Negotiate/SPNego auth is not working from PowerShell Core

[CJHarmath]

Description

When using Powershell Core 6.1 from a domain joined Windows 10 to call a REST API on a trusted MIT Kerberos realm host running on RHEL 7, the authentication fails with NTLMSSP.
The Linux server responds with Negotiate and NTLM, but only NTLM is being used which fails.
The expectation is to do Negotiate/SPNego just as PowerShell 5.1 would do.
Looking at the existing issues or known limitations I did not see thing being called out as not supported.

Prerequisites

• AD domain with a client machine
• MIT Kerberos realm with Linux
• Trust setup between the 2 realms ( AD and MIT Kerberos ) RedHat Windows integration docs - Part 2
• Setup a web server with kerberos Example with Apache
• Test spnego from PowerShell 5 then from PowerShell 6.1 Core and compare the results

Steps to reproduce

Invoke-RestMethod -UseDefaultCredentials https://mykerberosSite.domain.com

Expected behavior

The expected behaviour is to perform Negotiate / SPNego / Kerberos first which would succeed in properly configured Kerberos environment.

Actual behavior

Invoke-RestMethod -UseDefaultCredentials https://mykerberosSite.domain.com
Invoke-RestMethod : Response status code does not indicate success: 401 (Unauthorized).
At line:1 char:1
+ Invoke-RestMethod -UseDefaultCredentials https..

More details

Packet capture from wireshark
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.15063; en-US) PowerShell/6.1.0
Host: mykerberosSite.domain.com

HTTP/1.1 401 Unauthorized
Date: Mon, 17 Sep 2018 15:05:49 GMT
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.15063; en-US) PowerShell/6.1.0
Authorization: Negotiate ****************==
Host: mykerberosSite.domain.com

HTTP/1.1 401 Unauthorized
Date: Mon, 17 Sep 2018 15:05:49 GMT
Server: Apache-Coyote/1.1
WWW-Authenticate: NTLM
Content-Length: 0

Environment data

> $PSVersionTable
Name                           Value
----                           -----
PSVersion                      6.1.0
PSEdition                      Core
GitCommitId                    6.1.0
OS                             Microsoft Windows 10.0.15063 
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Workaround

Set the envvar to not use the sockets http handler

$env:DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0

[CJHarmath]

Just learned about the SocketsHttpHandler and that we can turn that off.
Haven't yet read and understood the whole thing, but wanted to quickly post and update in case others reading this.

So basically we can disable this new sockets http handler via an env var and things will work the old way

$env:DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0

i.e.: spnego will be used.

This is the same behavior with .NET Core 2.1 with HttpClient.

does not work by default

var handler = new HttpClientHandler
            {
                UseDefaultCredentials = true,
                AllowAutoRedirect = true,
            };
using (var client = new HttpClient(handler))
            {
                var res = client.SendAsync(new HttpRequestMessage(HttpMethod.Get, uri)).GetAwaiter().GetResult();
                System.Console.WriteLine(res);
            }

works

AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false);
var handler = new HttpClientHandler
            {
                UseDefaultCredentials = true,
                AllowAutoRedirect = true,
            };
using (var client = new HttpClient(handler))
            {
                var res = client.SendAsync(new HttpRequestMessage(HttpMethod.Get, uri)).GetAwaiter().GetResult();
                System.Console.WriteLine(res);
            }

Creds goes to this SO post

[markekraus]

If I'm reading dotnet/corefx#32328 this will be fixed when we move to CoreFX 3.0+

[CJHarmath]

yes, that's correct.
in the meantime, either don't use CName or disable SocketsHttpHandler as shown above.

This issue has been marked as external and has not had any activity for 1 day. It has been be closed for housekeeping purposes.

[CJHarmath]

Just confirmed with PowerShell Core 7 preview 3 that Kerberos is now working properly on both Windows and Linux with CNames. Sweet!
Thanks!