Bug Report: Authentication Validation Error (GenericFailure) in .NET8

[korovindenis]

Description

When executing the provided code snippet in a .NET 8 project, an HttpRequestException is thrown with the message Authentication validation failed with error - GenericFailure. This issue occurs when attempting to send an HTTP request using HttpClient with Kerberos authentication and utilizing default credentials.

Reproduction Steps

1. Create a new .NET 8 project.
2. Add the following code to the Program.cs file:

using System.Net;
class Program
{
    static async Task Main(string[] args)
    {

        var handler = new HttpClientHandler
        {
            UseDefaultCredentials = true,
        };

        using (var client = new HttpClient(handler))
        {
            try
            {
                HttpResponseMessage response = await client.GetAsync("...");
                response.EnsureSuccessStatusCode();

            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }
    }
}

3. Run the project.

Expected behavior

The HTTP request is successfully sent, and the response is processed without any exceptions.

Actual behavior

System.Net.Http.HttpRequestException: Authentication validation failed with error - GenericFailure.
   at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Program.Main(String[] args) in C:\...\Program.cs:line 16

Regression?

In .NET 6 this issue does not occur.

Known Workarounds

• Changing the HTTP version to HTTP/1.0 by setting client.DefaultRequestVersion = HttpVersion.Version10.
• Using .NET 6 where this issue does not occur.

Configuration

• .NET SDK Version: .NET8

• Operating System: Win10

• Server: Using gokrb5 Kerberos library

Other information

The problem may be related to the following code added in .NET 8:

runtime/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticationHelper.NtAuth.cs

Line 208 in eb765b7

// Tail response for Negotiate on successful authentication. Validate it before we proceed.

Additionally, in the gokrb5 library, there is a constant used for the WWW-Authenticate header set to the client upon successful authentication with HTTP code 200 . Could this be related to the issue?

[ManickaP]

@wfurt any thoughts / suggestions?

[wfurt]

This is going to be difficult to investigate IMHO without repro. The interesting part for me is the 1.0 vs 1.1 as workaround. That almost suggests the problem lives in session bases authentication somehow. (that may perhaps be verified with Connection: close header)
I would suggest to collect packet capture and internal traces and look for differences to start with.

[korovindenis]

1. The issue is reproducible even with HTTP version 1.0 when the client includes the header Connection: Keep-Alive. Transitioning to this HTTP version does not seem to be a good solution.

2. In HTTP version 1.1, setting the header Connection: close does not resolve the issue.

3. As a workaround, modifying the constant to ade0234568a4209af8bc0280289eca has been effective. This value is derived from RFC 4559.

[filipnavara]

Would it be possible for you to capture the connection trace with something like Fiddler or Proxyman and share it? I'd like to look at the exact authentication headers.

[korovindenis]

@filipnavara
fiddler logs:
client

GET / HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045)
Accept-Encoding: gzip, deflate, br

server

Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.

Secure Protocol: Tls12
Cipher: Aes128 128bits
Hash Algorithm: Sha256 ?bits
Key Exchange: ECDHE_RSA (0xae06) 255bits

== Server Certificate ==========
[Subject]
  XXXXXX

[Issuer]
  XXXXX

[Serial Number]
  5200008750F6793F7DC836B065000000008750

[Not Before]
  03.06.2024 18:36:06

[Not After]
  30.11.2024 18:36:06

[Thumbprint]
  AB11E40456F4AEC0B8CF672D24C083FE129C5224

[SubjectAltNames]
*.XXXX

HTTP/1.1 401 Unauthorized
Www-Authenticate: Negotiate
Www-Authenticate: NTLM
Www-Authenticate: Bearer
Www-Authenticate: Basic
X-Xss-Protection: 1; mode=block
Date: Wed, 31 Jul 2024 06:48:20 GMT
Content-Length: 0
Proxy-Support: Session-Based-Authentication

client

GET / HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045)
Accept-Encoding: gzip, deflate, br
Authorization: Negotiate xxxxxxxx==

server

HTTP/1.1 200 OK
Content-Length: 187
Content-Type: application/json
Www-Authenticate: Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
X-Xss-Protection: 1; mode=block
Date: Wed, 31 Jul 2024 06:48:20 GMT

But there is an error in the net8 application.