http.sys: Allow configuring HTTP_AUTH_EX_FLAGs as options

evgenykotkov · evgenykotkov · commit 7489786de9e6 · 2023-11-02T20:13:57.000+01:00
The native HTTP.sys API offers two extended authentication flags: - `HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING` and - `HTTP_AUTH_EX_FLAG_CAPTURE_CREDENTIAL` that can be used by users to fine-tune their Windows authentication setups. For instance, the `HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING` flag can be used to avoid having to authenticate every request and make the authentication session-based, thus reducing the overall number of requests and improving the high-latency scenarios. Enabling it can be used to achieve the same behavior as with the `authPersistNonNTLM` option in IIS. (See #13634) This commit exposes both flags as options in the authentication manager. Because setting the extended flags requires a different property type (`HttpServerExtendedAuthenticationProperty`), we take additional precaution to only use that property type if we actually have the extended flags to set, and use the original `HttpServerAuthenticationProperty` otherwise.
diff --git a/src/Servers/HttpSys/src/AuthenticationManager.cs b/src/Servers/HttpSys/src/AuthenticationManager.cs
@@ -63,6 +63,19 @@ public bool AllowAnonymous
     /// </summary>
     public string? AuthenticationDisplayName { get; set; }
 
+    /// <summary>
+    /// If true, the Kerberos authentication credentials are cached. Kerberos or Negotiate
+    /// authentication must be enabled. The default is false.
+    /// </summary>
+    public bool EnableKerberosCredentialCaching { get; set; }
+
+    /// <summary>
+    /// If true, the server captures the caller's credentials and uses them for Kerberos
+    /// or Negotiate authentication. Kerberos or Negotiate authentication must be enabled.
+    /// The default is false.
+    /// </summary>
+    public bool CaptureCredential { get; set; }
+
     internal void SetUrlGroupSecurity(UrlGroup urlGroup)
     {
         Debug.Assert(_urlGroup == null, "SetUrlGroupSecurity called more than once.");
@@ -87,18 +100,41 @@ private unsafe void SetUrlGroupSecurity()
         {
             authInfo.AuthSchemes = authSchemes;
 
+            authInfo.ExFlags = HttpApiTypes.HTTP_AUTH_EX_FLAGS.NONE;
+
+            if (EnableKerberosCredentialCaching)
+            {
+                authInfo.ExFlags |=
+                    HttpApiTypes.HTTP_AUTH_EX_FLAGS.HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING;
+            }
+
+            if (CaptureCredential)
+            {
+                authInfo.ExFlags |=
+                    HttpApiTypes.HTTP_AUTH_EX_FLAGS.HTTP_AUTH_EX_FLAG_CAPTURE_CREDENTIAL;
+            }
+
             // TODO:
             // NTLM auth sharing (on by default?) DisableNTLMCredentialCaching
-            // Kerberos auth sharing (off by default?) HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING
             // Mutual Auth - ReceiveMutualAuth
             // Digest domain and realm - HTTP_SERVER_AUTHENTICATION_DIGEST_PARAMS
             // Basic realm - HTTP_SERVER_AUTHENTICATION_BASIC_PARAMS
 
+            HttpApiTypes.HTTP_SERVER_PROPERTY property;
+            if (authInfo.ExFlags != HttpApiTypes.HTTP_AUTH_EX_FLAGS.NONE)
+            {
+                // We need to modify extended fields such as ExFlags, set the extended auth property.
+                property = HttpApiTypes.HTTP_SERVER_PROPERTY.HttpServerExtendedAuthenticationProperty;
+            }
+            else
+            {
+                // Otherwise set the regular auth property.
+                property = HttpApiTypes.HTTP_SERVER_PROPERTY.HttpServerAuthenticationProperty;
+            }
+
             IntPtr infoptr = new IntPtr(&authInfo);
 
-            _urlGroup.SetProperty(
-                HttpApiTypes.HTTP_SERVER_PROPERTY.HttpServerAuthenticationProperty,
-                infoptr, (uint)AuthInfoSize);
+            _urlGroup.SetProperty(property, infoptr, (uint)AuthInfoSize);
         }
     }
 
