Kerberos authentication not working for .NET OWIN API + Angular web

I am having issues troubleshooting Kerberos login issues in an intranet network with AD into our web application. Our application has this architecture, which is not very usual (but there are reasons for this and it cannot be changed):

  • front end is an Angular (13) SPA.
  • server: .NET Framework 4.8 hosting a Nancy API, uses the OWIN stack, self hosted within a WPF application or console/Windows service. The WPF self host is for specific customer needs. We do not use IIS; for server deploys we use a .NET Core app + Kestrel. The problem is the same for WPF (.NET Framework) and .NET Core + Kestrel hosting.

How authentication is designed to work:

  • we support multiple in-house/custom authentication mechanisms; one of them is Windows Authentication
  • since the front end is an Angular SPA and we issue our own bearer token, we only enforce Negotiate authentication on one API endpoint
  • The authentication endpoint in the OWIN Startup class is configured like this:
            // OWIN self-host (HttpListener): the scheme selector decides per request
            // whether Windows authentication is required. The two lines wiring the
            // delegate up are reconstructed context; the original snippet showed only the body.
            var listener = (HttpListener)app.Properties["System.Net.HttpListener"];
            listener.AuthenticationSchemeSelectorDelegate = request =>
            {
                // TODO: add better URL processing to distinguish the win auth endpoint, this is hard-coded but is specific to win auth plugin, should this be moved into plugin?
                return request.RawUrl.EndsWith("api/windows-authentication/login")
                    ? AuthenticationSchemes.IntegratedWindowsAuthentication // = Ntlm | Negotiate
                    : AuthenticationSchemes.Anonymous;
            };

This basically means that once this endpoint is called it requires Windows auth (in AD this should work with Kerberos, with NTLM fallback).

On the client side (in the browser), for the particular call to this endpoint we enforce the withCredentials: true parameter:

    this.httpClient.get<AuthenticationResponse>(this.url, {
      withCredentials: true
    });

This works locally (with local Windows authentication, probably NTLM) and this DOES work at the customers' sites and in our local testing environment (client server, backend server, AD server), however only as long as NTLM is allowed by domain policy. Once we disable NTLM the authentication stops working.

I have tried analyzing the traffic with Wireshark and there seems to be NO relevant packet exchange between the client server and AD once the backend returns an Unauthorized response. At that point the browser should authenticate the user against Kerberos and therefore there should be at least some traffic, no?

This is the traffic on the client server, captured in the browser at the moment Windows authentication should happen: [Wireshark screenshot not reproduced here]

Any idea what might be causing the problems?
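The capture above raises the first question any troubleshooter would ask: did the browser send a Kerberos token, an NTLM token, or nothing at all after the 401? The following Python script is an added diagnostic, not code from the original post: it decodes the value of an Authorization header (as seen in browser dev tools, a Wireshark HTTP dissection, or server request logs) and reports which mechanism the client actually offered, by walking the GSS-API/SPNEGO DER wrapper down to the mechTypes list. The OID constants are the public SPNEGO, Kerberos and NTLMSSP identifiers; the SPNEGO encoder and all sample headers below are constructed for the example and are not captured from any real system.

```python
import base64
import re

# Public OIDs that appear inside SPNEGO (RFC 4178) tokens.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"        # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"         # prefix of every raw NTLM message


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at data[pos]."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                  # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Decode DER OID content octets into dotted notation."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def classify_negotiate_token(header_value):
    """Report which mechanism an 'Authorization: Negotiate|NTLM <base64>' header carries."""
    result = {"scheme": None, "mech_types": [],
              "mechanism": "none: client sent no token (browser did not attempt integrated authentication)"}
    m = re.match(r"^(Negotiate|NTLM)\s+([A-Za-z0-9+/=]+)$", (header_value or "").strip())
    if not m:
        return result
    result["scheme"], token = m.group(1), base64.b64decode(m.group(2))
    if token.startswith(NTLMSSP_SIGNATURE):
        result["mechanism"] = "NTLM (raw NTLMSSP message, no SPNEGO wrapper)"
        return result
    result["mechanism"] = "unrecognised token"
    if not token or token[0] != 0x60:          # GSS-API InitialContextToken tag
        return result
    _, inner, _ = _read_tlv(token, 0)
    tag, oid, pos = _read_tlv(inner, 0)        # thisMech OID
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        result["mechanism"] = "non-SPNEGO GSS-API token"
        return result
    tag, neg_init, _ = _read_tlv(inner, pos)   # NegotiationToken CHOICE
    if tag != 0xA0:                            # first client leg must be [0] negTokenInit
        result["mechanism"] = "SPNEGO token that is not a NegTokenInit"
        return result
    _, seq, _ = _read_tlv(neg_init, 0)
    tag, ctx0, _ = _read_tlv(seq, 0)
    if tag == 0xA0:                            # [0] mechTypes, in client preference order
        _, mech_seq, _ = _read_tlv(ctx0, 0)
        p = 0
        while p < len(mech_seq):
            _, v, p = _read_tlv(mech_seq, p)
            result["mech_types"].append(decode_oid(v))
    preferred = result["mech_types"][0] if result["mech_types"] else None
    if preferred in (KRB5_OID, MS_KRB5_OID):
        result["mechanism"] = "Kerberos via SPNEGO"
    elif preferred == NTLMSSP_OID:
        result["mechanism"] = "NTLM via SPNEGO"
    return result


# --- constructed sample tokens (not captured from any real system) ---------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID as a complete DER OID TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _der(0x06, bytes(out))


def build_spnego_init(mech_oids, mech_token):
    """Minimal GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit (sample only)."""
    mech_types = _der(0xA0, _der(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    mech_tok = _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, encode_oid(SPNEGO_OID) + _der(0xA0, _der(0x30, mech_types + mech_tok)))


def _hdr(scheme, token):
    return scheme + " " + base64.b64encode(token).decode()


SAMPLE_HEADERS = {
    "kerberos":    _hdr("Negotiate", build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"<constructed AP-REQ placeholder>")),
    "ntlm_spnego": _hdr("Negotiate", build_spnego_init([NTLMSSP_OID], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00")),
    "ntlm_raw":    _hdr("NTLM", NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"),
    "no_token":    "",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        r = classify_negotiate_token(header)
        print(f"{name:12s} -> {r['mechanism']}  mechTypes={r['mech_types']}")
```

Paste the Authorization header value from the request that follows the 401 into classify_negotiate_token. Two outcomes map directly onto the symptom in the question: if the result is "NTLM via SPNEGO" the browser did negotiate but never asked the KDC for a ticket, and if the browser sends no Authorization header at all the silence on the wire is expected, because the client never decided the site was eligible for integrated authentication (commonly a browser zone/trusted-site policy or a host name with no matching service principal). As a quick eyeball check without the script, a Kerberos token is several kilobytes and its base64 starts with "YII", while a raw NTLM Type 1 message starts with "TlRMTVNTUAAB".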



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow