kerberos authentication in c# or Linux container #46945

Open
hameedshk opened this issue Jan 13, 2021 · 10 comments

@hameedshk

How to achieve Kerberos authentication in dotnet core independent of the underlying Linux or Windows operating system?

Description

  • We usually connect to MS SQL Server either with Trusted_Connection=True (default Windows authentication, usually Active Directory authentication) or with username and password (credentials maintained within the scope of MS SQL Server).
  • Now our dotnet application runs in OpenShift Linux containers via a docker instruction set and connects to SQL Server. I can't use a trusted connection as it's a Linux distro, but connecting via username and password is a bad practice in terms of security.
  • I have tried looking into Kerberos libraries and nothing has helped here.

What I am trying to achieve is this: when the application runs in Linux dotnet core, I need to first authenticate the credentials in Active Directory and then connect to SQL Server and fetch the data.

Configuration

  • Which version of dotnet? 3.1
  • What OS and version, and for Linux, what distro? Linux distro
  • If you're using Blazor, which web browser(s) do you see this issue in? All web browser
@scalablecory scalablecory transferred this issue from dotnet/core Jan 13, 2021
@dotnet-issue-labeler

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Jan 13, 2021
@danmoseley
Member

@joperezr would S.DS.Protocols APIs help here?

@joperezr
Member

Not really, unfortunately. In DirectoryServices we don’t implement the Kerberos protocol directly, but instead call a native library that handles the authentication for us, which internally uses and implements Kerberos. We do have an internal implementation of Kerberos which we use in System.Net.Http which @davidsh wrote, but this isn’t publicly available (I believe ASP.Net uses it too, but via reflection). There was a plan to expose that publicly but I believe @davidsh was still working on the design. I’ll try to find the issue and reference it from here.

Other than that, I have seen third party implementations which are fairly complete, like one called Kerberos.Net.

@joperezr
Member

The issue I was thinking of is this one: #29270

The internal class we have today that knows how to perform Kerberos authentication is called NTAuthentication.

@wfurt
Member

wfurt commented Jan 19, 2021

There is NegotiateStream for anybody who needs Kerberos. I don't know if there is a good way to hook it in. I guess in the worst case, you would need to create the authenticated Stream and then tunnel SQL through that.

@joperezr joperezr removed the untriaged New issue has not been triaged by the area owner label Feb 9, 2021
@joperezr joperezr added this to the Future milestone Feb 9, 2021
@sudominmonk

Is there any way this can be achieved?

  • Dotnet core using Kestrel server
  • Hosted on a Linux container
  • SQL Server connection with integrated security
    If possible, using the impersonated user's creds.

@ghost ghost added the needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration label Feb 15, 2021
@wfurt
Member

wfurt commented Feb 15, 2021

The problem is that even with impersonation, you need credentials in your app @sudominmonk. If I understand @hameedshk correctly, the concern is about credential management. AFAIK there are only two ways: authenticate with the OS and use "DefaultCredentials" in .NET, e.g. inherit your identity from the OS, or use explicit authentication, credentials and identity inside .NET.
Perhaps @HameedSH can clarify more.
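
The two credential modes described in the comment above, shown with the NegotiateStream client API mentioned earlier in the thread. This is an added example, not code from the thread or from dotnet/runtime, and it does not address hooking the stream into a SQL connection; the host, port, SPN and environment variable names are hypothetical placeholders, and a reachable service that accepts Negotiate is assumed.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Threading.Tasks;

static class NegotiateClientExample
{
    // Hypothetical placeholders, not values from this thread.
    const string Host = "svc.example.internal";
    const int Port = 5000;
    const string Spn = "HOST/svc.example.internal";

    static async Task<NegotiateStream> ConnectAsync(NetworkCredential credential)
    {
        var tcp = new TcpClient();
        await tcp.ConnectAsync(Host, Port);
        var stream = new NegotiateStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        try
        {
            await stream.AuthenticateAsClientAsync(credential, Spn,
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
            // Negotiate may settle on NTLM, which does not authenticate the server.
            // Treat a session without mutual authentication or encryption as a failure.
            if (!stream.IsMutuallyAuthenticated || !stream.IsEncrypted)
                throw new AuthenticationException("Negotiate did not produce a mutually authenticated, encrypted session.");
            return stream;
        }
        catch
        {
            stream.Dispose();
            throw;
        }
    }

    static async Task Main()
    {
        // Explicit mode: credentials injected at runtime (hypothetical variable names).
        string user = Environment.GetEnvironmentVariable("SVC_USER");
        string password = Environment.GetEnvironmentVariable("SVC_PASSWORD");
        string realm = Environment.GetEnvironmentVariable("SVC_REALM");
        // OS mode: no secret in the process; on Linux the identity comes from the
        // Kerberos ticket cache (for example one filled by kinit from a keytab).
        NetworkCredential credential = string.IsNullOrEmpty(user)
            ? CredentialCache.DefaultNetworkCredentials
            : new NetworkCredential(user, password, realm);

        using NegotiateStream stream = await ConnectAsync(credential);
        Console.WriteLine($"Authenticated to {stream.RemoteIdentity.Name}, encrypted={stream.IsEncrypted}");
    }
}
```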

@hameedshk
Author

hameedshk commented Feb 15, 2021

@wfurt in simple words, what I am trying to achieve is like Windows authentication on a Unix-based server. Windows authentication authenticates the application via the LDAP protocol against directory services, of course with proper credentials. I am trying to authenticate the credentials against AD and then connect to MS SQL Server.
I hope I am more clear now, and also if you can share some articles regarding explicit authentication in .NET Core independent of the operating system.

@wfurt
Member

wfurt commented Feb 15, 2021

Ok. So you DO want your app to manage credentials. In that case I'm perhaps confused by the "But via username and password is a bad practice" note.

@wfurt
Member

wfurt commented Jun 13, 2022

#69920 was approved and should be done in 7.0. That should allow some progress but I'm not sure how the managed API would interact with native bits.
