I've created an ASP.NET Core 2.2 app which uses HTTP.sys and Windows authentication:
    using Microsoft.AspNetCore;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.AspNetCore.Server.HttpSys;

    // Program.cs: HTTP.sys host that requires Windows authentication on every request
    WebHost.CreateDefaultBuilder(args)
        // .UseStartup<Startup>() goes here in the real project (startup class name assumed)
        .UseHttpSys(options =>
        {
            options.AllowSynchronousIO = true;
            options.Authentication.Schemes = AuthenticationSchemes.Negotiate | AuthenticationSchemes.Kerberos;
            options.Authentication.AllowAnonymous = false; // anonymous requests are rejected by HTTP.sys
            options.MaxConnections = null;                 // no connection limit
            options.MaxRequestBodySize = 30000000;         // ~30 MB request body cap
            options.UrlPrefixes.Add("http://192.168.1.1:5000"); // bound to an IP, not a host name
        })
        .Build()
        .Run();
and runs on my PC (using my current domain user, which is also an admin). If I run Kerberos Authentication Tester, it shows me it's using NTLM (which is the backup plan for Negotiate when Kerberos is not available), and my app shows the authentication is Negotiate.
If I run Fiddler and turn on automatic authentication, and repeat the test, then Kerberos Authentication Tester shows None as the authentication (expected!), while my app shows the authentication is Kerberos.
Why does Kerberos Authentication Tester always fall back to NTLM?
The PC is running Windows 10 1803.
Eventually I found the reason. I needed to specify the server's fully qualified domain name rather than the machine IP in Kerberos Authentication Tester, and it magically worked. The token I got was SPNEGO, not Kerberos, but my understanding is that SPNEGO tokens wrap Kerberos or NTLM. See this answer on SO
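As an added example (not code from the question or the answer), a small middleware for the same ASP.NET Core 2.2 HTTP.sys app that logs which scheme each request actually completed with, using the AuthenticationType values reported above ("Negotiate" when Negotiate fell back to NTLM, "Kerberos" when a real ticket was presented), and can optionally reject the NTLM fallback so that clients addressing the server by IP instead of FQDN fail visibly. The class name, the kerberosOnly switch and the Startup registration line are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public class AuthSchemeLoggingMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<AuthSchemeLoggingMiddleware> _log;
    private readonly bool _kerberosOnly; // assumed policy switch, not part of the original app

    public AuthSchemeLoggingMiddleware(RequestDelegate next,
                                       ILogger<AuthSchemeLoggingMiddleware> log,
                                       bool kerberosOnly)
    {
        _next = next;
        _log = log;
        _kerberosOnly = kerberosOnly;
    }

    public async Task InvokeAsync(HttpContext ctx)
    {
        var identity = ctx.User?.Identity;
        // HTTP.sys fills AuthenticationType with the package that completed the handshake.
        // The question observed "Kerberos" for a ticket and "Negotiate" when NTLM was used underneath.
        var scheme = identity?.AuthenticationType ?? "anonymous";

        _log.LogInformation("{Method} {Path} (Host: {Host}) user={User} scheme={Scheme}",
            ctx.Request.Method, ctx.Request.Path, ctx.Request.Host.Value,
            identity?.Name ?? "-", scheme);

        if (_kerberosOnly && scheme != "Kerberos")
        {
            // A client that used the IP address cannot build an SPN, so Negotiate fell back to NTLM.
            // Rejecting it makes the misconfiguration visible instead of silently accepting weaker auth.
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            await ctx.Response.WriteAsync("Kerberos required: address the server by its FQDN, not its IP.");
            return;
        }

        await _next(ctx);
    }
}

// Registration in Startup.Configure, before MVC/endpoint middleware (assumed placement):
// app.UseMiddleware<AuthSchemeLoggingMiddleware>(true);
```

Run with kerberosOnly set to false first and read the log to confirm which scheme the tester and the browser actually negotiate before turning enforcement on.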