exe for testing:
dotnet publish -c Release -r linux-x64 /p:PublishSingleFile=true /p:PublishTrimmed=true /p:SelfContained=true

Fedora docker file:

FROM fedora:latest
RUN dnf install -y libicu curl libcurl ca-certificates krb5-workstation krb5-libs krb5-auth-dialog openssl-libs zlib gssntlmssp  \
    && dnf clean all
COPY NtlmTest NtlmTest
RUN chmod +x NtlmTest
CMD ["/NtlmTest", "http://host.docker.internal:8080", "DOMAIN", "USER", "PASSWORD"]

Build docker:
docker build -t fedora-demo .

Run docker:
docker run --rm fedora-demo

Expected behavior

Should return 200 (OK), like on Windows or other Linux distributions (like Ubuntu).

Actual behavior

Throws exception

Regression?

No response

Known Workarounds

No response

Configuration

Tested as not working on .NET 9 and .NET 10 RC running on Fedora x64.

Other information

The server is running on Windows, accepting only NTLM and Kerberos auth.

Metadata

Labels

area-System.Net.Http, needs-further-triage (Issue has been initially triaged, but needs deeper consideration or reconsideration)
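The exception in the report does not say which authentication scheme produced the invalid token. The following triage variant of the repro is an added example, not code from the issue author or the dotnet/runtime project: it lists the schemes the server challenges with, then retries with the credential bound to one scheme at a time through `CredentialCache`. It assumes the same argument order as the report (url, domain, user, password).

```csharp
using System.Net;
using System.Net.Http;

// Same argument order as the report: url, domain, user, password.
Uri uri = new(args[0]);
NetworkCredential credential = new(args[2], args[3], args[1]);

// Step 1: unauthenticated probe. Lists the schemes the server offers in its
// WWW-Authenticate challenge, so the scheme names used below can be confirmed.
using (HttpClient probe = new(new HttpClientHandler { UseDefaultCredentials = false }))
{
    using HttpResponseMessage challenge = await probe.GetAsync(uri);
    Console.WriteLine($"Unauthenticated status: {(int)challenge.StatusCode}");
    foreach (var header in challenge.Headers.WwwAuthenticate)
    {
        Console.WriteLine($"  offered scheme: {header.Scheme}");
    }
}

// Step 2: one attempt per scheme. A CredentialCache entry is keyed by
// (URI prefix, auth type), so the handler only finds a credential for the
// scheme registered here and skips the other one.
// Note: "Negotiate" is SPNEGO and may itself select NTLM when Kerberos is not usable.
foreach (string scheme in new[] { "Negotiate", "NTLM" })
{
    CredentialCache cache = new();
    cache.Add(new Uri(uri.GetLeftPart(UriPartial.Authority)), scheme, credential);

    HttpClientHandler handler = new()
    {
        Credentials = cache,
        PreAuthenticate = false,
        UseDefaultCredentials = false
    };

    using HttpClient client = new(handler);
    try
    {
        using HttpResponseMessage response = await client.GetAsync(uri);
        Console.WriteLine($"{scheme}: {(int)response.StatusCode} {response.StatusCode}");
    }
    catch (HttpRequestException ex)
    {
        // Message only: the credential itself is never written to the output.
        Console.WriteLine($"{scheme}: {ex.Message}");
    }
}
```

Running this in the Fedora container and in a working Ubuntu container shows which scheme fails on which image, which narrows the report to a specific GSSAPI mechanism before deeper triage.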