Improve Kerberos-based auth experience #27527
Description
Summary
We've seen some feedback indicating that Kerberos auth is not usable in some E2E scenarios (@Tratcher can you please clarify this as none of the attendees of the meeting have context about this).
This issue tracks the work to identify all those experiences and later decide which ones we would like to address in 6.0 timeframe.
@blowdart thinks that this may be related to authentication delegation to SQL.
People with more context
Motivation and goals
The initial 3.x Negotiate handler provided only minimal functionality on linux. In 5.0 @JunTaoLuo did work to expand that to include roles. However, none of the partners have been able to validate the new 5.0 features yet, so we're still expecting feedback that we may need to address.
We're also still waiting for a proper Negotiate API from the runtime. We've been using reflection since 3.x. dotnet/runtime#29270
There have also been asks about delegating to SQL cross platform.
In scope
A list of major scenarios, perhaps in priority order.
Out of scope
Scenarios you explicitly want to exclude.
Risks / unknowns
How might developers misinterpret/misuse this? How might implementing it restrict us from other enhancements in the future? Also list any perf/security/correctness concerns.
Examples
Give brief examples of possible developer experiences (e.g., code they would write).
Don't be deeply concerned with how it would be implemented yet. Your examples could even be from other technology stacks.