Скачать или смотреть How to Configure Kerberos for Windows Authentication in ASP.NET Core on IIS

Learn how to configure default authentication using `Kerberos` for Windows Authentication in ASP.NET Core on IIS, preventing NTLM usage.
---
This video is based on the question https://stackoverflow.com/q/68122291/ asked by the user 'Jaroslav Mesik' ( https://stackoverflow.com/u/1766589/ ) and on the answer https://stackoverflow.com/a/69488549/ provided by the user 'Jaroslav Mesik' ( https://stackoverflow.com/u/1766589/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.

Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Configure Kerberos for Windows Authentication in ASP.NET Core on IIS

Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.

If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
How to Configure Kerberos for Windows Authentication in ASP.NET Core on IIS

When it comes to securing applications with proper authentication mechanisms, developers often face the challenge of configuring the right settings. One common requirement is to use Kerberos for Windows Authentication in ASP.NET Core applications hosted on IIS, while preventing the fallback to NTLM. In this guide, we'll walk through the necessary steps to achieve this configuration effectively.

Understanding the Problem

You may have configured the authentication settings in your ASP.NET Core application and in IIS to use Kerberos, but upon testing, tools like Fiddler show that NTLM is still being used. This indicates that the configuration is not functioning as intended. The following points will help clarify the situation:

Expectations: You want to ensure that your application uses Kerberos as the authentication method.

Current Setup: Windows authentication is enabled in IIS with Kerberos as a provider; however, NTLM is still being utilized.

Configuring Authentication in ASP.NET Core

To start leveraging Kerberos, you need to ensure that the server is set up correctly. Here's how to do it step by step:

1. Modify Startup Class

In your ASP.NET Core application, configure the authentication method in the Startup.cs file as follows:

[[See Video to Reveal this Text or Code Snippet]]

This code snippet ensures that the application is set to use the Negotiate scheme, which allows for the negotiation of the authentication protocol.

2. Set Up IIS Authentication

In your Internet Information Services (IIS) settings, make sure:

Windows Authentication is enabled.

All other authentication methods (like Basic Authentication or Anonymous Authentication) are disabled.

Enabled Providers: Ensure that Negotiate is set before NTLM in the order of providers.

This can often be done through the IIS management console.

Troubleshooting NTLM Fallback

Despite your configurations, if you are still observing NTLM being used, the issue likely lies outside your application code. Here are steps to diagnose and fix the problem:

3. Check Windows Server Configuration

Open Group Policy Editor: To access the configuration settings, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

Review Policies: Look for policies related to authentication methods. Specifically, ensure policies allow for Kerberos authentication and check to see if NTLM is being forced. Common policies to check include:

Network security: LAN Manager authentication level.

Network security: Restrict NTLM: Incoming NTLM traffic.

4. Ensure Proper SPN Registration

If you’re in a domain environment, ensure that the Service Principal Name (SPN) is correctly registered for your IIS server. If the SPN is not set up properly, Kerberos authentication will fail and NTLM will be used instead.

5. Restart Services

After making changes to the server configuration or group policy settings, ensure to restart the relevant services or the server itself. This will help to apply the new settings.

Conclusion

By following the configuration steps and troubleshooting tips outlined above, you should be able to successfully set up Kerberos as the authentication method for your ASP.NET Core application running on IIS. Remember that server-side configurations can often have a significant impact on authentication behavior, and careful attention to these settings is crucial.

Now, you're equipped to avoid falling back to NTLM and ensure the robust security that Kerberos authentication provides.