The Wayback Machine - https://web.archive.org/web/20220207132659/https://github.com/dotnet/aspnetcore/issues/40025
Receiving 'The feature is not supported' in Microsoft.AspNetCore.Authentication.Negotiate #40025

Open
1 task done
daniilzaonegin opened this issue Feb 7, 2022 · 1 comment


@daniilzaonegin daniilzaonegin commented Feb 7, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I created a simple application to test authentication in a Linux container.

using System.Runtime.InteropServices; // RuntimeInformation, OSPlatform
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.

builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate(options =>
    {
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
        {
            options.EnableLdap(settings =>
            {
                settings.Domain = "<domain_name>";
                settings.MachineAccountName = "<windows_host_name>";
            });
        }
    });

var app = builder.Build();

// Configure the HTTP request pipeline.

app.UseSwagger();
app.UseSwaggerUI();

app.UseAuthentication();

app.UseAuthorization();

app.MapControllers().RequireAuthorization();

app.Run();

UserController

using Microsoft.AspNetCore.Mvc; // ControllerBase, [ApiController], [HttpGet]

namespace TestNegotiate.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class UsersController : ControllerBase
    {
        [HttpGet]
        public IActionResult GetUser()
        {
            var claims = User.Claims.Select(c => new { c.Value, c.Type });

            return Ok(
                new
                {
                    User.Identity?.Name,
                    User.Identity?.IsAuthenticated,
                    claims
                });
        }
    }
}

Dockerfile:

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
ENV KRB5_KTNAME=/app/srv-dms-k8s.keytab
RUN apt-get update \
&& apt-get install -y --no-install-recommends krb5-config krb5-user realmd adcli packagekit sssd sssd-tools
COPY TestNegotiate/krb5.conf /etc/krb5.conf
EXPOSE 80

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY ["TestNegotiate/TestNegotiate.csproj", "TestNegotiate/"]
RUN dotnet restore "TestNegotiate/TestNegotiate.csproj"
COPY . .
WORKDIR "/src/TestNegotiate"
RUN dotnet build "TestNegotiate.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "TestNegotiate.csproj" -c Release -o /app/publish

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "TestNegotiate.dll"]

During application start I receive an error:

System.DirectoryServices.Protocols.LdapException: The feature is not supported. 
   at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
   at System.DirectoryServices.Protocols.LdapConnection.Bind()
   at Microsoft.AspNetCore.Authentication.Negotiate.PostConfigureNegotiateOptions.PostConfigure(String name, NegotiateOptions options)
   at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
   at Microsoft.Extensions.Options.OptionsMonitor`1.<>c__DisplayClass10_0.<Get>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
   at Microsoft.Extensions.Options.OptionsMonitor`1.Get(String name)
   at Microsoft.AspNetCore.Authentication.Negotiate.Internal.NegotiateOptionsValidationStartupFilter.<>c__DisplayClass2_0.<Configure>b__0(IApplicationBuilder builder)
   at Microsoft.AspNetCore.Mvc.Filters.MiddlewareFilterBuilderStartupFilter.<>c__DisplayClass0_0.<Configure>g__MiddlewareFilterBuilder|0(IApplicationBuilder builder)
   at Microsoft.AspNetCore.HostFilteringStartupFilter.<>c__DisplayClass0_0.<Configure>b__0(IApplicationBuilder app)
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
   at Microsoft.AspNetCore.Builder.WebApplication.Run(String url)
   at Program.<Main>$(String[] args) in C:\Users\ruazed1\source\repos\TestNegotiate\TestNegotiate\Program.cs:line 34

Why does this happen? It is written here that it should work under Linux: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-6.0&tabs=visual-studio#kerberos-authentication-and-role-based-access-control-rbac.

Expected Behavior

Authentication should work and resolve groups using LDAP.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

On the local machine (where the application is built):

❯ dotnet --info
.NET SDK (reflecting any global.json):
 Version:   6.0.101
 Commit:    ef49f6213a

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19043
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.101\

Host (useful for support):
  Version: 6.0.1
  Commit:  3a25a7f1cc

.NET SDKs installed:
  3.1.414 [C:\Program Files\dotnet\sdk]
  5.0.202 [C:\Program Files\dotnet\sdk]
  5.0.404 [C:\Program Files\dotnet\sdk]
  6.0.100 [C:\Program Files\dotnet\sdk]
  6.0.101 [C:\Program Files\dotnet\sdk]

In the container:

root@25b23ba7824f:/app# dotnet --info

Host (useful for support):
  Version: 6.0.1
  Commit:  3a25a7f1cc

.NET SDKs installed:
  No SDKs were found.

.NET runtimes installed:
  Microsoft.AspNetCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET runtimes or SDKs:
  https://aka.ms/dotnet-download

Anything else?

No response


@daniilzaonegin daniilzaonegin commented Feb 7, 2022

Probably I get this error because my local container hasn't joined the domain and has a machine name that does not exist in Active Directory, and I shouldn't use a Windows machine name in a Linux container.

But I don't think the error explains that to me. When I see the LdapException "feature is not supported", that means to me that everything is configured correctly, but the feature is just not supported on Linux.

Is there any way to get Claims using user credentials instead of machine credentials?