diff --git a/src/Servers/HttpSys/src/PublicAPI.Unshipped.txt b/src/Servers/HttpSys/src/PublicAPI.Unshipped.txt
@@ -36,3 +36,7 @@ Microsoft.AspNetCore.Server.HttpSys.IHttpSysRequestTimingFeature
 Microsoft.AspNetCore.Server.HttpSys.IHttpSysRequestTimingFeature.Timestamps.get -> System.ReadOnlySpan<long>
 Microsoft.AspNetCore.Server.HttpSys.IHttpSysRequestTimingFeature.TryGetElapsedTime(Microsoft.AspNetCore.Server.HttpSys.HttpSysRequestTimingType startingTimestampType, Microsoft.AspNetCore.Server.HttpSys.HttpSysRequestTimingType endingTimestampType, out System.TimeSpan elapsed) -> bool
 Microsoft.AspNetCore.Server.HttpSys.IHttpSysRequestTimingFeature.TryGetTimestamp(Microsoft.AspNetCore.Server.HttpSys.HttpSysRequestTimingType timestampType, out long timestamp) -> bool
+Microsoft.AspNetCore.Server.HttpSys.AuthenticationManager.CaptureCredential.get -> bool
+Microsoft.AspNetCore.Server.HttpSys.AuthenticationManager.CaptureCredential.set -> void
+Microsoft.AspNetCore.Server.HttpSys.AuthenticationManager.EnableKerberosCredentialCaching.get -> bool
+Microsoft.AspNetCore.Server.HttpSys.AuthenticationManager.EnableKerberosCredentialCaching.set -> void
diff --git a/src/Servers/HttpSys/test/FunctionalTests/AuthenticationTests.cs b/src/Servers/HttpSys/test/FunctionalTests/AuthenticationTests.cs
@@ -400,6 +400,60 @@ public async Task AuthTypes_DisableAutomaticAuthentication(AuthenticationSchemes
         }
     }
 
+    [ConditionalTheory]
+    [InlineData(AuthenticationSchemes.Negotiate)]
+    [InlineData(AuthenticationSchemes.NTLM)]
+    [InlineData(AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM)]
+    public async Task AuthTypes_EnableKerberosCredentialCaching(AuthenticationSchemes authType)
+    {
+        using (var server = Utilities.CreateDynamicHost(out var address, options =>
+        {
+            options.Authentication.Schemes = authType;
+            options.Authentication.AllowAnonymous = DenyAnoymous;
+            options.Authentication.EnableKerberosCredentialCaching = true;
+        },
+        httpContext =>
+        {
+            // There doesn't seem to be a simple way of testing the `EnableKerberosCredentialCaching`
+            // setting, but at least check that the server works.
+            Assert.NotNull(httpContext.User);
+            Assert.NotNull(httpContext.User.Identity);
+            Assert.True(httpContext.User.Identity.IsAuthenticated);
+            return Task.FromResult(0);
+        }, LoggerFactory))
+        {
+            var response = await SendRequestAsync(address, useDefaultCredentials: true);
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        }
+    }
+
+    [ConditionalTheory]
+    [InlineData(AuthenticationSchemes.Negotiate)]
+    [InlineData(AuthenticationSchemes.NTLM)]
+    [InlineData(AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM)]
+    public async Task AuthTypes_CaptureCredential(AuthenticationSchemes authType)
+    {
+        using (var server = Utilities.CreateDynamicHost(out var address, options =>
+        {
+            options.Authentication.Schemes = authType;
+            options.Authentication.AllowAnonymous = DenyAnoymous;
+            options.Authentication.CaptureCredential = true;
+        },
+        httpContext =>
+        {
+            // There doesn't seem to be a simple way of testing the `CaptureCredential`
+            // setting, but at least check that the server works.
+            Assert.NotNull(httpContext.User);
+            Assert.NotNull(httpContext.User.Identity);
+            Assert.True(httpContext.User.Identity.IsAuthenticated);
+            return Task.FromResult(0);
+        }, LoggerFactory))
+        {
+            var response = await SendRequestAsync(address, useDefaultCredentials: true);
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        }
+    }
+
     private async Task<HttpResponseMessage> SendRequestAsync(string uri, bool useDefaultCredentials = false)
     {
         HttpClientHandler handler = new HttpClientHandler();
diff --git a/src/Shared/HttpSys/NativeInterop/HttpApiTypes.cs b/src/Shared/HttpSys/NativeInterop/HttpApiTypes.cs
@@ -602,7 +602,7 @@ internal struct HTTP_SERVER_AUTHENTICATION_INFO
         internal byte ReceiveMutualAuth;
         internal byte ReceiveContextHandle;
         internal byte DisableNTLMCredentialCaching;
-        internal byte ExFlags;
+        internal HTTP_AUTH_EX_FLAGS ExFlags;
         HTTP_SERVER_AUTHENTICATION_DIGEST_PARAMS DigestParams;
         HTTP_SERVER_AUTHENTICATION_BASIC_PARAMS BasicParams;
     }
@@ -699,6 +699,14 @@ internal enum HTTP_AUTH_TYPES : uint
         HTTP_AUTH_ENABLE_KERBEROS = 0x00000010,
     }
 
+    [Flags]
+    internal enum HTTP_AUTH_EX_FLAGS : byte
+    {
+        NONE = 0x00,
+        HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING = 0x01,
+        HTTP_AUTH_EX_FLAG_CAPTURE_CREDENTIAL = 0x02,
+    }
+
     [Flags]
     internal enum HTTP_CREATE_REQUEST_QUEUE_FLAG : uint
     {
