.NET Core SPNEGO 身份验证与 HttpClient [英] .NET Core SPNEGO Auth with HttpClient

问题描述

我目前正在编写一个简单的基于 .NET Core 的客户端，用于通过 WebHCat 与 Hadoop 集群进行交互，并且我正在尝试弄清楚如何使用 SPNEGO 进行身份验证，就像在 curl 或 Powershell Core 中一样.

I'm currently writing up a simple .NET Core based client for interacting with Hadoop Clusters via WebHCat and I'm trying to figure out how to authenticate with the SPNEGO as you would in something like curl or Powershell Core.

使用 Curl 我可以像这样查询 WebHCat 的状态端点:

Using Curl I am able to query the status endpoint of WebHCat like so:

curl "http://10.2.0.9:50111/templeton/v1/status" --negotiate -k -u :

同样的请求也可以在 Powershell Core 中执行:

The same request can also executed in Powershell Core:

$client = New-Object System.Net.WebClient;
$client.UseDefaultCredentials = $true;
$client.DownloadString("http://10.2.0.9:50111/templeton/v1/status");

但是，在与集群位于同一服务器上的 .NET Core 项目中运行以下内容时:

However when it comes to running the following in a .NET Core project sitting on the same server as the cluster:

using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

namespace testauth
{
    class Program
    {
        static async Task Main(string[] args)
        {
            var host = "http://10.2.0.9:50111/templeton/v1/status";
            var handler = new HttpClientHandler
            {
                UseDefaultCredentials = true,
                AllowAutoRedirect = true,
            };
            using (var client = new HttpClient(new LoggingHandler(handler)))
            {
                var res = await client.SendAsync(new HttpRequestMessage(HttpMethod.Get, host));
            }
        }
    }

}

我收到以下错误:

Unhandled Exception: System.ComponentModel.Win32Exception: GSSAPI operation failed with error - An invalid status code was supplied (Server not found in Kerberos database).
   at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatusPal& statusCode)

客户端正在运行 .NET Core 2.1，如 this issue 中所述我应该能够将默认凭据传递给处理程序，它会按预期工作.

The client is running .NET Core 2.1 so as was mentioned in this issue I should just be able to pass default credentials into the handler and it would work as expected.

我也尝试过用 C# 编写我在 PowerShell Core 中使用的相同代码，尽管代码相同，但仍然会引发相同的错误?

I have also tried writing the same code that I used in PowerShell Core in C# and despite the code being identical it still throws the same error?

我能提供的唯一其他细节是，Kerberos 连接到只有一个用户的 Active Directory 实例，并且所有这些请求都是在使用 kinit 创建该用户的票证之后运行的.

The only other details I can give is that the Kerberos is connected to an Active Directory instance with only one user and all these requests are run after the ticket for that user have been created with kinit.

推荐答案

我设法找到了解决办法.使用 ASP.NETCore 2.1 他们引入了一个新的 SocketsHttpHandler，默认情况下用于请求.这意味着在某些平台上，它可能会覆盖我的请求中提供的 HttpHandler，因此默认为您应该使用的套接字处理程序:

I managed to find a fix. With ASP.NET Core 2.1 they introduced a new SocketsHttpHandler which is used by default for requests. This means that on some platforms it may override the HttpHandler provided in my request and so to default to the sockets handler you should use:

AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);

这解决了我的要求.

这篇关于.NET Core SPNEGO 身份验证与 HttpClient的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！