PowerShell/Polaris

Support Impersonation for Authenticated User (or specific User) and Authentication Provider: Kerberos (Negotiate)

Juanito99 opened this issue · 9 comments

Hi!

In order to create Self-Service portals and to protect better it would be very useful if we could leverage IIS standard possibilities such as Impersonation for authenticated users plus Kerberos as provider

Thanks in advance

Polaris' auth story is growing. Folks like @jeremymcgee73 have been investigating some of this stuff. We'll get there. Thanks for opening this issue.

@tylerl0706 - If we want to say that the eventual port to Kestrel is going to have breaking changes, I think I can crank out some simple code to leverage the built-in authentication schemes supported by HttpListener which are listed out here. I'm not sure how IntegratedWindowsAuthentication works on a domain-joined Linux machine or how to easily test that, but we could play around with it if you thought it would be interesting to look at. If we're trying to keep it generic enough to avoid any breaking changes when we move to Kestrel (if that's possible), I think we should avoid this until after the port and then wrap some code to leverage their authentication middleware maybe?

I had Basic Auth working on a branch in my fork. But, I believe I hosed it up trying to merge from upstream. I believe negotiate wouldn't be hard to add from there.

My thoughts

_As far as I know, integration of current Linux distributions into Active Directory is done through either Samba Winbind or the System Security Services Daemon (SSSD).
SSSD is state of the art, is easily configured and works stably. SuSE and Red Hat provide GUI wizards to leverage it to integrate into AD.

Linux geeks might use the manual way through native LDAP, Kerberos, PAM and NSS component configuration.

I think Kerberos through SSSD should be the proper basement for Polaris._

SSSD Project Page

@Juanito99 - I agree, partly. For Linux SSSD or Samba seems to be a great idea.
Will not work (not without a huge overhead of dependencies) for Mac Users.

I would recommend a platform independent implementation based on native Kerberos.
It is supported as "Negotiate" by the AuthenticationSchemes out of the box.

Why based on the plain .NET: As long as the system is domain bound native kerberos should work on all supported platforms, right?

@jhochwald Kerberos would be best, no doubt 👍

I had Basic Auth working on a branch in my fork. But, I believe I hosed it up trying to merge from upstream. I believe negotiate wouldn't be hard to add from there.

Based on your patch: it should be relatively easy to change it.

I believe for now we will just support Kerberos/NTLM auth on Windows only. The .NET core implementation of HTTPListener on Linux/Mac is not very well documented. I do have Negotiate/NTLM working on Windows currently. If you all could give it a try that would be helpful. #150

Another thought, HTTP traffic needs to be proxied on Linux for SSL. It may be possible to configure Kerberos/NTLM on the proxy as well. Something like this may work. https://github.com/stnoonan/spnego-http-auth-nginx-module
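As an added illustration of the Windows-only Negotiate approach described in the comment above (this is example code, not Polaris' own implementation or the #150 patch): a bare System.Net.HttpListener that offers only Negotiate, reads the caller's Windows identity, authorizes against a group, and runs the handler under the caller's token. It assumes PowerShell on a domain-joined Windows host; the group name and URL prefix are placeholders, and the URL ACL / SPN registration are deployment prerequisites outside the snippet.

```powershell
# Added example (not Polaris code). Requires Windows; run from a domain logon
# and browse to http://localhost:8080/whoami to see the negotiated identity.

$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add('http://localhost:8080/')   # placeholder prefix

# Only Negotiate is offered: Anonymous and Basic are not in the mask, so an
# unauthenticated request is answered 401 by the listener itself.
$listener.AuthenticationSchemes = [System.Net.AuthenticationSchemes]::Negotiate

# Hypothetical allow-list group; replace with the real domain group.
$allowedGroup = 'CONTOSO\PolarisOperators'

$listener.Start()
try {
    while ($listener.IsListening) {
        $context  = $listener.GetContext()
        $identity = $context.User.Identity   # WindowsIdentity when Negotiate succeeded

        # Package actually negotiated: "Kerberos" or "NTLM". An NTLM fallback
        # means no ticket was obtained (no SPN, non-domain client), worth logging.
        $package = $identity.AuthenticationType

        # Authentication is not authorization: check group membership before serving.
        if (-not $context.User.IsInRole($allowedGroup)) {
            $context.Response.StatusCode = 403
            $context.Response.Close()
            continue
        }

        # Impersonation for the duration of the handler: file and registry ACLs
        # then apply to the caller rather than to the service account.
        $script:whoami = $null
        [System.Security.Principal.WindowsIdentity]::RunImpersonated(
            $identity.AccessToken,
            [System.Action] {
                $script:whoami = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            })

        $body  = "Hello $script:whoami (authenticated via $package)"
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($body)
        $context.Response.ContentType = 'text/plain'
        $context.Response.OutputStream.Write($bytes, 0, $bytes.Length)
        $context.Response.Close()
    }
}
finally {
    $listener.Stop()
}
```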

Merged in #150

Yay! 🎉🎉🎉

Thanks @jeremymcgee73!