I want to set up a web server so that it allows Kerberos authentication exclusively (no NTLM). I'm using ASP.NET Core (Blazor) with HTTP.sys.
I have managed to successfully set up both server and client so that Kerberos authentication works when I use the 'Negotiate' scheme:
builder.Services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
builder.WebHost.UseHttpSys(options =>
{
options.Authentication.Schemes = AuthenticationSchemes.Negotiate;
options.Authentication.AllowAnonymous = false;
options.UrlPrefixes.Add("http://+:80/AuthTest");
});
I have SPN and client trusted sites settings in place. When I browse to http://myhost.my.domain/AuthTest on the client it authenticates successfully. Using Wireshark I've confirmed that Kerberos authentication is used; the respective ticket is also shown with klist on the client machine.
However, when I change a single line in my setup to use the Kerberos auth scheme instead of Negotiate:
options.Authentication.Schemes = AuthenticationSchemes.Kerberos;
I can no longer enter my website; the browser displays a 401 error page.
In my original setup, the server responded to the initial request with a 401 status code and a WWW-Authenticate=Negotiate (...) header, after which the browser asked the KDC for a Kerberos ticket and repeated the request to my server with a WWW-Authorization header. All good.
After changing the authentication scheme to AuthenticationSchemes.Kerberos, the server responds with 401 and a WWW-Authenticate=Kerberos header, which the browser seems to ignore: it doesn't send any subsequent requests, nor does it reach out to the KDC.
I haven't been able to find any documentation on sending "Kerberos" as a value of the WWW-Authenticate header (I've only found "Negotiate" documented). However, HTTP.sys has this option predefined and sends such a header, which the browser seems to ignore.
So, my question is: Is it valid to send "Kerberos" as a value of the WWW-Authenticate header (can browsers understand it)? If so, what do I have to change in my setup to allow it to work (or what additional info should I provide)? If not, can Kerberos-only authentication be achieved with HTTP?
Yes and no. Kerberos as a mechanism is used in some HTTP-based protocols such as WinRM/WS-Man (the main transport for PSRemoting, which is likely why HTTP.sys has it as an option), but it is not used for regular "web browser" HTTP.
All browsers prefer Kerberos over NTLM when Negotiate is used. On the server side, it would be sufficiently secure to manually return 401 after authentication if the app detects that NTLM has been used.
(If you want to prevent an NTLM token from being sent for security reasons, that needs to be limited on the client side, it's useless to do it on the server side.)
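The server-side check the answer describes, as an added example that is not part of the question or answer: the HTTP.sys host keeps the Negotiate scheme (so browsers still fetch a Kerberos ticket), and a middleware rejects any request whose logon was completed by a package other than Kerberos. It assumes that WindowsIdentity.AuthenticationType reports the package that actually completed the handshake ("Kerberos" or "NTLM") and that the prefix from the question is used, so the app's path base is /AuthTest.

```csharp
// Added example: reject NTLM logons after HTTP.sys has authenticated the request.
using System;
using System.Security.Principal;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
builder.WebHost.UseHttpSys(options =>
{
    // Negotiate stays: browsers answer it with Kerberos when an SPN is registered.
    options.Authentication.Schemes = AuthenticationSchemes.Negotiate;
    options.Authentication.AllowAnonymous = false;
    options.UrlPrefixes.Add("http://+:80/AuthTest");
});

var app = builder.Build();

// Runs after HTTP.sys has already completed the SPNEGO handshake.
app.Use(async (context, next) =>
{
    // Assumption: AuthenticationType names the package that actually
    // authenticated the caller, independent of the advertised scheme.
    var identity = context.User.Identity as WindowsIdentity;
    var package = identity?.AuthenticationType ?? "none";

    if (!string.Equals(package, "Kerberos", StringComparison.OrdinalIgnoreCase))
    {
        // NTLM fallbacks usually mean a missing/wrong SPN or a client that
        // reached the host by IP address instead of its DNS name; log them.
        app.Logger.LogWarning("Rejected {Package} logon for {User} from {Ip}",
            package, identity?.Name ?? "anonymous", context.Connection.RemoteIpAddress);
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        context.Response.Headers["WWW-Authenticate"] = "Negotiate";
        return;
    }

    await next();
});

// "/" maps to http://host/AuthTest because of the registered URL prefix.
app.MapGet("/", (HttpContext ctx) => $"Hello {ctx.User.Identity?.Name} (Kerberos)");

app.Run();
```

The warning log is the useful signal here: a steady stream of rejected NTLM logons points at SPN or DNS problems on the client side, which is where the answer says the restriction ultimately has to be enforced.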