Authenticating Web Requests with Kerberos.NET

I recently committed a couple sample projects to the Kerberos.NET library that shows how you can authenticate a web-based Kerberos ticket. My choice of platform is OWIN middleware because it most closely resembles how things work in ASP.NET Core, without actually going full-core.

The key class to look at is KerberosEndToEndMiddleware. It contains the necessary logic to handle detection and prompting for authentication:

Keep in mind that this is rudimentary sample. It doesn’t detect or create sessions, so any unauthenticated requests will be prompted to authenticate. You can try the sample by just launching the KerberosMiddlewareEndToEndSample project. It’ll start a console app and begin listening on localhost:9000. You can immediately try browsing to https://localhost:9000/api/kerberosE2E and you’ll get prompted for a username and password.

This authentication request will fail. You’ll notice in the console app an error has appeared saying that NTLM isn’t supported. This is for a couple reasons:

1. You may not be a domain user, on a domain-joined machine — this should be obvious, but you must be a member of a domain to do Kerberos.
2. You don’t have a principal in AD with an SPN mapping to your localhost — this is less obvious, but Active Directory doesn’t know what key to use to encrypt the ticket, so it falls back.

Both of these problems are a little too complicated to solve here, so just go ahead and hit any key — it’ll kick off a negotiation dance:

GET /api/KerberosE2E


Response: 
HTTP 401
WWW-Authenticate: Negotiate


GET /api/KerberosE2E
Authorization: Negotiate YIIHHAYGKwYBBQUCoIIHEDCCB...

Response:
HTTP 200
{
 "Name": "testntlm@identityintervention.com",
 "IsAuthenticated": true,
 "claims": [
  {
   "Value": "testntlm@identityintervention.com",
   "Type": "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
 ]
}

The flow is a bit contrived because it’s executed manually, but it behaves the same way a browser will handle the responses — you can verify with fiddler or the F12 network tools.